Ahnrpta.exe and other strange problems

16 replies to this topic

#1 Cokone

Posted 28 January 2009 - 03:56 PM

Hello there...

My computer has been a bit slow, especially with Windows Media Player... I've looked up this ahnrpta.exe on the internet and discovered it's a virus... But my antivirus couldn't detect it.
Once I had the kavo.exe virus and ckvo.exe, then I installed the Malwarebytes program and I think it did remove them... But I'm not sure, because my Spybot always asks what to do with cdsooft (located in C:\WINDOWS\system32\olhrwef.exe).

Could you tell me if there is another virus besides ahnrpta.exe?

Thanks guys!!

Here's the DDS log:



DDS (Ver_09-01-19.01) - NTFSx86
Run by Master at 18:40:53,00 on 28/01/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.382 [GMT -2:00]

AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\twain_32\Vivid\Vivid.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Arquivos de programas\Java\jre1.6.0_07\bin\jucheck.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\AhnRpta.exe
C:\Arquivos de programas\Winamp\winamp.exe
C:\Documents and Settings\Master\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Facilitador de Leitor de Link Adobe PDF: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\arquivos de programas\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [DAEMON Tools Lite] "c:\arquivos de programas\daemon tools lite\daemon.exe" -autorun
uRun: [SpybotSD TeaTimer] c:\arquivos de programas\spybot - search & destroy\TeaTimer.exe
uRun: [EasyLinkAdvisor] "c:\arquivos de programas\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\arquivos de programas\arquivos comuns\ahead\lib\NeroCheck.exe
mRun: [AVG7_CC] c:\arquiv~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [HP Component Manager] "c:\arquivos de programas\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\arquivos de programas\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre1.6.0_07\bin\jusched.exe"
mRun: [InstantAccess] c:\arquiv~1\textbr~1.0\bin\INSTAN~1.EXE /h
mRun: [RegisterDropHandler] c:\arquiv~1\textbr~1.0\bin\REGIST~1.EXE
mRun: [TkBellExe] "c:\arquivos de programas\arquivos comuns\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\arquivos de programas\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRunOnce: [wextract_cleanup1] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\master\config~1\temp\ixp001.tmp\"
mRunServices: [RegisterDropHandler] c:\arquiv~1\textbr~1.0\bin\REGIST~1.EXE
dRun: [AVG7_Run] c:\arquiv~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\detector.lnk - c:\windows\twain_32\vivid\Vivid.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Baixar link usando &BitComet - c:\arquivos de programas\bitcomet\BitComet.exe/AddLink.htm
IE: Baixar todos os links usando BitComet - c:\arquivos de programas\bitcomet\BitComet.exe/AddAllLink.htm
IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\bitcomet\BitComet.exe/AddVideo.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\arquivos de programas\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206644724140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {30A1C6FA-609E-4E0B-8E59-48A306E7C76C} = 200.175.182.139,200.175.89.139
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\arquivos de programas\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: hook dll rising: {c5f43bef-ce2f-46d8-afe6-a647bacd1f09} - c:\windows\system32\Bitkv1.dll
SEH: hook dll rising: {bb4c402f-882a-4526-8c08-51278ea437c1} - c:\windows\system32\afmain0.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\master\dadosd~1\mozilla\firefox\profiles\zsa2ri8e.default\
FF - component: c:\documents and settings\master\dados de aplicativos\mozilla\firefox\profiles\zsa2ri8e.default\extensions\{87f8774f-b485-47e2-a755-a40a8a5e886d}\components\GbMzhCef.dll
FF - component: c:\documents and settings\master\dados de aplicativos\mozilla\firefox\profiles\zsa2ri8e.default\extensions\{87f8774f-b485-47e2-a755-a40a8a5e8873}\components\GbMzhUni.dll
FF - plugin: c:\arquivos de programas\google\picasa3\npPicasa3.dll
FF - plugin: c:\documents and settings\all users\dados de aplicativos\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2008-3-27 77312]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-3-28 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-3-28 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-3-28 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-3-28 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\arquiv~1\grisoft\avg7\avgamsvr.exe [2008-3-28 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\arquiv~1\grisoft\avg7\avgupsvc.exe [2008-3-28 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\arquiv~1\grisoft\avg7\avgemc.exe [2008-3-28 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-3-28 4960]
R4 ppsio2;PPDevice;c:\windows\system32\drivers\PPSIO2.SYS [2008-5-7 22400]

=============== Created Last 30 ================

2009-01-26 20:59 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-01-26 20:59 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-01-26 20:47 50,068 a---h--- c:\windows\system32\mlfcache.dat
2009-01-26 20:36 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-01-25 15:23 <DIR> --d----- C:\rafael
2009-01-25 15:16 108,512 ---shr-- C:\uvsqfgwd.cmd
2009-01-16 06:09 95,744 ---shr-- c:\windows\system32\nmdfgds2.dll
2009-01-16 05:12 110,003 ---shr-- C:\x2csvg.exe
2009-01-15 18:15 70,144 a------- c:\windows\AhnRpta.exe
2009-01-15 18:07 95,744 ---shr-- c:\windows\system32\nmdfgds1.dll
2009-01-15 18:07 108,940 ---shr-- C:\ve.exe
2009-01-15 18:06 108,861 ---shr-- c:\windows\system32\olhrwef.exe
2009-01-15 18:06 95,744 -------- c:\windows\system32\nmdfgds0.dll
2009-01-14 20:18 <DIR> --d----- c:\docume~1\master\dadosd~1\Samsung
2009-01-14 17:58 174,592 a------- c:\windows\system32\framedyn.dll
2009-01-14 17:57 109,704 a------- c:\windows\system32\drivers\ss_mdm.sys
2009-01-14 17:57 83,592 a------- c:\windows\system32\drivers\ss_bus.sys
2009-01-14 17:57 15,112 a------- c:\windows\system32\drivers\ss_mdfl.sys
2009-01-14 17:57 12,424 a------- c:\windows\system32\drivers\ss_whnt.sys
2009-01-14 17:57 12,424 a------- c:\windows\system32\drivers\ss_wh.sys
2009-01-14 17:57 12,424 a------- c:\windows\system32\drivers\ss_cmnt.sys
2009-01-14 17:57 12,424 a------- c:\windows\system32\drivers\ss_cm.sys
2009-01-14 17:57 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-01-14 17:57 766 a------- c:\windows\system32\Uninstall.ico
2009-01-14 17:57 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2009-01-14 17:57 <DIR> --d----- c:\arquivos de programas\Samsung
2009-01-12 18:05 102,439 a------- c:\windows\system32\sipr3260.dll
2009-01-11 18:49 <DIR> --d----- C:\30 rock
2009-01-05 20:33 3,751,995 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-01-05 18:56 85,504 ---shr-- c:\windows\system32\gasretyw0.dll
2008-12-26 10:03 85,504 ---shr-- c:\windows\system32\vbsdfe1.dll
2008-12-26 10:03 115,869 ---shr-- c:\windows\system32\vamsoft.exe
2008-12-26 10:02 85,504 -------- c:\windows\system32\vbsdfe0.dll
2008-12-11 08:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-08 14:46 84,992 ---shr-- c:\windows\system32\gasretyw1.dll
2008-11-20 08:56 106,626 ---shr-- C:\abk.bat
2008-11-14 15:19 105,062 ---shr-- c:\windows\system32\kamsoft.exe
2008-11-14 15:19 105,062 ---shr-- C:\0w.com
2008-11-12 13:13 99,461 ---shr-- C:\lky.exe
2008-11-09 09:00 110,013 ---shr-- C:\whi.com
2008-11-09 09:00 110,013 ---shr-- C:\sq.com
2008-06-01 15:49 87,608 a------- c:\docume~1\master\dadosd~1\inst.exe
2008-06-01 15:49 47,360 a------- c:\docume~1\master\dadosd~1\pcouffin.sys
2008-04-07 23:34 32 a------- c:\docume~1\alluse~1\dadosd~1\ezsid.dat

============= FINISH: 18:41:41,93 ===============
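The DDS listing above carries the pattern worth learning to read: executables with the system+hidden+read-only attribute string (---shr--) and randomly named .cmd/.com/.exe files dropped directly in C:\, the layout an autorun-style worm leaves next to its Autorun.inf. As an added example, not part of the original post or of the DDS tool, the script below parses "Created Last 30" / "Find3M" lines and flags those two patterns. The attribute-letter meanings (a archive, d directory, s system, h hidden, r read-only, t temporary) are my reading of the log format and are an assumption; the sample input is a handful of lines copied from the log above.

```python
import re
from typing import FrozenSet, List, NamedTuple, Optional, Tuple

# Constructed sample: lines copied from the "Created Last 30" / "Find3M"
# sections of the DDS log posted above (a directory and a data file are
# included so the filter has something to ignore).
SAMPLE_DDS = r"""
2009-01-26 20:36 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-01-25 15:16 108,512 ---shr-- C:\uvsqfgwd.cmd
2009-01-16 06:09 95,744 ---shr-- c:\windows\system32\nmdfgds2.dll
2009-01-15 18:15 70,144 a------- c:\windows\AhnRpta.exe
2009-01-15 18:06 95,744 -------- c:\windows\system32\nmdfgds0.dll
2009-01-14 17:58 174,592 a------- c:\windows\system32\framedyn.dll
2008-11-14 15:19 105,062 ---shr-- C:\0w.com
2008-04-07 23:34 32 a------- c:\docume~1\alluse~1\dadosd~1\ezsid.dat
"""

# One DDS file entry: date, time, size or <DIR>, 8-character attribute
# field, path.  Attribute letters as I read them from the log (assumption):
# a=archive, d=directory, s=system, h=hidden, r=read-only, t=temporary.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[a-z-]{8})\s+(?P<path>.+?)\s*$"
)

# Extensions Windows will run directly or via rundll32 / the screensaver host.
EXEC_EXT = {".exe", ".com", ".cmd", ".bat", ".dll", ".scr", ".pif"}

# "C:\name" with no further path separator: the drive root, where
# autorun-style worms drop their launcher next to Autorun.inf.
ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+$")


class Entry(NamedTuple):
    date: str
    size: Optional[int]        # None for <DIR> entries
    attrs: FrozenSet[str]      # attribute letters present, e.g. {'s', 'h', 'r'}
    path: str


def parse_dds_entries(text: str) -> List[Entry]:
    """Parse DDS file-listing lines; anything that is not an entry is skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
        attrs = frozenset(c for c in m["attrs"] if c != "-")
        entries.append(Entry(m["date"], size, attrs, m["path"]))
    return entries


def extension(path: str) -> str:
    """Lower-cased extension of the last path component, '' if none."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reasons) for executables matching the worm patterns.

    Heuristics only: legitimate files can carry these attributes, and the
    thread's question about AhnRpta.exe is not decided here; that file has
    a plain archive attribute and sits under the Windows directory, so
    neither rule fires on it.
    """
    findings = []
    for e in entries:
        if "d" in e.attrs or extension(e.path) not in EXEC_EXT:
            continue
        reasons = []
        if {"s", "h"} <= e.attrs:
            reasons.append("executable marked system+hidden")
        if ROOT_RE.match(e.path):
            reasons.append("executable dropped in drive root")
        if reasons:
            findings.append((e.path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for path, why in triage(parse_dds_entries(SAMPLE_DDS)):
        print(f"{path:45} {why}")
```

Run against the full log, the same rules pick out the numbered DLL families in system32 and the .com/.cmd/.bat files in C:\, several of which appear in ComboFix's deletion list later in the thread; anything it flags still needs a hash lookup or a second opinion before deletion.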

#2 Cokone

Posted 29 January 2009 - 09:16 AM

Help please...

Thanks

#3 Cokone

Posted 03 February 2009 - 09:49 AM

Please guys, I need a hand here... I can't remove this virus,
and it appears that it's not the only virus.

Thanks!

#4 Blade81 (Malware Response Team)

Posted 04 February 2009 - 05:11 PM

Hi,

If you still need help with this, post a fresh DDS report, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 Cokone


Posted 05 February 2009 - 09:31 AM

Here it is.

Thanks for the help
:D


------------------------------



DDS (Ver_09-01-19.01) - NTFSx86
Run by Master at 12:28:54,31 on 05/02/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.659 [GMT -2:00]

AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\AhnRpta.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe
C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\twain_32\Vivid\Vivid.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Arquivos de programas\Java\jre1.6.0_07\bin\jucheck.exe
C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
C:\Documents and Settings\Master\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Facilitador de Leitor de Link Adobe PDF: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelper.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\arquivos de programas\bitcomet\tools\BitCometBHO_1.2.2.28.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
uRun: [DAEMON Tools Lite] "c:\arquivos de programas\daemon tools lite\daemon.exe" -autorun
uRun: [SpybotSD TeaTimer] c:\arquivos de programas\spybot - search & destroy\TeaTimer.exe
uRun: [EasyLinkAdvisor] "c:\arquivos de programas\linksys easylink advisor\LinksysAgent.exe" /startup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [NeroFilterCheck] c:\arquivos de programas\arquivos comuns\ahead\lib\NeroCheck.exe
mRun: [AVG7_CC] c:\arquiv~1\grisoft\avg7\avgcc.exe /STARTUP
mRun: [HP Component Manager] "c:\arquivos de programas\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [HP Software Update] "c:\arquivos de programas\hewlett-packard\hp software update\HPWuSchd2.exe"
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre1.6.0_07\bin\jusched.exe"
mRun: [InstantAccess] c:\arquiv~1\textbr~1.0\bin\INSTAN~1.EXE /h
mRun: [RegisterDropHandler] c:\arquiv~1\textbr~1.0\bin\REGIST~1.EXE
mRun: [TkBellExe] "c:\arquivos de programas\arquivos comuns\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [StartCCC] "c:\arquivos de programas\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRunOnce: [wextract_cleanup1] rundll32.exe c:\windows\system32\advpack.dll,delnoderundll32 "c:\docume~1\master\config~1\temp\ixp001.tmp\"
mRunServices: [RegisterDropHandler] c:\arquiv~1\textbr~1.0\bin\REGIST~1.EXE
dRun: [AVG7_Run] c:\arquiv~1\grisoft\avg7\avgw.exe /RUNONCE
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\detector.lnk - c:\windows\twain_32\vivid\Vivid.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Baixar link usando &BitComet - c:\arquivos de programas\bitcomet\BitComet.exe/AddLink.htm
IE: Baixar todos os links usando BitComet - c:\arquivos de programas\bitcomet\BitComet.exe/AddAllLink.htm
IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\bitcomet\BitComet.exe/AddVideo.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://c:\arquivos de programas\bitcomet\tools\BitCometBHO_1.2.2.28.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~2\office11\REFIEBAR.DLL
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1206644724140
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {30A1C6FA-609E-4E0B-8E59-48A306E7C76C} = 200.175.182.139,200.175.89.139
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\arquivos de programas\hp\hpcoretech\comp\hpuiprot.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
SEH: hook dll rising: {c5f43bef-ce2f-46d8-afe6-a647bacd1f09} - c:\windows\system32\Bitkv1.dll
SEH: hook dll rising: {bb4c402f-882a-4526-8c08-51278ea437c1} - c:\windows\system32\afmain0.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\master\dadosd~1\mozilla\firefox\profiles\zsa2ri8e.default\
FF - component: c:\documents and settings\master\dados de aplicativos\mozilla\firefox\profiles\zsa2ri8e.default\extensions\{87f8774f-b485-47e2-a755-a40a8a5e886d}\components\GbMzhCef.dll
FF - component: c:\documents and settings\master\dados de aplicativos\mozilla\firefox\profiles\zsa2ri8e.default\extensions\{87f8774f-b485-47e2-a755-a40a8a5e8873}\components\GbMzhUni.dll
FF - plugin: c:\arquivos de programas\google\picasa3\npPicasa3.dll
FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\documents and settings\all users\dados de aplicativos\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nppl3260.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprjplug.dll
FF - plugin: c:\program files\real\realplayer\netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2008-3-27 77312]
R1 Avg7Core;AVG7 Kernel;c:\windows\system32\drivers\avg7core.sys [2008-3-28 821856]
R1 Avg7RsW;AVG7 Wrap Driver;c:\windows\system32\drivers\avg7rsw.sys [2008-3-28 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP;c:\windows\system32\drivers\avg7rsxp.sys [2008-3-28 27776]
R1 AvgClean;AVG7 Clean Driver;c:\windows\system32\drivers\avgclean.sys [2008-3-28 10760]
R4 Avg7Alrt;AVG7 Alert Manager Server;c:\arquiv~1\grisoft\avg7\avgamsvr.exe [2008-3-28 418816]
R4 Avg7UpdSvc;AVG7 Update Service;c:\arquiv~1\grisoft\avg7\avgupsvc.exe [2008-3-28 49664]
R4 AVGEMS;AVG E-mail Scanner;c:\arquiv~1\grisoft\avg7\avgemc.exe [2008-3-28 406528]
R4 AvgTdi;AVG Network Redirector;c:\windows\system32\drivers\avgtdi.sys [2008-3-28 4960]
R4 ppsio2;PPDevice;c:\windows\system32\drivers\PPSIO2.SYS [2008-5-7 22400]

=============== Created Last 30 ================

2009-02-05 12:26 82,432 ----h--t c:\windows\system32\eb7391f.dll
2009-02-05 12:26 82,432 ----h--t c:\windows\system32\445a9e2.dll
2009-02-04 22:07 <DIR> --d----- C:\Combat Arms
2009-02-04 21:56 <DIR> --d----- c:\docume~1\alluse~1\dadosd~1\PMB Files
2009-02-04 21:55 <DIR> --d----- c:\arquivos de programas\Pando Networks
2009-01-26 20:59 9,200 -------- c:\windows\system32\drivers\cdralw2k.sys
2009-01-26 20:59 9,072 -------- c:\windows\system32\drivers\cdr4_xp.sys
2009-01-26 20:47 50,068 a---h--- c:\windows\system32\mlfcache.dat
2009-01-26 20:36 <DIR> --d----- c:\windows\system32\IOSUBSYS
2009-01-25 15:23 <DIR> --d----- C:\rafael
2009-01-25 15:16 108,512 ---shr-- C:\uvsqfgwd.cmd
2009-01-16 06:09 95,744 ---shr-- c:\windows\system32\nmdfgds2.dll
2009-01-16 05:12 110,003 ---shr-- C:\x2csvg.exe
2009-01-15 18:15 70,144 a------- c:\windows\AhnRpta.exe
2009-01-15 18:07 95,744 ---shr-- c:\windows\system32\nmdfgds1.dll
2009-01-15 18:07 108,940 ---shr-- C:\ve.exe
2009-01-15 18:06 108,705 ---shr-- c:\windows\system32\olhrwef.exe
2009-01-15 18:06 95,744 -------- c:\windows\system32\nmdfgds0.dll
2009-01-14 20:18 <DIR> --d----- c:\docume~1\master\dadosd~1\Samsung
2009-01-14 17:58 174,592 a------- c:\windows\system32\framedyn.dll
2009-01-14 17:57 109,704 a------- c:\windows\system32\drivers\ss_mdm.sys
2009-01-14 17:57 83,592 a------- c:\windows\system32\drivers\ss_bus.sys
2009-01-14 17:57 15,112 a------- c:\windows\system32\drivers\ss_mdfl.sys
2009-01-14 17:57 12,424 a------- c:\windows\system32\drivers\ss_whnt.sys
2009-01-14 17:57 12,424 a------- c:\windows\system32\drivers\ss_wh.sys
2009-01-14 17:57 12,424 a------- c:\windows\system32\drivers\ss_cmnt.sys
2009-01-14 17:57 12,424 a------- c:\windows\system32\drivers\ss_cm.sys
2009-01-14 17:57 <DIR> --d----- c:\windows\system32\Samsung_USB_Drivers
2009-01-14 17:57 766 a------- c:\windows\system32\Uninstall.ico
2009-01-14 17:57 5,632 a------- c:\windows\system32\drivers\StarOpen.sys
2009-01-14 17:57 <DIR> --d----- c:\arquivos de programas\Samsung
2009-01-12 18:05 102,439 a------- c:\windows\system32\sipr3260.dll
2009-01-11 18:49 <DIR> --d----- C:\30 rock

==================== Find3M ====================

2009-01-05 20:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2009-01-05 18:56 85,504 ---shr-- c:\windows\system32\gasretyw0.dll
2008-12-26 10:03 85,504 ---shr-- c:\windows\system32\vbsdfe1.dll
2008-12-26 10:03 115,869 ---shr-- c:\windows\system32\vamsoft.exe
2008-12-26 10:02 85,504 -------- c:\windows\system32\vbsdfe0.dll
2008-12-11 08:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-08 14:46 84,992 ---shr-- c:\windows\system32\gasretyw1.dll
2008-11-20 08:56 106,626 ---shr-- C:\abk.bat
2008-11-14 15:19 105,062 ---shr-- c:\windows\system32\kamsoft.exe
2008-11-14 15:19 105,062 ---shr-- C:\0w.com
2008-11-12 13:13 99,461 ---shr-- C:\lky.exe
2008-11-09 09:00 110,013 ---shr-- C:\whi.com
2008-11-09 09:00 110,013 ---shr-- C:\sq.com
2008-06-01 15:49 87,608 a------- c:\docume~1\master\dadosd~1\inst.exe
2008-06-01 15:49 47,360 a------- c:\docume~1\master\dadosd~1\pcouffin.sys
2008-04-07 23:34 32 a------- c:\docume~1\alluse~1\dadosd~1\ezsid.dat

============= FINISH: 12:29:21,03 ===============


#6 Blade81 (Malware Response Team)

Posted 05 February 2009 - 12:53 PM

Hi,

Nowadays a major part of infections spreads via P2P networks. BitComet is a P2P client and I recommend uninstalling it.


If you have used USB removable drives with this system recently, I recommend that they are plugged in to get them cleaned. There's namely a risk that they are infected, carrying a flash-drive infection.


Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

C:\ComboFix.txt
New HijackThis log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
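The flash-drive risk mentioned above is the Autorun.inf mechanism: the worm writes an Autorun.inf in the drive root next to a hidden launcher, so every machine the stick is plugged into runs the dropper (the ComboFix log later in this thread shows C:\Autorun.inf among the deletions, but not its contents). As an added example, not from the original post or from any tool the thread uses, the parser below pulls every launch target out of such a file while tolerating the junk lines and mixed-case keys these files typically carry, which is where a strict INI parser gives up. The sample Autorun.inf is constructed; it borrows a file name from the poster's log only for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample.  The thread shows ComboFix deleting C:\Autorun.inf
# but not its contents; this imitates the files such worms write: junk
# comment lines, mixed-case keys, every launch key pointing at the same
# dropper, and a custom verb made the default action via "shell=".
# The file name is taken from the poster's log purely for illustration.
SAMPLE_AUTORUN = r"""
;ga7Xq9
[AutoRun]
 ;yQ2w
open=uvsqfgwd.cmd
shell\open\Command=uvsqfgwd.cmd
sHeLl\explore\Command=uvsqfgwd.cmd
shellexecute=uvsqfgwd.cmd
shell\Auto\command=uvsqfgwd.cmd
shell=Auto
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

# key=value with surrounding whitespace tolerated; keys may contain backslashes.
KEY_VALUE_RE = re.compile(r"^([^=;\[\]][^=]*?)\s*=\s*(.*?)$")
VERB_COMMAND_RE = re.compile(r"shell\\([^\\]+)\\command")


def parse_autorun(text: str) -> Dict[str, str]:
    r"""Return {lower-cased key: value} for the key=value lines under [autorun].

    Unlike configparser this survives garbage lines (no '='), mixed-case keys
    and keys such as shell\open\command that contain backslashes.
    """
    pairs = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section:
            continue
        m = KEY_VALUE_RE.match(line)
        if m:
            pairs[m.group(1).strip().lower()] = m.group(2).strip()
    return pairs


def launch_targets(pairs: Dict[str, str]) -> List[Tuple[str, str]]:
    r"""Every command the file could run, paired with the key that triggers it.

    open= and shellexecute= fire on media insertion when AutoRun is enabled;
    shell\<verb>\command fires when the user double-clicks the drive or picks
    the verb from its context menu; shell=<verb> makes that verb the default
    action, so even a cautious double-click runs the dropper.
    """
    targets = []
    for key in ("open", "shellexecute"):
        if key in pairs:
            targets.append((key, pairs[key]))
    default_verb = pairs.get("shell", "").lower()
    for key, value in pairs.items():
        m = VERB_COMMAND_RE.fullmatch(key)
        if m:
            suffix = " (default verb)" if m.group(1) == default_verb else ""
            targets.append((key + suffix, value))
    return targets


def launched_files(pairs: Dict[str, str]) -> List[str]:
    """Distinct file names the launch keys reference, for matching against the drive-root listing."""
    names = set()
    for _, command in launch_targets(pairs):
        first = command.split(" ", 1)[0]          # drop any arguments
        names.add(first.rsplit("\\", 1)[-1].lower())
    return sorted(names)


if __name__ == "__main__":
    parsed = parse_autorun(SAMPLE_AUTORUN)
    for trigger, command in launch_targets(parsed):
        print(f"{trigger:35} -> {command}")
    print("files to look for in the drive root:", launched_files(parsed))
```

Comparing launched_files() against the drive-root listing (with hidden and system files shown) tells you which file the drive would run; both that launcher and the Autorun.inf have to go, on every stick that touched the infected machine.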



#7 Cokone


Posted 05 February 2009 - 07:56 PM

ComboFix 09-02-05.01 - Master 2009-02-05 21:04:37.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1023.580 [GMT -2:00]
Running from: c:\documents and settings\Master\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Master\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe
AV: AVG 7.5.524 *On-access scanning enabled* (Outdated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\0w.com
C:\1t6yxlxx.cmd
C:\9.cmd
C:\abk.bat
C:\Autorun.inf
C:\b.exe
c:\documents and settings\Master\Dados de aplicativos\inst.exe
C:\lky.exe
C:\uvsqfgwd.cmd
c:\windows\IE4 Error Log.txt
c:\windows\system32\_000006_.tmp.dll
c:\windows\system32\Bitkv0.dll
c:\windows\system32\Bitkv1.dll
c:\windows\system32\gasretyw0.dll
c:\windows\system32\gasretyw1.dll
c:\windows\system32\kamsoft.exe
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\nmdfgds2.dll
c:\windows\system32\olhrwef.exe
c:\windows\system32\vamsoft.exe

.
(((((((((((((((( Files Created from 2009-01-05 to 2009-02-05 ))))))))))))))))))))))))))))
.

2009-02-05 12:26 . 2008-04-14 00:20 82,432 ---h---t- c:\windows\system32\eb7391f.dll
2009-02-05 12:26 . 2008-04-14 00:20 82,432 ---h---t- c:\windows\system32\445a9e2.dll
2009-02-04 22:07 . 2009-02-04 22:07 <DIR> d-------- C:\Combat Arms
2009-02-04 21:56 . 2009-02-04 21:56 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\PMB Files
2009-02-04 21:55 . 2009-02-04 21:55 <DIR> d-------- c:\arquivos de programas\Pando Networks
2009-01-26 20:59 . 2008-07-31 20:17 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2009-01-26 20:59 . 2008-07-31 20:17 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2009-01-26 20:47 . 2009-01-26 20:47 50,068 --ah----- c:\windows\system32\mlfcache.dat
2009-01-26 20:36 . 2009-01-26 20:59 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-01-25 15:23 . 2009-01-25 15:23 <DIR> d-------- C:\rafael
2009-01-16 05:12 . 2009-01-16 06:09 110,003 -r-hs---- C:\x2csvg.exe
2009-01-15 18:15 . 2008-04-14 00:21 70,144 --a------ c:\windows\AhnRpta.exe
2009-01-15 18:07 . 2009-01-15 18:32 108,940 -r-hs---- C:\ve.exe
2009-01-14 20:18 . 2009-01-14 20:18 <DIR> d-------- c:\documents and settings\Master\Dados de aplicativos\Samsung
2009-01-14 17:58 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\arquivos de programas\Samsung
2009-01-14 17:57 . 2007-05-02 11:11 109,704 --a------ c:\windows\system32\drivers\ss_mdm.sys
2009-01-14 17:57 . 2007-05-02 11:11 83,592 --a------ c:\windows\system32\drivers\ss_bus.sys
2009-01-14 17:57 . 2007-05-02 11:11 15,112 --a------ c:\windows\system32\drivers\ss_mdfl.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_whnt.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_wh.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_cmnt.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_cm.sys
2009-01-14 17:57 . 2009-01-14 18:34 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2009-01-14 17:57 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-01-12 18:05 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2009-01-11 18:49 . 2009-02-02 19:09 <DIR> d-------- C:\30 rock
2009-01-05 20:33 . 2009-01-05 20:33 3,751,995 --a------ c:\windows\system32\GPhotos.scr

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-05 18:36 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\AVG7
2009-02-02 21:52 --------- d-----w c:\arquivos de programas\mIRC
2009-01-31 17:45 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\mIRC
2009-01-26 22:59 --------- d-----w c:\arquivos de programas\Google
2009-01-25 22:21 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-01-25 17:16 --------- d-----w c:\arquivos de programas\Spybot - Search & Destroy
2009-01-19 14:27 --------- d-----w c:\arquivos de programas\EvilLyrics
2009-01-18 20:25 --------- d-----w c:\arquivos de programas\BitComet
2009-01-14 19:57 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information
2009-01-12 22:32 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\Vso
2009-01-12 21:48 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\vsosdk
2009-01-11 18:28 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\Skype
2009-01-06 19:26 --------- d-----w c:\arquivos de programas\Soulseek
2009-01-01 20:13 --------- d-----w c:\arquivos de programas\Ubisoft
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:23 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\skypePM
2008-11-09 11:00 110,013 --sh--r C:\whi.com
2008-11-09 11:00 110,013 --sh--r C:\sq.com
2008-06-01 17:49 47,360 ----a-w c:\documents and settings\Master\Dados de aplicativos\pcouffin.sys
2008-04-08 01:34 32 ----a-w c:\documents and settings\All Users\Dados de aplicativos\ezsid.dat
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"SpybotSD TeaTimer"="c:\arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"EasyLinkAdvisor"="c:\arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AVG7_CC"="c:\arquiv~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 579584]
"HP Component Manager"="c:\arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"InstantAccess"="c:\arquiv~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1998-07-07 37376]
"RegisterDropHandler"="c:\arquiv~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]
"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-05-07 185896]
"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2008-05-27 413696]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"StartCCC"="c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SoundMan"="SOUNDMAN.EXE" [2005-01-19 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup1"="c:\windows\system32\advpack.dll" [2008-04-14 101376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\arquiv~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\arquiv~1\Grisoft\AVG7\avgw.exe" [2008-03-28 219136]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Detector.lnk - c:\windows\twain_32\Vivid\Vivid.exe [2008-05-07 40960]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"= "c:\windows\system32\afmain0.dll" [2008-04-14 78848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Arquivos de programas\\Soulseek\\slsk.exe"=
"c:\\Arquivos de programas\\BitComet\\BitComet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Arquivos de programas\\mIRC\\mirc.exe"=
"c:\\Arquivos de programas\\EvilLyrics\\EvilLyrics.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"c:\\Arquivos de programas\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9723:TCP"= 9723:TCP:BitComet 9723 TCP
"9723:UDP"= 9723:UDP:BitComet 9723 UDP
"57990:TCP"= 57990:TCP:Pando Media Booster
"57990:UDP"= 57990:UDP:Pando Media Booster

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2008-03-27 77312]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\PPSIO2.SYS [2008-05-07 22400]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03effe36-e275-11dd-b2bd-0013d46659ef}]
\Shell\AutoRun\command - H:\uvsqfgwd.cmd
\Shell\open\Command - H:\uvsqfgwd.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0892b5bd-749f-11dd-b140-0013d46659ef}]
\Shell\AutoRun\command - F:\xih9.cmd
\Shell\explore\Command - F:\xih9.cmd
\Shell\open\Command - F:\xih9.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ca3bb80-fcd1-11dc-b006-806d6172696f}]
\Shell\AutoRun\command - F:\39lpji.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50a46a0a-ff68-11dc-b00f-0013d46659ef}]
\Shell\AutoRun\command - I:\0w.com
\Shell\explore\Command - I:\0w.com
\Shell\open\Command - I:\0w.com
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]
.
- - - - ORFÃOS REMOVIDOS - - - -

MSConfigStartUp-kamsoft - c:\windows\system32\kamsoft.exe


.
------- Scan Suplementar -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Baixar link usando &BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddLink.htm
IE: Baixar todos os links usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {30A1C6FA-609E-4E0B-8E59-48A306E7C76C} = 200.175.182.139,200.175.89.139
FF - ProfilePath - c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\
FF - component: c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886D}\components\GbMzhCef.dll
FF - component: c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll
FF - plugin: c:\arquivos de programas\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-05 21:08:31
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(716)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\arquiv~1\Grisoft\AVG7\avgamsvr.exe
c:\arquiv~1\Grisoft\AVG7\avgupsvc.exe
c:\arquiv~1\Grisoft\AVG7\avgemc.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\AhnRpta.exe
c:\windows\system32\wscntfy.exe
c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-02-05 21:11:57 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-02-05 23:11:49

Pré-execução: 28 pasta(s) 106.055.446.528 bytes disponíveis
Pós execução: 28 pasta(s) 106,347,876,352 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

237 --- E O F --- 2009-01-15 09:46:08

#8 Blade81 (Bleepin' Rocker, Malware Response Team, Finland)

Posted 06 February 2009 - 01:18 PM

Hi,

You have a flash infection there. If this system has had any USB removable drives plugged in lately, then you have to have those attached during this whole cleaning operation. Otherwise those will stay infected and infect other systems when plugged into them.



Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer
Download ResetTeaTimer.bat to the Desktop (right click the link and select save)
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and prevent TeaTimer from restoring them upon reactivation).



Uninstall old Adobe Reader versions and get the latest one here, or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
  • Click the Download button to the right.
  • Select Windows on the platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck the MSN toolbar if it's offered there.

Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\eb7391f.dll
c:\windows\system32\445a9e2.dll
C:\x2csvg.exe
c:\windows\AhnRpta.exe
C:\ve.exe
C:\whi.com
C:\sq.com
c:\windows\system32\afmain0.dll
H:\uvsqfgwd.cmd
F:\xih9.cmd
F:\39lpji.com
I:\0w.com

Registry::
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{BB4C402F-882A-4526-8C08-51278EA437C1}"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03effe36-e275-11dd-b2bd-0013d46659ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0892b5bd-749f-11dd-b140-0013d46659ef}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3ca3bb80-fcd1-11dc-b006-806d6172696f}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{50a46a0a-ff68-11dc-b00f-0013d46659ef}]


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here.


Post back its report, a fresh hjt log and the above-mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.
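As an added example (not from this thread, from ComboFix, or from Blade81), the following Python script parses the two ComboFix log sections the fix above targets, the mountpoints2 registry dump and the created-files listing, and flags the removable-drive AutoRun pattern that Blade81 calls a flash infection. The sample log text is constructed to mirror the posted log's layout; the second GUID and its benign Setup.exe entry are invented, and the root-drive heuristic is an assumption, not a ComboFix rule.

```python
import re

# Constructed sample in the layout of the ComboFix log posted above.
# The second mountpoints2 key (all-a GUID) and its Setup.exe target are
# invented to show a benign-looking entry that should NOT be flagged.
SAMPLE_LOG = r"""
2009-01-16 05:12 . 2009-01-16 06:09 110,003 -r-hs---- C:\x2csvg.exe
2009-01-15 18:15 . 2008-04-14 00:21 70,144 --a------ c:\windows\AhnRpta.exe
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\arquivos de programas\Samsung
2009-01-05 20:33 . 2009-01-05 20:33 3,751,995 --a------ c:\windows\system32\GPhotos.scr

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{03effe36-e275-11dd-b2bd-0013d46659ef}]
\Shell\AutoRun\command - H:\uvsqfgwd.cmd
\Shell\open\Command - H:\uvsqfgwd.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aaaaaaaa-0000-0000-0000-000000000000}]
\Shell\AutoRun\command - D:\Install\Setup.exe
"""

# One mountpoints2 key per cached removable volume, identified by GUID.
MOUNTPOINT_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer"
    r"\\mountpoints2\\(\{[0-9a-f\-]+\})\]$", re.I)
# Shell verb lines under such a key: "\Shell\<verb>\command - <target>".
SHELL_CMD = re.compile(r"^\\Shell\\(\w+)\\command - (.+?)\s*$", re.I)
# Created-files lines: two timestamps, size or <DIR>, 9-char attribute string, path.
FILE_ENTRY = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:[\d,]+|<DIR>) ([-a-z]{9}) (.+?)\s*$", re.I)
# Heuristic: an executable/script sitting directly in a drive root.
ROOT_TARGET = re.compile(r"^[a-z]:\\[^\\]+\.(?:cmd|bat|com|exe|scr|pif)$", re.I)
ROOT_FILE = re.compile(r"^[a-z]:\\[^\\]+$", re.I)


def parse_mountpoints(lines):
    """Return {guid: {verb: target}} for every mountpoints2 key in the log."""
    result, current = {}, None
    for line in lines:
        key = MOUNTPOINT_KEY.match(line)
        if key:
            current = key.group(1).lower()
            result[current] = {}
            continue
        if current is None:
            continue
        verb = SHELL_CMD.match(line)
        if verb:
            result[current][verb.group(1).lower()] = verb.group(2)
        elif not line.strip():
            current = None  # blank line closes the key block
    return result


def parse_file_entries(lines):
    """Return [(attrs, path)] for every created-file line in the log."""
    return [(m.group(1), m.group(2)) for m in map(FILE_ENTRY.match, lines) if m]


def find_autorun_hijacks(mountpoints):
    """Flag AutoRun/open/explore verbs whose target is a script or executable
    in a drive root, the shape left by the removable-drive worms in this thread."""
    return [(guid, verb, target)
            for guid, verbs in mountpoints.items()
            for verb, target in verbs.items()
            if ROOT_TARGET.match(target)]


def find_hidden_root_files(entries):
    """Flag drive-root files carrying both hidden (h) and system (s) attributes,
    e.g. the '-r-hs----' droppers in the posted log."""
    return [path for attrs, path in entries
            if "h" in attrs.lower() and "s" in attrs.lower() and ROOT_FILE.match(path)]


def triage(log_text):
    """Run both checks over a ComboFix log and return the findings."""
    lines = log_text.splitlines()
    return {
        "autorun_hijacks": find_autorun_hijacks(parse_mountpoints(lines)),
        "hidden_root_files": find_hidden_root_files(parse_file_entries(lines)),
    }


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, hits)
```

Every mountpoints2 entry flagged this way should be cross-checked against the drive letters actually plugged in, which is why the drives have to stay attached during the clean-up.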


#9 Cokone (Topic Starter, Members)

Posted 07 February 2009 - 12:07 PM

Hi,

I've removed all the Java programs in my Installed Programs list, but when I click on Accept to install "jre-6u12-windows-i586-p.exe", it shows the message "the wizard was interrupted before Java 6 Update 12 could be completely installed".

Thanks again

#10 Blade81 (Bleepin' Rocker, Malware Response Team, Finland)

Posted 07 February 2009 - 12:34 PM

Hi

Try doing the ComboFix part first and try installing Java again after that.



#11 Cokone (Topic Starter, Members)

Posted 07 February 2009 - 07:55 PM

KAS log ------------------------


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, February 7, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, February 07, 2009 19:04:04
Records in database: 1765672
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 52412
Threat name: 22
Infected objects: 28
Suspicious objects: 0
Duration of the scan: 01:12:43


File name / Threat name / Threats count
C:\2fiji.com Infected: Trojan-GameThief.Win32.Magania.aiau 1
C:\Documents and Settings\Master\Meus documentos\despacho_artigo875234134.scr Infected: Trojan-Downloader.Win32.Dadobra.bpv 1
C:\Qoobox\Quarantine\C\0w.com.vir Infected: Trojan-GameThief.Win32.Magania.akhq 1
C:\Qoobox\Quarantine\C\1t6yxlxx.cmd.vir Infected: Trojan-GameThief.Win32.Magania.acjq 1
C:\Qoobox\Quarantine\C\9.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ahbf 1
C:\Qoobox\Quarantine\C\abk.bat.vir Infected: Trojan.Win32.Agent.aosw 1
C:\Qoobox\Quarantine\C\b.exe.vir Infected: Trojan-GameThief.Win32.Magania.ahhh 1
C:\Qoobox\Quarantine\C\lky.exe.vir Infected: Trojan-Downloader.Win32.Zlob.aceg 1
C:\Qoobox\Quarantine\C\sq.com.vir Infected: Worm.Win32.AutoRun.sbo 1
C:\Qoobox\Quarantine\C\uvsqfgwd.cmd.vir Infected: Trojan-GameThief.Win32.Magania.audk 1
C:\Qoobox\Quarantine\C\ve.exe.vir Infected: Trojan-GameThief.Win32.Magania.asth 1
C:\Qoobox\Quarantine\C\whi.com.vir Infected: Worm.Win32.AutoRun.sbo 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\afmain0.dll.vir Infected: Packed.Win32.Krap.g 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Bitkv0.dll.vir Infected: Packed.Win32.Krap.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Bitkv1.dll.vir Infected: Packed.Win32.Krap.b 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasretyw0.dll.vir Infected: Trojan-GameThief.Win32.Magania.akll 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gasretyw1.dll.vir Infected: Trojan.Win32.Inject.ldi 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\kamsoft.exe.vir Infected: Trojan-GameThief.Win32.Magania.akhq 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nmdfgds2.dll.vir Infected: Trojan-GameThief.Win32.Magania.aszu 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\vamsoft.exe.vir Infected: Trojan-GameThief.Win32.Magania.arsp 1
C:\Qoobox\Quarantine\C\x2csvg.exe.vir Infected: Trojan-GameThief.Win32.Magania.aswh 1
C:\Qoobox\Quarantine\I\xih9.cmd.vir Infected: Trojan-GameThief.Win32.Magania.ajjs 1
C:\WINDOWS\system32\afmain1.dll Infected: Packed.Win32.Krap.g 1
C:\WINDOWS\system32\afmain2.dll Infected: Packed.Win32.Krap.g 1
C:\WINDOWS\system32\vbsdfe0.dll Infected: Trojan-GameThief.Win32.WOW.dzf 1
C:\WINDOWS\system32\vbsdfe1.dll Infected: Trojan-GameThief.Win32.WOW.dzf 1
C:\xlk9.com Infected: Trojan-GameThief.Win32.Magania.aigw 1
I:\2fiji.com Infected: Trojan-GameThief.Win32.Magania.ahhn 1

The selected area was scanned.






COMBOFIX ---------------------



ComboFix 09-02-06.04 - Master 2009-02-07 15:48:06.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1023.594 [GMT -2:00]
Executando de: c:\documents and settings\Master\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Master\Desktop\CFScript.txt
AV: AVG 7.5.524 *On-access scanning disabled* (Outdated)
* Criado um novo ponto de restauro

FILE ::
C:\sq.com
C:\ve.exe
C:\whi.com
c:\windows\AhnRpta.exe
c:\windows\system32\445a9e2.dll
c:\windows\system32\afmain0.dll
c:\windows\system32\eb7391f.dll
C:\x2csvg.exe
F:\39lpji.com
F:\xih9.cmd
H:\uvsqfgwd.cmd
I:\0w.com
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\1utbfd.bat
C:\autorun.inf
C:\m0vnonh.bat
C:\sq.com
C:\ve.exe
C:\whi.com
c:\windows\AhnRpta.exe
c:\windows\system32\445a9e2.dll
c:\windows\system32\afmain0.dll
c:\windows\system32\eb7391f.dll
c:\windows\system32\nmdfgds0.dll
c:\windows\system32\nmdfgds1.dll
c:\windows\system32\olhrwef.exe
C:\x2csvg.exe
H:\1utbfd.bat
H:\autorun.inf
I:\1utbfd.bat
I:\autorun.inf
I:\xih9.cmd

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-07 to 2009-02-07 ))))))))))))))))))))))))))))
.

2009-02-07 14:26 . 2009-02-07 14:39 <DIR> d-------- c:\arquivos de programas\MSECACHE
2009-02-07 14:04 . 2009-02-07 14:04 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\Adobe AIR
2009-02-04 21:55 . 2009-02-05 21:15 <DIR> d-------- c:\arquivos de programas\Pando Networks
2009-01-26 20:59 . 2008-07-31 20:17 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2009-01-26 20:59 . 2008-07-31 20:17 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2009-01-26 20:47 . 2009-01-26 20:47 50,068 --ah----- c:\windows\system32\mlfcache.dat
2009-01-26 20:36 . 2009-01-26 20:59 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-01-25 15:23 . 2009-01-25 15:23 <DIR> d-------- C:\rafael
2009-01-14 20:18 . 2009-01-14 20:18 <DIR> d-------- c:\documents and settings\Master\Dados de aplicativos\Samsung
2009-01-14 17:58 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\arquivos de programas\Samsung
2009-01-14 17:57 . 2007-05-02 11:11 109,704 --a------ c:\windows\system32\drivers\ss_mdm.sys
2009-01-14 17:57 . 2007-05-02 11:11 83,592 --a------ c:\windows\system32\drivers\ss_bus.sys
2009-01-14 17:57 . 2007-05-02 11:11 15,112 --a------ c:\windows\system32\drivers\ss_mdfl.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_whnt.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_wh.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_cmnt.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_cm.sys
2009-01-14 17:57 . 2009-01-14 18:34 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2009-01-14 17:57 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-01-12 18:05 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2009-01-11 18:49 . 2009-02-02 19:09 <DIR> d-------- C:\30 rock

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-07 16:03 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe
2009-02-07 15:36 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\AVG7
2009-02-06 22:06 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-02-06 22:06 --------- d-----w c:\arquivos de programas\Spybot - Search & Destroy
2009-02-06 21:02 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\mIRC
2009-02-06 21:02 --------- d-----w c:\arquivos de programas\mIRC
2009-02-05 23:15 --------- d-----w c:\arquivos de programas\Soulseek
2009-01-26 22:59 --------- d-----w c:\arquivos de programas\Google
2009-01-19 14:27 --------- d-----w c:\arquivos de programas\EvilLyrics
2009-01-18 20:25 --------- d-----w c:\arquivos de programas\BitComet
2009-01-14 19:57 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information
2009-01-12 22:32 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\Vso
2009-01-12 21:48 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\vsosdk
2009-01-11 18:28 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\Skype
2009-01-01 20:13 --------- d-----w c:\arquivos de programas\Ubisoft
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:23 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\skypePM
2008-06-01 17:49 47,360 ----a-w c:\documents and settings\Master\Dados de aplicativos\pcouffin.sys
2008-04-08 01:34 32 ----a-w c:\documents and settings\All Users\Dados de aplicativos\ezsid.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_21.10.57.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 17:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
+ 2006-12-02 00:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 00:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 00:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"EasyLinkAdvisor"="c:\arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"AVG7_CC"="c:\arquiv~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 579584]
"HP Component Manager"="c:\arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"InstantAccess"="c:\arquiv~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1998-07-07 37376]
"RegisterDropHandler"="c:\arquiv~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]
"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-05-07 185896]
"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2008-05-27 413696]
"StartCCC"="c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2005-01-19 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\arquiv~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\arquiv~1\Grisoft\AVG7\avgw.exe" [2008-03-28 219136]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Detector.lnk - c:\windows\twain_32\Vivid\Vivid.exe [2008-05-07 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Arquivos de programas\\Grisoft\\AVG7\\avgemc.exe"=
"c:\\Arquivos de programas\\BitComet\\BitComet.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Arquivos de programas\\mIRC\\mirc.exe"=
"c:\\Arquivos de programas\\EvilLyrics\\EvilLyrics.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9723:TCP"= 9723:TCP:BitComet 9723 TCP
"9723:UDP"= 9723:UDP:BitComet 9723 UDP

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2008-03-27 77312]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\PPSIO2.SYS [2008-05-07 22400]
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-cdoosoft - c:\windows\system32\olhrwef.exe


.
------- Scan Suplementar -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Baixar link usando &BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddLink.htm
IE: Baixar todos os links usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
IE: Baixar todos os vídeos usando BitComet - c:\arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {30A1C6FA-609E-4E0B-8E59-48A306E7C76C} = 200.175.182.139,200.175.89.139
FF - ProfilePath - c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\
FF - component: c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886D}\components\GbMzhCef.dll
FF - component: c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll
FF - plugin: c:\arquivos de programas\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-07 15:52:08
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(708)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\arquiv~1\Grisoft\AVG7\avgamsvr.exe
c:\arquiv~1\Grisoft\AVG7\avgupsvc.exe
c:\arquiv~1\Grisoft\AVG7\avgemc.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
c:\arquivos de programas\Grisoft\AVG7\avgcc.exe
c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-02-07 15:56:18 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-02-07 17:56:11
ComboFix2.txt 2009-02-06 01:04:48
ComboFix3.txt 2009-02-05 23:11:58

Pré-execução: 26 pasta(s) 105.701.224.448 bytes disponíveis
Pós execução: 26 pasta(s) 105,693,425,664 bytes disponíveis

216 --- E O F --- 2009-01-15 09:46:08






HIJACKTHIS --------------------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:43, on 07/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe
C:\Arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\twain_32\Vivid\Vivid.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Winamp\winamp.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Master\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Detector.lnk = C:\WINDOWS\twain_32\Vivid\Vivid.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1206644724140
O17 - HKLM\System\CCS\Services\Tcpip\..\{30A1C6FA-609E-4E0B-8E59-48A306E7C76C}: NameServer = 200.175.182.139,200.175.89.139
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe

--
End of file - 8323 bytes

#12 Blade81

Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:07 PM

Posted 08 February 2009 - 11:49 AM

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\2fiji.com
C:\Documents and Settings\Master\Meus documentos\despacho_artigo875234134.scr
C:\WINDOWS\system32\afmain1.dll
C:\WINDOWS\system32\afmain2.dll
C:\WINDOWS\system32\vbsdfe0.dll
C:\WINDOWS\system32\vbsdfe1.dll
C:\xlk9.com
I:\2fiji.com


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log & a fresh hjt log. Re-run Kaspersky scanner and post back its report too.


Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#13 Cokone

Cokone
  • Topic Starter

  • Members
  • 9 posts
  • Local time:11:07 AM

Posted 08 February 2009 - 03:13 PM

COMBOFIX------------------



ComboFix 09-02-08.01 - Master 2009-02-08 18:34:50.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1046.18.1023.703 [GMT -2:00]
Executando de: c:\documents and settings\Master\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Master\Desktop\CFScript.txt
* Criado um novo ponto de restauro
.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-01-08 to 2009-02-08 ))))))))))))))))))))))))))))
.

2009-02-08 18:08 . 2009-02-08 18:08 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Avg7
2009-02-07 15:59 . 2009-02-07 15:58 410,984 --a------ c:\windows\system32\deploytk.dll
2009-02-07 15:59 . 2009-02-07 15:58 73,728 --a------ c:\windows\system32\javacpl.cpl
2009-02-07 15:58 . 2009-02-07 15:58 <DIR> d-------- c:\arquivos de programas\Java
2009-02-07 14:26 . 2009-02-07 14:39 <DIR> d-------- c:\arquivos de programas\MSECACHE
2009-02-07 14:04 . 2009-02-07 14:04 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\Adobe AIR
2009-02-04 21:55 . 2009-02-05 21:15 <DIR> d-------- c:\arquivos de programas\Pando Networks
2009-01-26 20:59 . 2008-07-31 20:17 9,200 --------- c:\windows\system32\drivers\cdralw2k.sys
2009-01-26 20:59 . 2008-07-31 20:17 9,072 --------- c:\windows\system32\drivers\cdr4_xp.sys
2009-01-26 20:47 . 2009-01-26 20:47 50,068 --ah----- c:\windows\system32\mlfcache.dat
2009-01-26 20:36 . 2009-01-26 20:59 <DIR> d-------- c:\windows\system32\IOSUBSYS
2009-01-25 15:23 . 2009-01-25 15:23 <DIR> d-------- C:\rafael
2009-01-14 20:18 . 2009-01-14 20:18 <DIR> d-------- c:\documents and settings\Master\Dados de aplicativos\Samsung
2009-01-14 17:58 . 2006-05-03 22:53 174,592 --a------ c:\windows\system32\framedyn.dll
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\windows\system32\Samsung_USB_Drivers
2009-01-14 17:57 . 2009-01-14 17:57 <DIR> d-------- c:\arquivos de programas\Samsung
2009-01-14 17:57 . 2007-05-02 11:11 109,704 --a------ c:\windows\system32\drivers\ss_mdm.sys
2009-01-14 17:57 . 2007-05-02 11:11 83,592 --a------ c:\windows\system32\drivers\ss_bus.sys
2009-01-14 17:57 . 2007-05-02 11:11 15,112 --a------ c:\windows\system32\drivers\ss_mdfl.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_whnt.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_wh.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_cmnt.sys
2009-01-14 17:57 . 2007-05-02 11:11 12,424 --a------ c:\windows\system32\drivers\ss_cm.sys
2009-01-14 17:57 . 2009-01-14 18:34 5,632 --a------ c:\windows\system32\drivers\StarOpen.sys
2009-01-14 17:57 . 2005-08-28 20:51 766 --a------ c:\windows\system32\Uninstall.ico
2009-01-12 18:05 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2009-01-11 18:49 . 2009-02-02 19:09 <DIR> d-------- C:\30 rock

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 20:22 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\mIRC
2009-02-08 20:21 --------- d-----w c:\arquivos de programas\mIRC
2009-02-08 20:08 --------- d-----w c:\arquivos de programas\BitComet
2009-02-07 16:03 --------- d-----w c:\arquivos de programas\Arquivos comuns\Adobe
2009-02-06 22:06 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-02-06 22:06 --------- d-----w c:\arquivos de programas\Spybot - Search & Destroy
2009-02-05 23:15 --------- d-----w c:\arquivos de programas\Soulseek
2009-01-26 22:59 --------- d-----w c:\arquivos de programas\Google
2009-01-19 14:27 --------- d-----w c:\arquivos de programas\EvilLyrics
2009-01-14 19:57 --------- d--h--w c:\arquivos de programas\InstallShield Installation Information
2009-01-12 22:32 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\Vso
2009-01-12 21:48 --------- d-----w c:\documents and settings\All Users\Dados de aplicativos\vsosdk
2009-01-11 18:28 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\Skype
2009-01-05 22:33 3,751,995 ----a-w c:\windows\system32\GPhotos.scr
2009-01-01 20:13 --------- d-----w c:\arquivos de programas\Ubisoft
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:23 --------- d-----w c:\documents and settings\Master\Dados de aplicativos\skypePM
2008-06-01 17:49 47,360 ----a-w c:\documents and settings\Master\Dados de aplicativos\pcouffin.sys
2008-04-08 01:34 32 ----a-w c:\documents and settings\All Users\Dados de aplicativos\ezsid.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-02-05_21.10.57.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 17:06:42 295,606 ----a-r c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
- 2008-06-10 04:21:01 135,168 ----a-w c:\windows\system32\java.exe
+ 2009-02-07 17:58:52 144,792 ----a-w c:\windows\system32\java.exe
- 2008-06-10 04:21:04 135,168 ----a-w c:\windows\system32\javaw.exe
+ 2009-02-07 17:58:52 144,792 ----a-w c:\windows\system32\javaw.exe
- 2008-06-10 05:32:34 139,264 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-07 17:58:52 148,888 ----a-w c:\windows\system32\javaws.exe
+ 2009-02-08 17:09:40 16,384 ----atw c:\windows\temp\Perflib_Perfdata_7a4.dat
+ 2006-12-02 00:54:32 479,232 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcm80.dll
+ 2006-12-02 00:54:34 548,864 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcp80.dll
+ 2006-12-02 00:54:32 626,688 ----a-w c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_6b128700\msvcr80.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="c:\arquivos de programas\DAEMON Tools Lite\daemon.exe" [2008-04-01 486856]
"EasyLinkAdvisor"="c:\arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"HP Component Manager"="c:\arquivos de programas\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2004-03-04 172032]
"HP Software Update"="c:\arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-02-18 49152]
"InstantAccess"="c:\arquiv~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [1998-07-07 37376]
"RegisterDropHandler"="c:\arquiv~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]
"TkBellExe"="c:\arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" [2008-05-07 185896]
"QuickTime Task"="c:\arquivos de programas\QuickTime\QTTask.exe" [2008-05-27 413696]
"StartCCC"="c:\arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-02-07 148888]
"SoundMan"="SOUNDMAN.EXE" [2005-01-19 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler"="c:\arquiv~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [1998-07-07 22528]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Detector.lnk - c:\windows\twain_32\Vivid\Vivid.exe [2008-05-07 40960]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Arquivos de programas\\mIRC\\mirc.exe"=
"c:\\Arquivos de programas\\EvilLyrics\\EvilLyrics.exe"=
"c:\\Documents and Settings\\All Users\\Dados de aplicativos\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9723:TCP"= 9723:TCP:BitComet 9723 TCP
"9723:UDP"= 9723:UDP:BitComet 9723 UDP

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2008-03-27 77312]
R2 ppsio2;PPDevice;c:\windows\system32\drivers\PPSIO2.SYS [2008-05-07 22400]

--- ---

*Deregistered* - Avg7Core
*Deregistered* - Avg7RsXP
*Deregistered* - AvgClean
*Deregistered* - AvgTdi
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\arquivos de programas\Apple Software Update\SoftwareUpdate.exe [2008-04-11 18:57]
.
.
------- Scan Suplementar -------
.
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {30A1C6FA-609E-4E0B-8E59-48A306E7C76C} = 200.175.182.139,200.175.89.139
FF - ProfilePath - c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\
FF - component: c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886D}\components\GbMzhCef.dll
FF - component: c:\documents and settings\Master\Dados de aplicativos\Mozilla\Firefox\Profiles\zsa2ri8e.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\components\GbMzhUni.dll
FF - plugin: c:\arquivos de programas\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nppl3260.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprjplug.dll
FF - plugin: c:\program files\Real\RealPlayer\Netscape6\nprpjplug.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-08 18:36:32
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\Ø•€|ÿÿÿÿ•€|ù•6~*]
"6140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\windows\system32\Ati2evxx.dll
.
Tempo para conclusão: 2009-02-08 18:37:51
ComboFix-quarantined-files.txt 2009-02-08 20:37:39
ComboFix2.txt 2009-02-08 17:19:25
ComboFix3.txt 2009-02-07 17:56:19
ComboFix4.txt 2009-02-06 01:04:48
ComboFix5.txt 2009-02-08 20:34:26

Pré-execução: 25 pasta(s) 105.740.754.944 bytes disponíveis
Pós execução: 25 pasta(s) 105,792,217,088 bytes disponíveis

171 --- E O F --- 2009-01-15 09:46:08




HIJACKTHIS---------------



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:21:21, on 08/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVG7\avgemc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE
C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe
C:\Arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\twain_32\Vivid\Vivid.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Master\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Arquivos de programas\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [InstantAccess] C:\ARQUIV~1\TEXTBR~1.0\Bin\INSTAN~1.EXE /h
O4 - HKLM\..\Run: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Arquivos de programas\Arquivos comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Arquivos de programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\ARQUIV~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Arquivos de programas\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Arquivos de programas\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\ARQUIV~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Detector.lnk = C:\WINDOWS\twain_32\Vivid\Vivid.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000



KASPERSKY---------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, February 8, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, February 08, 2009 18:50:58
Records in database: 1769753
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Files scanned: 52470
Threat name: 23
Infected objects: 34
Suspicious objects: 0
Duration of the scan: 01:19:10


File name / Threat name / Threats count

The selected area was scanned.


-----------


PS: By the way, my Java is a bit odd...

On this site, and on Orkut, some buttons are missing and the images don't appear.

Is this because of the viruses?
Thanks again!

Edited by Cokone, 08 February 2009 - 03:41 PM.


#14 Blade81

Blade81

  • Malware Response Team

Posted 09 February 2009 - 03:33 AM

Hi

The logs look ok. Do you have the NoScript add-on installed in Firefox? Could you provide a screenshot so I can possibly get a better idea of the problem, please? :thumbup2:

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#15 Cokone

Cokone
  • Topic Starter

Posted 09 February 2009 - 03:13 PM

Hi

I don't know why, but it's normal again..
ahhahaa

Anyway, thanks a lot man, you've helped me a lot...

Many thanks :D



