
Infected by HackTool.GSQ


This topic is locked
45 replies to this topic

#1 noposer
  • Members
  • 26 posts

Posted 09 May 2009 - 04:25 PM

Hi,

I use the AVG Anti-Virus Free edition 8.5.325 and it has found the following threat: HackTool.GSQ ---> C:\WINDOWS\system32\drivers\sysdrv32.sys
As usual I send it to the quarantine, but every time I reboot my computer a warning message appears saying this virus has been found.
My computer doesn't work as before... the internet hardly works, I have to click several times to reach a website, and sometimes it opens without figures. Besides that, sometimes my computer just doesn't turn off when I ask it to, very weird, I have to use the on/off button.
I've seen some past posts about this virus but I decided not to try the same recipe in order not to delete something inappropriate.

Thanks in advance for the help!



DDS (Ver_09-03-16.01) - FAT32x86
Run by Valued Client at 22:52:10.26 on Sat 09/05/2009
Internet Explorer: 7.0.5346.5 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.91 [GMT 2:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe -k bthsvcs
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\winvnc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\acer\epm\epm-dm.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Program Files\Acer\eRecovery\Monitor.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Valued Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Valued Client\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Valued Client\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uLocal Page = \blank.htm
uStart Page = hxxp://google.atcomet.com/b/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - d:\my shared folder\bitcomet\tools\BitCometBHO_1.2.8.7.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {7eef1e3d-fd97-4401-bcdb-5827f2d11709} - &iG
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\3.1.807.1746\swg.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540000} - c:\program files\gbplugin\gbieh.dll
BHO: G-Buster Browser Defense ABN AMRO: {c41a1c0e-ea6c-11d4-b1b8-444553540007} - GbIehObj Class
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &iG: {7eef1e3d-fd97-4401-bcdb-5827f2d11709} -
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\valued client\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [EPM-DM] c:\acer\epm\epm-dm.exe
mRun: [ePowerManagement] c:\acer\epm\ePM.exe boot
mRun: [LManager] c:\progra~1\launch~1\QtZgAcer.EXE
mRun: [eRecoveryService] c:\program files\acer\erecovery\Monitor.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [WinVNC] "C:\winvnc.exe" -servicehelper
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [QuickTime Task] "d:\my shared folder\quicktime\qttask.exe" -atboottime
mRun: [IME JPN 2007 Migration] c:\progra~1\common~1\micros~1\ime12\imejp\IMJPKLMG.EXE /Preload
mRun: [Korean IME Migration] c:\progra~1\common~1\micros~1\ime12\imekr\IMKRMIG.EXE
mRun: [Microsoft Pinyin IME Migration] c:\progra~1\common~1\micros~1\ime12\imesc\IMSCMIG.EXE /INSTALL
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
IE: &D&ownload &with BitComet - d:\my shared folder\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - d:\my shared folder\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - d:\my shared folder\bitcomet\BitComet.exe/AddAllLink.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://d:\my shared folder\bitcomet\tools\BitCometBHO_1.2.8.7.dll/206
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {FD1672E0-AE0D-465B-B345-F7B0944A121D} - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709}
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149774839031
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} - hxxp://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
DPF: {B6C10489-FB89-11D4-93C9-006008A7EED4} - hxxp://www.netvmi.com/obj/Teechart5.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab
DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} - hxxps://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: IE Component Categories cache daemon: {553858a7-4922-4e7e-b1c1-97140c1c16ef} - c:\windows\system32\ieframe.dll
SEH: GbPlugin ShlObj: {e37cb5f0-51f5-4395-a808-5fa49e399007} - GbPluginObj Class
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399f83} - c:\program files\gbplugin\gbieh.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\valued~1\applic~1\mozilla\firefox\profiles\mgr3z099.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=it
FF - component: c:\documents and settings\valued client\application data\mozilla\firefox\profiles\mgr3z099.default\extensions\{b042753d-f57e-4e8e-a01b-7379a6d4cefb}\components\IBitCometExtension.dll
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\valued client\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\valued client\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: d:\my shared folder\quicktime\plugins\npqtplugin.dll
FF - plugin: d:\my shared folder\quicktime\plugins\npqtplugin2.dll
FF - plugin: d:\my shared folder\quicktime\plugins\npqtplugin3.dll
FF - plugin: d:\my shared folder\quicktime\plugins\npqtplugin4.dll
FF - plugin: d:\my shared folder\quicktime\plugins\npqtplugin5.dll
FF - plugin: d:\my shared folder\quicktime\plugins\npqtplugin6.dll
FF - plugin: d:\my shared folder\quicktime\plugins\npqtplugin7.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-31 325896]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-3-31 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-3-31 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-3-31 298776]
R2 EpmPsd;Acer EPM Power Scheme Driver;c:\windows\system32\drivers\epm-psd.sys [2006-1-28 4096]
R2 EpmShd;Acer EPM System Hardware Driver;c:\windows\system32\drivers\epm-shd.sys [2006-1-28 78208]
R2 GbpSv;Gbp Service;c:\program files\gbplugin\GbpSv.exe [2007-1-8 44872]
R2 osaio;osaio;c:\windows\system32\drivers\osaio.sys [2006-1-28 7296]
R2 osanbm;osanbm;c:\windows\system32\drivers\osanbm.sys [2006-1-28 4010]
S2 dozakiro;Server Network;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S2 frfjqx;Config Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S2 govwbmypa;Config Helper;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S2 lreqtgxwi;Config Server;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S2 ncvmbje;Center Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S2 scjtunz;Monitor Time;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S2 xmaromkln;Boot Helper;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S3 XDva186;XDva186; [x]

=============== Created Last 30 ================

2009-05-09 18:49 28,544 a------- c:\windows\system32\drivers\pavboot.sys
2009-05-09 18:47 <DIR> --d----- c:\program files\Panda Security
2009-05-08 23:07 <DIR> --d----- c:\program files\Western Digital
2009-05-08 19:26 284,160 -------- c:\windows\system32\dllcache\pdh.dll
2009-05-08 19:26 473,600 -------- c:\windows\system32\dllcache\fastprox.dll
2009-05-08 19:26 401,408 -------- c:\windows\system32\dllcache\rpcss.dll
2009-05-08 19:26 227,840 -------- c:\windows\system32\dllcache\wmiprvse.exe
2009-05-08 19:26 110,592 -------- c:\windows\system32\dllcache\services.exe
2009-05-08 19:26 729,088 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-05-08 19:26 453,120 -------- c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-08 19:26 714,752 -------- c:\windows\system32\dllcache\ntdll.dll
2009-05-08 19:26 617,472 -------- c:\windows\system32\dllcache\advapi32.dll
2009-05-08 19:25 1,203,922 -------- c:\windows\system32\dllcache\sysmain.sdb
2009-05-08 19:25 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-05-08 19:25 215,552 -------- c:\windows\system32\dllcache\wordpad.exe
2009-05-06 19:48 6,115,159 ---shr-- c:\windows\system\svhost.exe
2009-04-18 14:26 <DIR> --d-h--- C:\$AVG8.VAULT$

==================== Find3M ====================

2009-05-08 19:46 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-05-08 19:46 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-08 19:46 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-03-21 16:06 989,696 -------- c:\windows\system32\dllcache\kernel32.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 16:22 284,160 a------- c:\windows\system32\PDH.DLL
2009-02-09 14:10 729,088 a------- c:\windows\system32\LSASRV.DLL
2009-02-09 14:10 714,752 a------- c:\windows\system32\ntdll.dll
2009-02-09 14:10 617,472 a------- c:\windows\system32\ADVAPI32.DLL
2009-02-09 14:10 401,408 a------- c:\windows\system32\RPCSS.DLL
2009-02-09 12:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 12:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-03-14 20:50 32 a------- c:\docume~1\alluse~1\applic~1\ezsid.dat
2007-02-22 19:20 92,064 a------- c:\documents and settings\valued client\mqdmmdm.sys
2007-02-22 19:20 79,328 a------- c:\documents and settings\valued client\mqdmserd.sys
2007-02-22 19:20 66,656 a------- c:\documents and settings\valued client\mqdmbus.sys
2007-02-22 19:20 25,600 a------- c:\documents and settings\valued client\usbsermptxp.sys
2007-02-22 19:20 22,768 a------- c:\documents and settings\valued client\usbsermpt.sys
2007-02-22 19:20 9,232 a------- c:\documents and settings\valued client\mqdmmdfl.sys
2007-02-22 19:20 6,208 a------- c:\documents and settings\valued client\mqdmcmnt.sys
2007-02-22 19:20 5,936 a------- c:\documents and settings\valued client\mqdmwhnt.sys
2007-02-22 19:20 4,048 a------- c:\documents and settings\valued client\mqdmcr.sys
2008-10-10 19:01 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008101020081011\index.dat

============= FINISH: 22:53:39.20 ===============

Edited by noposer, 09 May 2009 - 04:44 PM.
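The DDS log in the post above can be triaged mechanically before any removal tool is run. The script below is an added example for this thread; it is not part of the original post and is not code from DDS, MBAM or OTListIt2. It parses two of the sections DDS prints and flags the patterns that stand out in this log: services hosted by "svchost.exe -k netsvcs" whose short names are not known Windows XP netsvcs members (dozakiro, frfjqx, govwbmypa, ...), a registered service whose binary is missing ("[x]"), and a process image sitting directly in a drive root (C:\winvnc.exe). The KNOWN_NETSVCS table is an assumption (an approximate list for XP SP3); on a live system the authoritative list is the Svchost\netsvcs registry value and should be read from there instead.

```python
r"""Triage helper for DDS log sections.

Added example for this thread, not part of the original post nor code from
DDS, MBAM or OTListIt2.  It reads lines in the format DDS prints and flags:

  * SERVICES / DRIVERS: a service hosted by "svchost.exe -k netsvcs" whose
    short name is not a known Windows XP netsvcs member, and a service whose
    binary is missing ("[x]").
  * Running Processes: an executable sitting directly in a drive root
    (e.g. C:\winvnc.exe), which is unusual for legitimately installed software.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: approximate set of service names that legitimately load in the
# netsvcs group on Windows XP SP3.  On a live system, read the authoritative
# list from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs.
KNOWN_NETSVCS = {
    "6to4", "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dhcp",
    "dmserver", "ersvc", "eventsystem", "fastuserswitchingcompatibility",
    "helpsvc", "hidserv", "ias", "iprip", "irmon", "lanmanserver",
    "lanmanworkstation", "messenger", "netman", "nla", "ntmssvc",
    "nwcworkstation", "nwsapagent", "rasauto", "rasman", "remoteaccess",
    "schedule", "seclogon", "sens", "sharedaccess", "shellhwdetection",
    "srservice", "tapisrv", "themes", "trkwks", "w32time", "winmgmt",
    "wmdmpmsp", "wmi", "wscsvc", "wuauserv", "wzcsvc", "xmlprov",
}

# DDS service line: "<R|S><start> <name>;<display name>;<image path> [<date> <size>]"
# A missing binary is printed as "<name>;<display name>; [x]".
SERVICE_LINE_RE = re.compile(
    r"^(?P<type>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# "X:\name.exe" with no directory component below the drive root.
ROOT_BINARY_RE = re.compile(r"^[a-z]:\\[^\\]+\.(?:exe|dll|sys)$", re.IGNORECASE)


@dataclass
class Finding:
    name: str
    reason: str


def parse_service_line(line):
    """Return the fields of one DDS service line, or None if it is not one."""
    m = SERVICE_LINE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["missing"] = fields["meta"].strip() == "x"
    return fields


def triage_services(section_text):
    """Flag suspicious entries in a DDS 'SERVICES / DRIVERS' section."""
    findings = []
    for raw in section_text.splitlines():
        svc = parse_service_line(raw)
        if svc is None:
            continue
        if svc["missing"]:
            findings.append(Finding(svc["name"], "registered service but binary missing ([x])"))
            continue
        hosted_in_netsvcs = "svchost.exe -k netsvcs" in svc["path"].lower()
        if hosted_in_netsvcs and svc["name"].lower() not in KNOWN_NETSVCS:
            findings.append(Finding(
                svc["name"],
                f"unknown netsvcs member, display name {svc['display']!r}"))
    return findings


def triage_process_paths(section_text):
    """Return process image paths that live directly in a drive root."""
    return [p.strip() for p in section_text.splitlines() if ROOT_BINARY_RE.match(p.strip())]


# Lines copied from the DDS log in the post above, with two legitimate
# entries (AVG driver, GbPlugin service) kept for contrast.
SAMPLE_SERVICES = r"""
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-3-31 325896]
R2 GbpSv;Gbp Service;c:\program files\gbplugin\GbpSv.exe [2007-1-8 44872]
S2 dozakiro;Server Network;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S2 frfjqx;Config Microsoft;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S2 govwbmypa;Config Helper;c:\windows\system32\svchost.exe -k netsvcs [2005-8-22 14336]
S3 XDva186;XDva186; [x]
"""

SAMPLE_PROCESSES = r"""
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\GbPlugin\GbpSv.exe
C:\winvnc.exe
C:\WINDOWS\Explorer.EXE
"""

if __name__ == "__main__":
    for f in triage_services(SAMPLE_SERVICES):
        print(f"SERVICE  {f.name:<10} {f.reason}")
    for p in triage_process_paths(SAMPLE_PROCESSES):
        print(f"PROCESS  {p}  (binary in drive root)")
```

Run against the full DDS log, the script reports the seven random-named netsvcs entries, the XDva186 service with no file on disk, and C:\winvnc.exe; the AVG, Acer and GbPlugin entries pass. A flagged entry is a lead for the helper, not proof of infection: the name list is only a heuristic, and a legitimate third-party service can also be hosted by svchost.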



#2 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 10 May 2009 - 12:01 PM

Hello!
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on Download_mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
  • On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.




We need to create an OTListIt2 Report
  • Please download OTListIt2 from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the "Run Scan" button.
  • The scan should take just a few minutes.
  • Copy the log that opens up and paste it back here in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 noposer
  • Topic Starter
  • Members
  • 26 posts

Posted 10 May 2009 - 02:16 PM

Hi Sam!
Thanks for the support!

So, just to let you know, yesterday, after reading the manual for posting here, I didn't download or erase anything from my PC, I just turned the firewall on for almost everything, as asked. Today when I turned on the computer it didn't show the warning, I don't know why, and the internet started to work a little better, I don't know why. But anyway, the computer is still slow.
I didn't turn off my AVG at any time during the steps you asked me to do, I didn't know whether or not to.

Anyway, it seems that mbam found some stuff.

Here goes the logs asked:


Malwarebytes' Anti-Malware 1.36
Database version: 2105
Windows 5.1.2600 Service Pack 3

10/05/2009 8:43:32 PM
mbam-log-2009-05-10 (20-43-32).txt

Scan type: Quick Scan
Objects scanned: 85634
Time elapsed: 11 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Downloaded Program Files\GbPluginABN.inf (Trojan.Agent) -> Quarantined and deleted successfully.


--------------OTLISTIT-------------------------

OTListIt logfile created on: 10/05/2009 8:57:28 PM - Run 1
OTListIt2 by OldTimer - Version 2.0.15.6 Folder = C:\Documents and Settings\Valued Client\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5346.5)
Locale: 00000C09 | Country: Australia | Language: ENA | Date Format: d/MM/yyyy

502.05 Mb Total Physical Memory | 74.99 Mb Available Physical Memory | 14.94% Memory free
1.20 Gb Paging File | 0.76 Gb Available in Paging File | 63.43% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 26.27 Gb Total Space | 0.74 Gb Free Space | 2.81% Space Free | Partition Type: FAT32
Drive D: | 26.66 Gb Total Space | 22.26 Gb Free Space | 83.49% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-71E3CA8185
Current User Name: Valued Client
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Output = Standard
File Age = 30 Days
Company Name Whitelist: On

========== Processes (SafeList) ==========

PRC - [2006/02/28 14:16:08 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
PRC - [2006/02/28 14:18:10 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
PRC - [2007/08/08 14:29:16 | 00,044,872 | ---- | M] () -- C:\Program Files\GbPlugin\GbpSv.exe
PRC - [2008/04/14 02:12:20 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Explorer.EXE
PRC - [2005/06/06 19:08:58 | 01,273,344 | ---- | M] (OSA Technologies Inc.) -- C:\Acer\eManager\anbmServ.exe
PRC - [2009/05/08 19:45:56 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\AVGWDSVC.EXE
PRC - [2009/03/09 05:19:16 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2003/03/19 01:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
PRC - [2006/02/28 14:15:30 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
PRC - [2003/08/16 17:22:34 | 00,311,296 | ---- | M] (RealVNC Ltd.) -- C:\winvnc.exe
PRC - [2009/05/08 19:46:18 | 00,486,168 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgrsx.exe
PRC - [2009/05/08 19:46:04 | 00,594,712 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\AVGNSX.EXE
PRC - [2005/08/11 19:21:00 | 00,200,704 | ---- | M] (Acer Inc) -- C:\acer\epm\epm-dm.exe
PRC - [2005/08/19 01:28:54 | 00,462,848 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\QtZgAcer.EXE
PRC - [2005/08/18 19:38:46 | 00,352,256 | ---- | M] (acer Inc.) -- C:\Program Files\Acer\eRecovery\Monitor.exe
PRC - [2006/02/28 14:25:20 | 00,667,718 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
PRC - [2006/02/28 14:25:48 | 00,602,182 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
PRC - [2006/02/28 14:29:54 | 00,569,413 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
PRC - [2004/10/08 14:44:24 | 00,098,394 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/10/08 14:43:12 | 00,688,218 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
PRC - [2009/02/27 17:10:28 | 00,035,696 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
PRC - [2009/05/08 19:46:08 | 01,947,928 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\avgtray.exe
PRC - [2009/03/09 05:19:18 | 00,148,888 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2007/06/27 21:58:56 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008/11/17 22:43:42 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Documents and Settings\Valued Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
PRC - [2006/02/28 14:22:50 | 00,397,381 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
PRC - [2009/05/01 11:42:06 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/24 17:55:30 | 00,083,440 | ---- | M] (Google) -- C:\Documents and Settings\Valued Client\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe
PRC - [2009/05/10 20:55:46 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Valued Client\Desktop\OTListIt2.exe

========== Win32 Services (SafeList) ==========

SRV - [2005/06/06 19:08:58 | 01,273,344 | ---- | M] (OSA Technologies Inc.) -- C:\Acer\eManager\anbmServ.exe -- (anbmService [Auto | Running])
SRV - [2004/07/15 01:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2009/05/08 19:45:56 | 00,298,776 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG8\AVGWDSVC.EXE -- (avg8wd [Auto | Running])
SRV - [2006/02/28 14:16:08 | 00,114,753 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\EvtEng.exe -- (EvtEng [Auto | Running])
SRV - [2007/08/08 14:29:16 | 00,044,872 | ---- | M] () -- C:\Program Files\GbPlugin\GbpSv.exe -- (GbpSv [Auto | Running])
SRV - [2008/04/14 02:12:02 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2009/03/09 05:19:16 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])
SRV - [2003/03/19 01:55:56 | 00,335,872 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe -- (MDM [Auto | Running])
SRV - [2007/08/24 03:19:12 | 00,443,776 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv [On_Demand | Stopped])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/02/28 14:15:30 | 00,217,164 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe -- (RegSrvc [Auto | Running])
SRV - [2006/02/28 14:18:10 | 00,540,745 | ---- | M] (Intel Corporation ) -- C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe -- (S24EventMonitor [Auto | Running])
SRV - [2007/01/19 12:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\MSN Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])
SRV - [2003/08/16 17:22:34 | 00,311,296 | ---- | M] (RealVNC Ltd.) -- C:\winvnc.exe -- (winvnc [Auto | Running])
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/04/05 18:43:50 | 00,021,275 | ---- | M] (Meetinghouse Data Communications) -- C:\WINDOWS\system32\DRIVERS\AegisP.sys -- (AegisP [Auto | Running])
DRV - [2004/08/04 05:00:00 | 00,005,248 | ---- | M] (Acer Laboratories Inc.) -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde [Boot | Stopped])
DRV - [2008/04/13 20:36:40 | 00,043,008 | ---- | M] (Advanced Micro Devices, Inc.) -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp [Boot | Stopped])
DRV - [2005/01/10 15:47:14 | 00,449,888 | ---- | M] (Atheros Communications, Inc.) -- C:\WINDOWS\system32\DRIVERS\ar5211.sys -- (AR5211 [On_Demand | Stopped])
DRV - [2004/08/04 05:00:00 | 00,026,496 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc [Boot | Stopped])
DRV - [2004/08/04 05:00:00 | 00,014,848 | ---- | M] (Advanced System Products, Inc.) -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550 [Boot | Stopped])
DRV - [2009/05/08 19:46:16 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgldx86.sys -- (AvgLdx86 [System | Running])
DRV - [2009/05/08 19:46:16 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgmfx86.sys -- (AvgMfx86 [System | Running])
DRV - [2009/05/08 19:46:00 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\Drivers\avgtdix.sys -- (AvgTdiX [System | Running])
DRV - [2004/08/04 05:00:00 | 00,006,656 | ---- | M] (CMD Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde [Boot | Stopped])
DRV - [2004/08/04 05:00:00 | 00,179,584 | ---- | M] (Mylex Corporation) -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k [Boot | Stopped])
DRV - [2004/12/08 14:10:00 | 00,016,896 | ---- | M] (Dritek System Inc.) -- C:\WINDOWS\system32\DRIVERS\DKbFltr.sys -- (DKbFltr [On_Demand | Running])
DRV - [2004/07/19 13:10:00 | 00,004,096 | ---- | M] (Acer Value Labs, USA) -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd [Auto | Running])
DRV - [2005/04/07 18:08:46 | 00,078,208 | ---- | M] (Acer Value Labs, USA) -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd [Auto | Running])
DRV - [2005/01/07 17:07:16 | 00,145,920 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\drivers\HdAudio.sys -- (HdAudAddService [On_Demand | Stopped])
DRV - [2008/04/13 18:36:06 | 00,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) -- C:\WINDOWS\system32\DRIVERS\HDAudBus.sys -- (HDAudBus [On_Demand | Running])
DRV - [2005/06/30 15:16:06 | 00,200,704 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys -- (HSFHWAZL [On_Demand | Running])
DRV - [2005/06/30 15:16:58 | 01,034,752 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys -- (HSF_DPV [On_Demand | Running])
DRV - [2005/06/07 20:27:00 | 01,050,140 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\ialmnt5.sys -- (ialm [On_Demand | Running])
DRV - [2005/08/09 16:43:00 | 03,855,360 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService [On_Demand | Running])
DRV - [2005/05/27 20:31:28 | 00,022,016 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\drivers\lvusbsta.sys -- (LVUSBSta [On_Demand | Running])
DRV - [2004/03/17 12:04:14 | 00,013,059 | ---- | M] (Conexant) -- C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys -- (mdmxsdk [Auto | Running])
DRV - [2001/08/17 13:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
DRV - [2007/02/27 14:31:28 | 00,021,504 | ---- | M] (Motorola) -- C:\WINDOWS\system32\DRIVERS\motmodem.sys -- (motmodem [On_Demand | Stopped])
DRV - [2004/08/04 05:00:00 | 00,017,280 | ---- | M] (American Megatrends Inc.) -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x [Boot | Stopped])
DRV - [2007/06/28 11:44:58 | 00,137,216 | ---- | M] (Nokia) -- C:\WINDOWS\system32\drivers\nmwcd.sys -- (nmwcd [On_Demand | Stopped])
DRV - [2005/08/22 15:46:14 | 00,006,144 | ---- | M] (NewTech Infosystems, Inc.) -- C:\WINDOWS\system32\DRIVERS\NTIDrvr.sys -- (NTIDrvr [On_Demand | Running])
DRV - [2005/06/30 16:58:24 | 00,007,296 | ---- | M] (OSA Technologies, An Avocent Company) -- C:\WINDOWS\system32\drivers\osaio.sys -- (osaio [Auto | Running])
DRV - [2005/01/14 15:57:16 | 00,004,010 | ---- | M] (Windows ® 2000 DDK provider) -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm [Auto | Running])
DRV - [2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
DRV - [2005/05/27 20:38:00 | 00,007,136 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\lv302af.sys -- (pepifilter [On_Demand | Running])
DRV - [2005/05/27 20:46:22 | 00,913,280 | R--- | M] (Logitech Inc.) -- C:\WINDOWS\system32\DRIVERS\LV302AV.SYS -- (PID_08A0 [On_Demand | Running])
DRV - [2004/08/04 05:00:00 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2004/08/04 05:00:00 | 00,040,320 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080 [Boot | Stopped])
DRV - [2004/08/04 05:00:00 | 00,045,312 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160 [Boot | Stopped])
DRV - [2004/08/04 05:00:00 | 00,049,024 | ---- | M] (QLogic Corporation) -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280 [Boot | Stopped])
DRV - [2005/03/04 11:10:26 | 00,074,496 | ---- | M] (Realtek Semiconductor Corporation ) -- C:\WINDOWS\system32\DRIVERS\Rtlnicxp.sys -- (RTL8023xp [On_Demand | Running])
DRV - [2006/02/28 15:35:56 | 00,013,568 | ---- | M] (Intel Corporation) -- C:\WINDOWS\system32\DRIVERS\s24trans.sys -- (s24trans [Auto | Running])
DRV - [2007/11/13 08:25:54 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2008/04/13 20:36:40 | 00,040,960 | ---- | M] (Silicon Integrated Systems Corporation) -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp [Boot | Stopped])
DRV - [2001/08/17 13:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
DRV - [2004/08/04 05:00:00 | 00,019,072 | ---- | M] (Adaptec, Inc.) -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow [Boot | Stopped])
DRV - [2004/08/04 05:00:00 | 00,016,256 | ---- | M] (Symbios Logic Inc.) -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810 [Boot | Stopped])
DRV - [2004/08/04 05:00:00 | 00,032,640 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx [Boot | Stopped])
DRV - [2004/08/04 05:00:00 | 00,028,384 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi [Boot | Stopped])
DRV - [2004/08/04 05:00:00 | 00,030,688 | ---- | M] (LSI Logic) -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3 [Boot | Stopped])
DRV - [2004/10/08 14:33:46 | 00,185,824 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\DRIVERS\SynTP.sys -- (SynTP [On_Demand | Running])
DRV - [2004/08/04 05:00:00 | 00,036,736 | ---- | M] (Promise Technology, Inc.) -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra [Boot | Stopped])
DRV - [2008/04/13 20:45:12 | 00,060,032 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Running])
DRV - [2008/04/13 20:45:36 | 00,026,112 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usbser.sys -- (usbser [On_Demand | Stopped])
DRV - [2006/11/24 17:17:42 | 00,022,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\DRIVERS\usbsermpt.sys -- (usbsermpt [On_Demand | Stopped])
DRV - [2005/09/12 09:49:44 | 03,298,432 | ---- | M] (Intel® Corporation) -- C:\WINDOWS\system32\DRIVERS\w29n51.sys -- (w29n51 [On_Demand | Running])
DRV - [2005/06/30 15:16:02 | 00,716,416 | ---- | M] (Conexant Systems, Inc.) -- C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys -- (winachsf [On_Demand | Running])
DRV - [2005/01/13 14:46:16 | 00,069,632 | ---- | M] () -- C:\Program Files\Acer\eRecovery\int15.sys -- (int15.sys [Auto | Running])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie


IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
IE - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://google.atcomet.com/b/
IE - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\S-1-5-21-3049566677-1072768161-974850979-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.google.com/ig?hl=it"
FF - prefs.js..extensions.enabledItems: {3f963a5b-e555-4543-90e2-c3908898db71}:8.0
FF - prefs.js..extensions.enabledItems: {1d5287d1-8a92-0001-1f31-1cec198018d8}:2.0.20080710
FF - prefs.js..extensions.enabledItems: {B042753D-F57E-4e8e-A01B-7379A6D4CEFB}:1.04
FF - prefs.js..extensions.enabledItems: it-IT@dictionaries.addons.mozilla.org:3.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}:6.0.12
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: en-US@dictionaries.addons.mozilla.org:3.0.3
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10

FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\PROGRAM FILES\AVG\AVG8\FIREFOX [2009/03/31 23:12:48 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1d5287d1-8a92-0001-1f31-1cec198018d8}: C:\PROGRAM FILES\AVG\AVG8\TOOLBARFF [2009/03/31 23:12:50 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF [2009/03/06 15:06:20 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Components: C:\PROGRAM FILES\MOZILLA FIREFOX\COMPONENTS [2007/11/17 17:50:56 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.10\extensions\\Plugins: C:\PROGRAM FILES\MOZILLA FIREFOX\PLUGINS [2007/11/17 17:50:56 | 00,000,000 | ---D | M]

[2008/09/17 23:50:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Valued Client\Application Data\mozilla\Extensions
[2008/09/17 23:50:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Valued Client\Application Data\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2007/11/17 17:51:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Valued Client\Application Data\mozilla\Firefox\Profiles\mgr3z099.default\extensions
[2008/10/12 13:28:12 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Valued Client\Application Data\mozilla\Firefox\Profiles\mgr3z099.default\extensions\{B042753D-F57E-4e8e-A01B-7379A6D4CEFB}
[2008/12/11 16:54:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Valued Client\Application Data\mozilla\Firefox\Profiles\mgr3z099.default\extensions\en-US@dictionaries.addons.mozilla.org
[2009/02/10 22:58:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\Valued Client\Application Data\mozilla\Firefox\Profiles\mgr3z099.default\extensions\it-IT@dictionaries.addons.mozilla.org
[2007/11/17 17:50:56 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions
[2007/11/17 17:50:58 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2009/03/06 15:06:38 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
[2009/04/01 18:39:28 | 00,000,000 | ---D | M] -- C:\Program Files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/05/01 11:42:06 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browserdirprovider.dll
[2009/05/01 11:42:06 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\brwsrcmp.dll
[2008/09/17 23:49:48 | 00,001,525 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2008/09/17 23:49:48 | 00,001,706 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\google.xml
[2008/09/17 23:49:48 | 00,001,529 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\priberam.xml
[2008/09/17 23:49:48 | 00,002,071 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\sapo.xml
[2008/09/17 23:49:48 | 00,000,942 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\wikipedia-ptpt.xml
[2008/09/17 23:49:48 | 00,000,648 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-br.xml

O1 HOSTS File: (714 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O2 - BHO: (BitComet Helper) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - D:\My Shared Folder\BitComet\tools\BitCometBHO_1.2.8.7.dll (BitComet)
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
O2 - BHO: (&iG) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - Reg Error: Value error. File not found
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll (Google Inc.)
O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Program Files\GbPlugin\gbieh.dll (Banco do Brasil)
O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - Reg Error: Value error. File not found
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (&Google) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (&iG) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - Reg Error: Value error. File not found
O3 - HKLM\..\Toolbar: (AVG Security Toolbar) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O3 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
O3 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (Google Inc.)
O3 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\..\Toolbar\WebBrowser: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - Reg Error: Value error. File not found
O3 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\Program Files\AVG\AVG8\avgtoolbar.dll (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent (Microsoft Corporation)
O4 - HKLM..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" (Intel Corporation)
O4 - HKLM..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe (Acer Inc)
O4 - HKLM..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot (Acer Value Labs, Taiwan)
O4 - HKLM..\Run: [eRecoveryService] C:\Program Files\Acer\eRecovery\Monitor.exe (acer Inc.)
O4 - HKLM..\Run: [IME JPN 2007 Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEJP\IMJPKLMG.EXE /Preload (Microsoft Corporation)
O4 - HKLM..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless (Intel Corporation)
O4 - HKLM..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" (Intel Corporation)
O4 - HKLM..\Run: [Korean IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMEKR\IMKRMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE (Dritek System Inc.)
O4 - HKLM..\Run: [Microsoft Pinyin IME Migration] C:\PROGRA~1\COMMON~1\MICROS~1\IME12\IMESC\IMSCMIG.EXE /INSTALL (Microsoft Corporation)
O4 - HKLM..\Run: [QuickTime Task] "D:\My Shared Folder\Quicktime\qttask.exe" -atboottime (Apple Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" (Sun Microsystems, Inc.)
O4 - HKLM..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [WinVNC] "C:\winvnc.exe" -servicehelper (RealVNC Ltd.)
O4 - HKU\.DEFAULT..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe File not found
O4 - HKU\S-1-5-18..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe File not found
O4 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005..\Run: [Google Update] "C:\Documents and Settings\Valued Client\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c (Google Inc.)
O4 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: &D&ownload &with BitComet - res://D:\My Shared Folder\BitComet\BitComet.exe/AddLink.htm (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all video with BitComet - res://D:\My Shared Folder\BitComet\BitComet.exe/AddVideo.htm (www.BitComet.com)
O8 - Extra context menu item: &D&ownload all with BitComet - res://D:\My Shared Folder\BitComet\BitComet.exe/AddAllLink.htm (www.BitComet.com)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 (Microsoft Corporation)
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 File not found
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - D:\My Shared Folder\BitComet\tools\BitCometBHO_1.2.8.7.dll (BitComet)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra Button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - Reg Error: Value error. File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [Bluetooth Namespace] - C:\WINDOWS\system32\wshbth.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab (Minesweeper Flags Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://update.microsoft.com/microsoftupdat...b?1149774839031 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab (MessengerStatsClient Class)
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} http://messenger.msn.com/download/MsnMesse...pDownloader.cab (MsnMessengerSetupDownloadControl Class)
O16 - DPF: {B6C10489-FB89-11D4-93C9-006008A7EED4} http://www.netvmi.com/obj/Teechart5.cab (TeeChart Pro Activex control v5)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab (ZoneIntro Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} https://www14.bancobrasil.com.br/plugin/GbpDist.cab (GbpDistObj Class)
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab (GbPluginObj Class)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (Minesweeper Flags Class)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Filter: - text/xml - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\SYSTEM32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\SYSTEM32\igfxdev.dll (Intel Corporation)
O24 - Desktop Components:0 (My Current Home Page) - About:Home
O28 - HKLM ShellExecuteHooks: {E37CB5F0-51F5-4395-A808-5FA49E399007} - Reg Error: Value error. File not found
O28 - HKLM ShellExecuteHooks: {E37CB5F0-51F5-4395-A808-5FA49E399F83} - C:\Program Files\GbPlugin\gbieh.dll (Banco do Brasil)
O29 - HKLM SecurityProviders - (zwebauth.dll) - C:\WINDOWS\SYSTEM32\zwebauth.dll ()
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/08/22 15:46:46 | 00,000,050 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O33 - MountPoints2\{0fa25ab0-e3e0-11dc-8db1-001500015ce0}\Shell\AutoRun\command - "" = .\Encryption Tool\MaxtorEncryption.exe
O33 - MountPoints2\{9f5e82dc-096a-11dd-8e0d-001500015ce0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f5e82dc-096a-11dd-8e0d-001500015ce0}\Shell\Open(&0)\command - "" = Recycled\ctfmon.exe
O33 - MountPoints2\{9f5e82dd-096a-11dd-8e0d-001500015ce0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9f5e82dd-096a-11dd-8e0d-001500015ce0}\Shell\Open(&0)\command - "" = Recycled\ctfmon.exe
O33 - MountPoints2\{ba1c011c-2387-11dd-8e5a-001500015ce0}\Shell - "" = AutoRun
O33 - MountPoints2\{ba1c011c-2387-11dd-8e5a-001500015ce0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f728659e-7cb8-11dc-8cf2-001500015ce0}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{f728659e-7cb8-11dc-8cf2-001500015ce0}\Shell\default\command - "" = wlan.exe
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/05/10 20:55:55 | 00,501,248 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Valued Client\Desktop\OTListIt2.exe
[2009/05/10 20:28:02 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Valued Client\Application Data\Malwarebytes
[2009/05/10 20:27:54 | 00,000,604 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/10 20:27:52 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/05/10 20:27:49 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/05/10 20:27:48 | 00,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2009/05/10 20:27:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2009/05/10 20:26:35 | 02,967,800 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Valued Client\Desktop\mbam-setup.exe
[2009/05/09 22:49:53 | 00,360,021 | ---- | C] () -- C:\Documents and Settings\Valued Client\Desktop\dds.scr
[2009/05/09 18:49:11 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2009/05/09 18:47:22 | 00,000,000 | ---D | C] -- C:\Program Files\Panda Security
[2009/05/09 18:40:35 | 00,000,500 | ---- | C] () -- C:\Documents and Settings\Valued Client\Desktop\HijackThis.lnk
[2009/05/09 18:12:32 | 00,000,466 | ---- | C] () -- C:\Documents and Settings\Valued Client\Desktop\NoAdware5.lnk
[2009/05/08 23:07:58 | 00,000,000 | ---D | C] -- C:\Program Files\Western Digital
[2009/05/08 23:07:44 | 00,000,000 | ---D | C] -- C:\Documents and Settings\Valued Client\My Documents\WDC
[2009/05/08 19:26:09 | 00,284,160 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\pdh.dll
[2009/05/08 19:26:08 | 00,473,600 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\fastprox.dll
[2009/05/08 19:26:08 | 00,401,408 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\rpcss.dll
[2009/05/08 19:26:08 | 00,227,840 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvse.exe
[2009/05/08 19:26:08 | 00,110,592 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\services.exe
[2009/05/08 19:26:07 | 00,729,088 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\lsasrv.dll
[2009/05/08 19:26:07 | 00,453,120 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wmiprvsd.dll
[2009/05/08 19:26:06 | 00,714,752 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\ntdll.dll
[2009/05/08 19:26:06 | 00,617,472 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\advapi32.dll
[2009/05/08 19:25:48 | 01,203,922 | ---- | C] () -- C:\WINDOWS\System32\dllcache\sysmain.sdb
[2009/05/08 19:25:48 | 00,002,560 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\xpsp4res.dll
[2009/05/08 19:25:46 | 00,215,552 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\wordpad.exe
[2009/05/04 19:22:24 | 00,090,294 | ---- | C] () -- C:\Documents and Settings\Valued Client\Desktop\Gmail - R Report sulla set...pdf
[2009/04/18 14:26:05 | 00,000,000 | -H-D | C] -- C:\$AVG8.VAULT$
[2009/04/14 15:01:05 | 00,013,898 | ---- | C] () -- C:\Documents and Settings\Valued Client\Desktop\IELTS - scadenze 08 09.pdf
[2008/11/20 18:15:03 | 00,000,028 | ---- | C] () -- C:\WINDOWS\pdf995.ini
[2008/11/20 18:11:45 | 00,051,716 | ---- | C] () -- C:\WINDOWS\System32\pdf995mon.dll
[2008/11/20 18:11:45 | 00,000,059 | ---- | C] () -- C:\WINDOWS\wpd99.drv
[2008/10/13 14:21:43 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/10/13 13:49:50 | 00,000,022 | ---- | C] () -- C:\WINDOWS\Wininit.ini
[2008/09/17 23:55:33 | 00,000,032 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2007/01/02 23:08:11 | 00,000,073 | ---- | C] () -- C:\WINDOWS\webica.ini
[2006/06/07 01:22:54 | 00,000,067 | ---- | C] () -- C:\WINDOWS\DVDIdle.INI
[2006/04/13 19:34:57 | 00,016,973 | ---- | C] () -- C:\WINDOWS\System32\ZWebAuth.dll
[2006/04/10 17:17:27 | 00,000,028 | ---- | C] () -- C:\WINDOWS\MotionDVSTUDIO.INI
[2006/04/10 17:14:35 | 00,000,028 | ---- | C] () -- C:\WINDOWS\Hmplayer.INI
[2006/02/14 21:01:12 | 00,000,975 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2006/02/14 17:28:31 | 00,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/02/07 09:14:09 | 00,009,255 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2006/02/07 00:39:24 | 00,000,112 | ---- | C] () -- C:\WINDOWS\ActiveSkin.INI
[2006/01/28 03:24:02 | 00,000,000 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2006/01/28 03:19:37 | 00,000,000 | ---- | C] () -- C:\WINDOWS\NT.INI
[2005/08/22 16:45:50 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/08/22 16:21:02 | 00,000,033 | ---- | C] () -- C:\WINDOWS\Acer.ini
[2005/08/22 16:21:01 | 00,000,328 | ---- | C] () -- C:\WINDOWS\uninstall.ini
[2005/08/22 15:47:09 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/08/22 15:46:16 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/08/22 15:46:16 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/08/22 15:46:16 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/08/22 15:46:16 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/08/22 15:34:10 | 00,000,750 | ---- | C] () -- C:\WINDOWS\PowerOption.ini
[2005/08/22 15:33:41 | 00,037,776 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2005/08/22 15:25:38 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2005/08/22 15:14:24 | 00,000,603 | ---- | C] () -- C:\WINDOWS\win.ini
[2005/08/22 15:14:21 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2002/05/15 21:38:40 | 00,091,136 | ---- | C] () -- C:\WINDOWS\System32\mp4fil32.dll
[2002/05/14 18:26:28 | 00,158,208 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2002/05/04 11:19:00 | 00,049,152 | ---- | C] () -- C:\WINDOWS\System32\avisynthEx.dll
[2001/12/26 16:12:30 | 00,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 00,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 00,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
[2000/01/01 01:01:01 | 00,000,003 | -H-- | C] () -- C:\WINDOWS\System32\retsamebuc.ini
[1999/01/27 13:39:06 | 00,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 21:56:08 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll
[1980/01/01 00:00:00 | 00,002,772 | ---- | C] () -- C:\WINDOWS\ANTIV.INI
[1980/01/01 00:00:00 | 00,000,082 | ---- | C] () -- C:\WINDOWS\ALaunch.ini

========== Files - Modified Within 30 Days ==========

[2009/05/10 20:55:46 | 00,501,248 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Valued Client\Desktop\OTListIt2.exe
[2009/05/10 20:53:14 | 00,001,158 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/05/10 20:52:56 | 00,000,000 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2009/05/10 20:52:00 | 00,000,062 | -HS- | M] () -- C:\Documents and Settings\Valued Client\Local Settings\desktop.ini
[2009/05/10 20:52:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/05/10 20:51:48 | 52,650,3936 | -HS- | M] () -- C:\hiberfil.sys
[2009/05/10 20:51:48 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/05/10 20:50:18 | 00,000,012 | ---- | M] () -- C:\WINDOWS\bthservsdp.dat
[2009/05/10 20:27:56 | 00,000,604 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2009/05/10 20:26:26 | 02,967,800 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Valued Client\Desktop\mbam-setup.exe
[2009/05/10 12:45:44 | 00,000,958 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3049566677-1072768161-974850979-1005.job
[2009/05/09 22:49:44 | 00,360,021 | ---- | M] () -- C:\Documents and Settings\Valued Client\Desktop\dds.scr
[2009/05/09 18:40:38 | 00,000,500 | ---- | M] () -- C:\Documents and Settings\Valued Client\Desktop\HijackThis.lnk
[2009/05/09 18:12:34 | 00,000,466 | ---- | M] () -- C:\Documents and Settings\Valued Client\Desktop\NoAdware5.lnk
[2009/05/09 14:15:56 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/05/08 20:05:38 | 00,422,494 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2009/05/08 20:05:38 | 00,071,618 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2009/05/08 20:05:36 | 00,501,076 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009/05/08 19:58:32 | 00,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2009/05/08 19:46:18 | 00,011,952 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\avgrsstx.dll
[2009/05/08 19:46:16 | 00,325,896 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgldx86.sys
[2009/05/08 19:46:16 | 00,027,784 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgmfx86.sys
[2009/05/08 19:46:00 | 00,108,552 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/05/07 21:49:36 | 00,009,777 | ---- | M] () -- C:\Documents and Settings\Valued Client\Desktop\Barcelona.xlsx
[2009/05/04 19:22:36 | 00,000,059 | ---- | M] () -- C:\WINDOWS\wpd99.drv
[2009/05/04 19:22:32 | 00,090,294 | ---- | M] () -- C:\Documents and Settings\Valued Client\Desktop\Gmail - R Report sulla set...pdf
[2009/04/14 15:00:54 | 00,013,898 | ---- | M] () -- C:\Documents and Settings\Valued Client\Desktop\IELTS - scadenze 08 09.pdf
< End of report >

#4 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:26 PM

Posted 10 May 2009 - 06:41 PM

First step, please uninstall this older, insecure version of Java.

J2SE Runtime Environment 5.0 Update 4



Are you aware of this program running on your computer?

O4 - HKLM..\Run: [WinVNC] "C:\winvnc.exe" -servicehelper (RealVNC Ltd.)

winvnc.exe is a remote desktop control tool which allows you to control someone's computer remotely, or vice versa.





Run OTListIt2.exe
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTLI
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - Reg Error: Key error. File not found
    O2 - BHO: (&iG) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - Reg Error: Value error. File not found
    O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Program Files\GbPlugin\gbieh.dll (Banco do Brasil)
    O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - Reg Error: Value error. File not found
    O3 - HKLM\..\Toolbar: (&iG) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - Reg Error: Value error. File not found
    O3 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key error. File not found
    O3 - HKU\S-1-5-21-3049566677-1072768161-974850979-1005\..\Toolbar\WebBrowser: (no name) - {7EEF1E3D-FD97-4401-BCDB-5827F2D11709} - Reg Error: Value error. File not found
    O9 - Extra Button: Barra do iG - {FD1672E0-AE0D-465B-B345-F7B0944A121D} - Reg Error: Value error. File not found
    O28 - HKLM ShellExecuteHooks: {E37CB5F0-51F5-4395-A808-5FA49E399007} - Reg Error: Value error. File not found
    O28 - HKLM ShellExecuteHooks: {E37CB5F0-51F5-4395-A808-5FA49E399F83} - C:\Program Files\GbPlugin\gbieh.dll (Banco do Brasil)
    O33 - MountPoints2\{9f5e82dc-096a-11dd-8e0d-001500015ce0}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{9f5e82dc-096a-11dd-8e0d-001500015ce0}\Shell\Open(&0)\command - "" = Recycled\ctfmon.exe
    O33 - MountPoints2\{9f5e82dd-096a-11dd-8e0d-001500015ce0}\Shell\AutoRun - "" = Auto&Play
    O33 - MountPoints2\{9f5e82dd-096a-11dd-8e0d-001500015ce0}\Shell\Open(&0)\command - "" = Recycled\ctfmon.exe
    
    :Files
    C:\Program Files\GbPlugin
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot when it is done
  • Then post a new OTL2 log

==============


Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 noposer

noposer
  • Topic Starter

  • Members
  • 26 posts
  • Local time:04:26 AM

Posted 11 May 2009 - 12:53 PM

Hi Sam!

So, I succeeded in deleting the "J2SE Runtime Environment 5.0 Update 4".

I'm completely unaware of this program "O4 - HKLM..\Run: [WinVNC] "C:\winvnc.exe" -servicehelper (RealVNC Ltd.)".
Could it have something to do with the software for synchronization and cryptography of my Western Digital External HD?


Following are the logs from OTL2 and GMER, respectively:

==========================================

Files moved on Reboot...
C:\Program Files\GbPlugin\gbieh.dll unregistered successfully.
File move failed. C:\Program Files\GbPlugin\gbieh.dll scheduled to be moved on reboot.
Folder move failed. C:\Program Files\GbPlugin scheduled to be moved on reboot.

Registry entries deleted on Reboot...

===========================================

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-05-11 19:48:32
Windows 5.1.2600 Service Pack 3


---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\SYSTEM32\winlogon.exe[692] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 10059920 C:\Program Files\GbPlugin\gbieh.dll (Gbieh Module/Banco do Brasil)
.text C:\WINDOWS\SYSTEM32\winlogon.exe[692] kernel32.dll!FreeLibraryAndExitThread 7C80C210 5 Bytes JMP 100597C0 C:\Program Files\GbPlugin\gbieh.dll (Gbieh Module/Banco do Brasil)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] dozakiro <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] frfjqx <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] govwbmypa <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] lreqtgxwi <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ncvmbje <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] scjtunz <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] xmaromkln <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\000b6b5fa5f2
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@DisplayName Server Network
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@Description Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx@DisplayName Config Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx@Description Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\frfjqx\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa@DisplayName Config Helper
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa@Description Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\govwbmypa\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi@DisplayName Config Server
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi@Description Service for G-Buster Browser Defense
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\lreqtgxwi\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@DisplayName Center Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@Description Loads files to memory for later printing.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz@DisplayName Monitor Time
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz@Description Intel® PROSet/Wireless Registry Service
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\scjtunz\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln@DisplayName Boot Helper
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\xmaromkln\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\000b6b5fa5f2
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro@DisplayName Server Network
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro@Description Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\dozakiro\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx@DisplayName Config Microsoft
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx@Description Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\frfjqx\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa@DisplayName Config Helper
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa@Description Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\govwbmypa\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi@DisplayName Config Server
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi@Description Service for G-Buster Browser Defense
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\lreqtgxwi\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje@DisplayName Center Microsoft
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje@Description Loads files to memory for later printing.
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\ncvmbje\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz@DisplayName Monitor Time
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz@Description Intel® PROSet/Wireless Registry Service
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\scjtunz\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln@DisplayName Boot Helper
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln@Description Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln\Parameters
Reg HKLM\SYSTEM\ControlSet002\Services\xmaromkln\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll

---- EOF - GMER 1.0.15 ----
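The GMER output above shows the pattern a responder looks for in an svchost-hosted service infection: seven randomly named services, all hidden from the service manager, all loaded by svchost.exe in the netsvcs group, all pointing at the same ServiceDll, each carrying a Description copied from a real Windows service (Windows Time, Help and Support, Print Spooler, Secondary Logon). As an added example (not GMER's code and not anything posted in this thread), the Python below parses GMER "Service" and "Reg" lines in that format and reports those indicators. The sample log is a constructed excerpt of the thread's lines plus one constructed, legitimately named W32Time entry used as a control; the description table is partial and limited to the descriptions seen in this log.

```python
"""Triage of GMER 'Services'/'Registry' lines for svchost-hosted services.

Added example, not GMER's code and not posted in this thread. It parses lines in
the format shown above and reports what makes the listed services stand out.
"""
import re
from collections import defaultdict

# "Service <image> (*** hidden *** ) [AUTO] <name> <-- ROOTKIT !!!"
SERVICE_LINE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\*\s*hidden\s*\*\*\*\s*\)\s+"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)"
)
# "Reg <key>@<value> <data>"  or  "Reg <key>"  (a key alone carries no value)
REG_LINE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\w+)(?:\s+(?P<data>.*))?)?\s*$")
# Split "...\Services\<name>[\Parameters...]" into the control-set root and the service name
SERVICE_KEY = re.compile(r"^(?P<root>.*\\Services)\\(?P<name>[^\\]+)(?:\\.*)?$")

# Descriptions the log shows copied from legitimate XP services, mapped to the
# service they really belong to. Partial table, confined to what this thread's log contains.
KNOWN_DESCRIPTIONS = {
    "Maintains date and time synchronization": "W32Time",
    "Enables Help and Support Center to run": "helpsvc",
    "Loads files to memory for later printing": "Spooler",
    "Enables starting processes under alternate credentials": "seclogon",
}


def parse_gmer(text):
    """Return ({control_set_root: {service: {value: data}}}, set of hidden service names)."""
    services = defaultdict(lambda: defaultdict(dict))
    hidden = set()
    for line in text.splitlines():
        line = line.strip()
        m = SERVICE_LINE.match(line)
        if m:
            hidden.add(m.group("name"))
            continue
        m = REG_LINE.match(line)
        if not m or m.group("value") is None:
            continue
        k = SERVICE_KEY.match(m.group("key"))
        if not k:
            continue
        # Values from the Parameters subkey (ServiceDll) are stored flat beside the service's own.
        services[k.group("root")][k.group("name")][m.group("value")] = (m.group("data") or "").strip()
    return services, hidden


def triage(services, hidden):
    """Return [(root, service, [indicator, ...])] for svchost-hosted services with any indicator."""
    findings = []
    for root, svc_map in services.items():
        # Which services in this control set point at the same ServiceDll.
        dll_users = defaultdict(set)
        for name, vals in svc_map.items():
            if vals.get("ServiceDll"):
                dll_users[vals["ServiceDll"].lower()].add(name)
        for name, vals in sorted(svc_map.items()):
            if "svchost.exe" not in vals.get("ImagePath", "").lower():
                continue
            indicators = []
            if name in hidden:
                indicators.append("hidden from the service manager")
            dll = vals.get("ServiceDll", "")
            others = dll_users.get(dll.lower(), set()) - {name}
            if others:
                indicators.append("ServiceDll %s shared with %s" % (dll, ", ".join(sorted(others))))
            desc = vals.get("Description", "")
            for prefix, owner in KNOWN_DESCRIPTIONS.items():
                if desc.startswith(prefix) and name.lower() != owner.lower():
                    indicators.append("Description belongs to %s, not %s" % (owner, name))
            if indicators:
                findings.append((root, name, indicators))
    return findings


# Constructed excerpt: two of the thread's hidden services, plus a constructed,
# legitimately named W32Time entry (GMER would not normally list it) as a control.
SAMPLE_LOG = r"""
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] dozakiro <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] ncvmbje <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@DisplayName Server Network
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro@Description Maintains date and time synchronization on all clients and servers in the network.
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\dozakiro\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@DisplayName Center Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje@Description Loads files to memory for later printing.
Reg HKLM\SYSTEM\CurrentControlSet\Services\ncvmbje\Parameters@ServiceDll C:\WINDOWS\system32\ciktviu.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time@Description Maintains date and time synchronization on all clients and servers in the network.
Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters@ServiceDll %SystemRoot%\system32\w32time.dll
"""

if __name__ == "__main__":
    svc, hid = parse_gmer(SAMPLE_LOG)
    for root, name, indicators in triage(svc, hid):
        print("%s\\%s" % (root, name))
        for indicator in indicators:
            print("    - " + indicator)
```

Run against the full log above, the same three indicators fire for all seven names, while the W32Time control entry, whose Description matches its own name and whose DLL is shared with nothing, is not reported.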

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:26 PM

Posted 11 May 2009 - 01:01 PM

If you are unaware of it and it has the capability to remotely control your computer, that's a very bad thing. We need to remove it.

Let's run Combofix.



Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


========================================================

#7 noposer

noposer
  • Topic Starter

  • Members
  • 26 posts
  • Local time:04:26 AM

Posted 11 May 2009 - 01:23 PM

Sam,

AVG didn't have any "Disable" button, so I just clicked "close".
After that I ran ComboFix, but it warned me that AVG was still active.

I tried to delete but I couldn't. It says that it was not possible to uninstall it.

What should I do??

I still have the warning message.

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:26 PM

Posted 11 May 2009 - 01:25 PM

It should still run with AVG. That's a common issue. Proceed with combofix.


========================================================

#9 noposer

noposer
  • Topic Starter

  • Members
  • 26 posts
  • Local time:04:26 AM

Posted 11 May 2009 - 01:49 PM

I cannot find the Log.

There is no C:\ComboFix.txt

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:26 PM

Posted 11 May 2009 - 01:55 PM

The log should have opened up automatically. Did your computer reboot itself?

You may need to run it again.


========================================================

#11 noposer

noposer
  • Topic Starter

  • Members
  • 26 posts
  • Local time:04:26 AM

Posted 11 May 2009 - 01:59 PM

Yes, it rebooted itself.

It showed a window from Windows saying that the computer had suffered some big system reconfiguration and asked to send this to Microsoft. I did it. I suppose I wasn't supposed to?

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:26 PM

Posted 11 May 2009 - 02:10 PM

No, whether you send that info to Microsoft or not is insignificant. It sounds as if Combofix was not able to create a log.
Can you please rerun it?


========================================================

#13 noposer

noposer
  • Topic Starter

  • Members
  • 26 posts
  • Local time:04:26 AM

Posted 11 May 2009 - 02:14 PM

yes

#14 noposer

noposer
  • Topic Starter

  • Members
  • 26 posts
  • Local time:04:26 AM

Posted 11 May 2009 - 02:32 PM

Sam,

Nothing appeared again! The same message from Windows popped up saying that a log was created, but after closing it no log message appears!

Weird?

What should I do?

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:09:26 PM

Posted 11 May 2009 - 02:35 PM

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back here in your next reply.



========================================================



