Multiple infections (post x2): fake av + trojans + keyloggers + rootkit


20 replies to this topic

#1 DeLuk

Posted 02 June 2010 - 09:46 AM

Greetings to the forum.

Once more I'm found in need of your expert help.

Early April, my brother brought me his girlfriend's laptop for a "routine check". (Let's say they're not much into these routines and he sometimes brings the laptop over for a "checkup"...) He asked me the usual: checking anything needing updating, defragging, running the antivirus etc. Put like that, I was quite convinced it was indeed just a usual routine check. (He's brought me the laptop because of infections various times before, and since he mentioned nothing specifically about anything being wrong or any infection, I guessed that wasn't the case this time around.) Yet, on turning the laptop on, I was to find out it wasn't.

I first tried to update the onboard antivirus (currently they had ESET Smart Security 3.0) to start with a scan with it. It returned the message that no update was necessary as the signature database was already up-to-date. As I noticed the database date, though, it was actually as old as 01-10-2009!? I made a few more tries to update the antivirus, but every time it would not update and just report that the signature database was up-to-date!? How odd was that? Later, though, I was to notice that some of the ESET program files were actually in its own quarantine (all reported as probably a variant of Win32/Patched.NAE virus), namely the following:

C:\Program Files\ESET\ESET Smart Security\eguiEmon.dll
(Quarantined on 01-10-2009.)

C:\Program Files\ESET\ESET Smart Security\eguiEpfw.dll
C:\Program Files\ESET\ESET Smart Security\updater.dll

(Both quarantined on 05-10-2009.)

C:\Program Files\ESET\ESET Smart Security\ekrnEmon.dll
C:\Program Files\ESET\ESET Smart Security\ekrnEpfw.dll

(Both quarantined on 19-02-2010.)

I supposed by then that those missing DLLs might be the reason why the antivirus program would not update?...

Later I ran a scan with it anyhow, and (or I should rather say but) it reported nothing found.

All in all, that didn't sound like much of a good sign for starters. As I went to check Task Manager, I noticed this oddly named process, beebei.exe, which was also permanently taking up memory. Smelled like nasties were definitely onboard. Checked WinPatrol, and the file C:\Documents and Settings\Sonia\beebei.exe was set to run on startup. Further checking WinPatrol's history log, startup alerts for this file had been reported from 13-03-2010 up until 18-03-2010.

So I went to check the user profile folder, C:\Documents and Settings\Sonia\. The file beebei.exe wasn't showing, as it certainly was a hidden one, thus I set hidden and system files to show. Only they didn't! The setting would "reset" back automatically and hidden and system files would not stay visible. There were, though, actually a few more odd files showing in there, namely:

C:\Documents and Settings\Sonia\kWab.dll
C:\Documents and Settings\Sonia\systemupdate.dll
C:\Documents and Settings\Sonia\mtsil.exe
C:\Documents and Settings\Sonia\homolog32.exe


All of these had been created on 18-02-2010.

Thus I made a search for files created/modified on that day, and these further 4 suspicious ones came up in the list:

C:\Documents and Settings\Sonia\Application Data\put.dat
(Opened with Notepad, this file had the user passwords to their POP3 e-mail accounts.)

C:\Documents and Settings\Sonia\Application Data\brasil.dat
(Opened with Notepad, this file had an e-mail address, which looked as possibly randomly collected from the user e-mail browsing or address book.)

C:\Documents and Settings\Sonia\Application Data\lts1.dat
(This was a 0 bytes file.)

C:\Documents and Settings\Sonia\Local Settings\Temp\V1twihdS.scr.part

Then there was also one item in ESET's quarantine, which had also been picked on that same day:

QUOTE
18-02-2010 11:21:33 Real-time file system protection file C:\Documents and Settings\Sonia\mptms.exe a variant of Win32/PSW.VB.NCL trojan cleaned by deleting (after the next restart) - quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Documents and Settings\Sonia\homolog32.exe.


And then again, there were two further references to the file mptms.exe in ESET's quarantine, picked on 19-02-2010, namely:

QUOTE
C:\Documents and Settings\Sonia\strike32.zip » ZIP » mptms.exe - a variant of Win32/PSW.VB.NCL trojan - was a part of the deleted object
C:\Documents and Settings\Sonia\Local Settings\Temporary Internet Files\Content.IE5\O429WCP2\sistema[1].zip » ZIP » mptms.exe - a variant of Win32/PSW.VB.NCL trojan - was a part of the deleted object


Both zip files, sistema[1].zip and strike32.zip, contained, along with the file mptms.exe, the files kWab.dll + systemupdate.dll + mtsil.exe, as found in C:\Documents and Settings\Sonia\.

Further checking in the Temporary Internet Files folder, I could see that the file sistema.zip pointed to the URL hxxp://www.31337corp.org/system/sistema.zip.

Notice that, coincidentally (?), 19-02-2010 was also when both ESET program files, C:\Program Files\ESET\ESET Smart Security\ekrnEmon.dll and C:\Program Files\ESET\ESET Smart Security\ekrnEpfw.dll, were quarantined.

One further note to add too: WinPatrol's log history had a startup alert for C:\Documents and Settings\Sonia\systemupdate.dll, reported on 18-02-2010.

Yet back again to C:\Documents and Settings\Sonia\, there were also 6 suspicious looking shortcut files in there, all created on 17-03-2010:

C:\Documents and Settings\Sonia\Documents.lnk
C:\Documents and Settings\Sonia\Music.lnk
C:\Documents and Settings\Sonia\New Folder.lnk
C:\Documents and Settings\Sonia\Passwords.lnk
C:\Documents and Settings\Sonia\Pictures.lnk
C:\Documents and Settings\Sonia\Video.lnk


Further, as I browsed to that folder with WinRAR, in order to archive each of the malware samples, I could then see the hidden file beebei.exe, and I could now see as well that there were 2 more hidden malware files in there:

C:\Documents and Settings\Sonia\beebei.scr
C:\Documents and Settings\Sonia\autorun.inf


The file beebei.scr was a copy of the file beebei.exe/had the same MD5 checksum, and was created on the same date, 13-03-2010. The file autorun.inf, which was created on 17-03-2010 (same date as those shortcuts mentioned above), pointed to beebei.exe and had the following contents:

CODE
actIon=Abrir pasta para exibir arquivos
ShElLEXecuTE=beEbeI.eXe
ICON=%sYstEMRoOt%\syStEM32\shEll32.dlL,4
USEaUtOPlaY=1


Note 1: "Abrir pasta para exibir arquivos" means "Open folder to show files" in Portuguese. Note 2: I've excluded the [autorun] line so that it won't eventually trigger security alerts for anyone browsing this page.

OK, from here, and after having run a scan with the outdated onboard ESET antivirus, as mentioned previously, I ran additional "preview" scans, to somehow see what I could try to fix with which tools. (By "preview" scans I mean running each scanner first to check what it finds, prior to running it again to clean the threats found.) First I ran both Malwarebytes Anti-Malware and SUPERAntiSpyware.

MBAM detected the following items:

C:\Documents and Settings\Sonia\homolog32.exe --- (Trojan.Banker)
C:\Documents and Settings\Sonia\Application Data\brasil.dat --- (Malware.Trace)
C:\Documents and Settings\Sonia\Application Data\lst1.dat --- (Malware.Trace)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue --- (Hijack.System.Hidden) -> Bad: (0) Good: (1)


SAS detected the following one:

C:\Documents and Settings\Sonia\mtsil.exe --- (Trojan.Agent/Gen-FakeAlert[OShot])

I also ran a scan with ESET Online Scanner (installer version, not IE), yet the scan with it did not complete. On reaching 100% completion (and by then reporting 10 infected files found), Windows popped up a message saying that the program had encountered a problem and needed to be closed. I did make a couple of new tries (even with the IE version also), but same result. So I could not get the report from this scanner, as it never got saved (nor could I count on this scanner for the cleaning).

Ran a scan also with Dr.Web CureIt! and it detected the following items:

C:\Documents and Settings\Sonia\beebei.exe --- (Win32.HLLW.Autoruner.8325)
C:\Documents and Settings\Sonia\beebei.scr --- (Win32.HLLW.Autoruner.8325)


Dr.Web CureIt! also detected the following additional items:

C:\Documents and Settings\Sonia\Local Settings\Temp\is-NV5KQ.tmp\desktopxpadd.exe/data002\{tmp}\AdVantageSetup.exe --- (Adware.SaveNow.214)
C:\Program Files\Circle Developemet\Uninstall.exe --- (Trojan.Swizzor.based)

C:\Program Files\eGames\RahJongg\TSUninstaller.exe --- (Adware.TimeSink)
C:\Program Files\eGames\RahJongg\RahJongg\TSUninstaller.exe --- (Adware.TimeSink)

(Both files are the same/have the same MD5 checksum.)

Plus 3 mp3 files (all located in the same user personal folder and all 3 detected as Trojan.WMALoader) and also a handful of items in System Restore.

Ran a scan with F-Secure Online Scanner also and it detected the following additional items:

C:\Documents and Settings\Sonia\Local Settings\Temp\offer2.exe --- (Suspicious:W32/Malware!Gemini (vírus))
C:\Program Files\Atlantis\dlvbphk.exe --- (Backdoor.Generic.140430 (vírus))


F-Secure reported a handful of items in System Restore as well.

Finally ran a scan with Kaspersky Online Scanner 7.0 and it additionally reported the following items (pointed out as suspicious previously):

C:\Documents and Settings\Sonia\systemupdate.dll --- (Trojan.Win32.Delf.smc)
C:\Documents and Settings\Sonia\Local Settings\Temp\V1twihdS.scr.part --- (Trojan.Win32.Vilsel.ouq)


Additionally, for reference, I believe it's worth mentioning as well the rest of the files found in ESET's quarantine (as some may even be relevant to gather the whole of the mess going on). I'm listing them in ascending order, by date and time of quarantine:

C:\WINDOWS\~GLH00ae.TMP --- (Win32/Adware.TimeSink application)
(Quarantined on 05-08-2009.)

C:\Program Files\Big City Adventure - San Francisco\Big City Adventure - San Francisco.exe --- (probably a variant of Win32/Agent trojan)
(Quarantined on 17-08-2009.)

F:\Autorun.inf --- (Win32/Tifaut.C worm)
(Quarantined on 25-08-2009.)

This Autorun.inf file had the following contents:

CODE
;rPVviwlavPzbtYgTICnMoUpcMVpmHYee
;xZlYDImQzpzcgfdBXZQD
;ArriXlBeCxGMWWxEVxKAFGRyVBDqvDHPJFGFxPvCcuvQfAMqmAgVpWsotuyKsotFjbDi
;tVnVgnxzbXLTzVNJtRNLmxr
;ULRnhCOQqMSzxCCrinyTbhzrkEAzDwTfzOpuctMyzjXNQJWlvaVWnNCu
open=ymsaow.exe
Icon=%system%\shell32.dll,7
;45F27A231FCBBAE1D869005A0840BEAF8E880EECB727D2C7BFC81571
;khlfXgUPObHwIoEaXmlcENet
;peybuWxTPiRiIggdOnEcrqJCpewkqeUqPRQSjoTMbOhqWQk
UseAutoPlay=1
;Ch
;thuEvBYvZRYByvUZUnPGVlAPQoOyOQVUVrkmjznjMeFGHcsCfQeVhYLcBhASCphHgcdMMXyrWJq
;LTKjTIystssKVEXrKlRWmkqWdVHyKLRaELXHLAKPUKbGlkyQNvjzMyDJhLbzmEObC
;rvLdbLWledceBarIAUxhcXBpSkfzNDrZlBprMoUbTUuzmeebrHt
action=Open Drive
;oCjfifwmTTOOtRSzhNihRMvwacrmziWfqtvGiXhXGLEVVg
;TgGjczRqZaYRSZRvHSlMfKzdoXahDbZzAKWCZeRpeEClnpzHIikSZipmGjFCVscIQhtGnHKKlaS
action= @ymsaow.exe
;VTklcgBlsehbfgskCxTHNSZRCElTkgNbHNBJirnZfudkqhFOrZeUqdiTyfYdPTYaGkZxLjTFUhb
shell\open\Command=ymsaow.exe
;NoaiNlqafi
;mPMybuouRyCDrpPTDiOjSglRdXp
;gQAXvJIVPWQQxWFrTRIu
;MUOWIxtQbtPxYhBGhcAKAbmKlwyzvPsaRPZziKlsTCZfgPBlmsEWNIyHnskKuWCRG
shell\open\Default=1
shell\explore\Command=ymsaow.exe
;XSFrhxOvYH


Assuming that all those lines starting with ; are all dummy fillers (?), the contents would come down to:

CODE
open=ymsaow.exe
Icon=%system%\shell32.dll,7
UseAutoPlay=1
action=Open Drive
action= @ymsaow.exe
shell\open\Command=ymsaow.exe
shell\open\Default=1
shell\explore\Command=ymsaow.exe

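Added triage helper for autorun.inf bodies like the three quoted in this post (not a tool the poster used): it drops the ';' filler lines, normalises the case-mangled keys, and reports which program the shell would launch versus which text is only the AutoPlay label. The sample bodies are taken from the post itself; the ymsaow one is abridged to four of its filler lines.

```python
"""Triage an autorun.inf body: strip ';' comment lines, normalise key case,
and summarise what the shell would launch and what label the user would see."""
from typing import Dict, List

# Values of these keys name a program that runs on AutoPlay, double-click,
# or the right-click "Open" / "Explore" verbs. Keys are compared lower-cased
# because autorun.inf is case-insensitive (the beebei sample uses 'ShElLEXecuTE').
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def parse_autorun(text: str) -> Dict[str, List[str]]:
    """Return {lower-cased key: [values...]} for the [autorun] section.

    ';' lines are INI comments (the padding in the ymsaow sample) and are
    dropped; a missing [autorun] header is tolerated, since the poster
    removed it; duplicate keys (two 'action=' lines) are kept in order.
    """
    entries: Dict[str, List[str]] = {}
    in_autorun = True  # a header-less body is treated as the [autorun] section
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries.setdefault(key.strip().lower(), []).append(value.strip())
    return entries


def triage(text: str) -> dict:
    """Summarise the behaviour an autorun.inf body would cause."""
    entries = parse_autorun(text)
    # distinct executables the shell would start, lower-cased like Windows compares them
    programs = sorted({v.lower() for k in EXEC_KEYS for v in entries.get(k, [])})
    return {
        "programs": programs,
        # 'action' is only the text shown in the AutoPlay dialog (the social-
        # engineering label); a leading '@' means "load the label from a resource"
        "action": entries.get("action", []),
        "autoplay": entries.get("useautoplay", ["0"])[-1] == "1",
        "comment_lines": sum(1 for l in text.splitlines() if l.lstrip().startswith(";")),
    }


# beebei autorun.inf as quoted in the post (case-mangled keys, header omitted)
BEEBEI = r"""actIon=Abrir pasta para exibir arquivos
ShElLEXecuTE=beEbeI.eXe
ICON=%sYstEMRoOt%\syStEM32\shEll32.dlL,4
USEaUtOPlaY=1
"""

# F:\Autorun.inf from the post, abridged: four of its twenty ';' filler lines kept
YMSAOW = r""";rPVviwlavPzbtYgTICnMoUpcMVpmHYee
open=ymsaow.exe
Icon=%system%\shell32.dll,7
;xZlYDImQzpzcgfdBXZQD
UseAutoPlay=1
action=Open Drive
;TgGjczRqZaYRSZRvHSlMfKzdoXahDbZzAKWCZeRpeEClnpzHIikSZipmGjFCVscIQhtGnHKKlaS
action= @ymsaow.exe
shell\open\Command=ymsaow.exe
shell\open\Default=1
shell\explore\Command=ymsaow.exe
;XSFrhxOvYH
"""

# the three identical OnLineGames autorun.inf files from the post
ONLINEGAMES = r"""open=9jyhdim8.exe
shell\open\Command=9jyhdim8.exe
"""

if __name__ == "__main__":
    for name, body in (("beebei", BEEBEI), ("ymsaow", YMSAOW), ("9jyhdim8", ONLINEGAMES)):
        print(name, triage(body))
```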

G:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx --- (Win32/Conficker.AB worm)
(Quarantined on 02-09-2009.)

G:\Cátia\Konguito\Recycled\ctfmon.exe --- (Win32/VB.AQT trojan)
(Quarantined on 24-09-2009.)

C:\autorun.inf --- (Win32/PSW.OnLineGames.NNU trojan)
(Quarantined on 01-10-2009.)

C:\Documents and Settings\Sonia\Local Settings\Temp\herss.exe --- (Win32/PSW.OnLineGames.NNU trojan)
(Quarantined on 01-10-2009.)

D:\autorun.inf --- (Win32/PSW.OnLineGames.NNU trojan)
(Quarantined on 01-10-2009.)

F:\autorun.inf --- (Win32/PSW.OnLineGames.NNU trojan)
(Quarantined on 01-10-2009.)

These 3 autorun.inf files were all the same and had the following contents:

CODE
open=9jyhdim8.exe
shell\open\Command=9jyhdim8.exe


C:\Documents and Settings\Sonia\Local Settings\Temp\cvasds0.dll --- (Win32/PSW.OnLineGames.ODJ trojan)
(Quarantined on 01-10-2009.)

Notice that 01-10-2009 is the same date when the file C:\Program Files\ESET\ESET Smart Security\eguiEmon.dll was also quarantined (by time order, it was the last file to be quarantined on that day, about 2 minutes after C:\Documents and Settings\Sonia\Local Settings\Temp\cvasds0.dll had been quarantined) and also the same date of the onboard ESET antivirus signature database!

C:\Documents and Settings\Sonia\Local Settings\Temp\bisC6.exe --- (a variant of Win32/TrojanDownloader.Swizzor.NCH trojan)
(Quarantined on 12-12-2009.)

C:\Program Files\Zylom Games\UNO® - Undercover™\unoundercover.dll --- (a variant of Win32/Kryptik.YI trojan)
(Quarantined on 19-01-2010.)

C:\WINDOWS\Temp\NOD7F5.tmp --- (Win32/PSW.OnLineGames.ODJ trojan)
(Quarantined on 19-02-2010. The file is a copy of/has the same MD5 checksum as the file C:\Documents and Settings\Sonia\Local Settings\Temp\cvasds0.dll which had been quarantined on 01-10-2009.)

C:\WINDOWS\Temp\NOD845.tmp --- (probably a variant of Win32/Patched.NAE virus)
(Quarantined on 19-02-2010. The file is a copy of/has the same MD5 checksum as the file C:\Program Files\ESET\ESET Smart Security\eguiEmon.dll which had been quarantined on 01-10-2009.)

Notice that 19-02-2010 is the same date when the files C:\Program Files\ESET\ESET Smart Security\ekrnEmon.dll and C:\Program Files\ESET\ESET Smart Security\ekrnEpfw.dll were also quarantined.

Note: F:\ and G:\ refer to removable drives.

OK, next, and before moving on to try to clean the threats onboard, I submitted all detected files to VirusTotal + ThreatExpert + Norman Sandbox, to get the analysis for reference. One thing to mention is that VirusTotal reported "empty file/0 bytes file" (!) for the file C:\Documents and Settings\Sonia\autorun.inf, which was the autorun file pointing to beebei.exe.

And so, from here, I started the cleaning attempt.

Booted to Safe Mode and started with cleaning all temp files (which included at once part of the malware files) with both CCleaner and ATF-Cleaner.

Rebooted and ran MBAM + SAS + Dr.Web (each scanner was run in Safe Mode as well, rebooting in between each scan), removing/fixing all files/items detected by each (as listed above). (The only exceptions were the files C:\Program Files\eGames\RahJongg\TSUninstaller.exe and C:\Program Files\eGames\RahJongg\RahJongg\TSUninstaller.exe, which I chose not to remove at this point, since they were part of a game installation and I wanted to check with the laptop owner first.) One further note: when removing the files detected by Dr.Web, which included the file C:\Documents and Settings\Sonia\beebei.exe that was set to run on startup, I also fixed the corresponding startup entry with HijackThis (since no scanner had by then actually picked up this malware trace in the registry):

O4 - HKCU\..\Run: [beebei] C:\Documents and Settings\Sonia\beebei.exe

Lastly, ran F-Secure Online Scanner, to remove the additional files detected by it.

Then, as for the remaining malware and infection related files which weren't picked up by any of the mentioned scanners, namely:

C:\Documents and Settings\Sonia\autorun.inf
C:\Documents and Settings\Sonia\kWab.dll
C:\Documents and Settings\Sonia\systemupdate.dll
C:\Documents and Settings\Sonia\Music.lnk
C:\Documents and Settings\Sonia\Passwords.lnk
C:\Documents and Settings\Sonia\Documents.lnk
C:\Documents and Settings\Sonia\New Folder.lnk
C:\Documents and Settings\Sonia\Pictures.lnk
C:\Documents and Settings\Sonia\Video.lnk
C:\Documents and Settings\Sonia\Application Data\put.dat


All these I have deleted on reboot with KillBox. All deletions reported successful.

Subsequent scans with each scanner used reported nothing found.

I should also mention that, before returning the laptop (since there was a certain urgency in the owner getting it back), I at once updated at least some of the most "critical" programs, namely Java + Adobe Reader and web players. The rest (including the onboard antivirus, which, although outdated and unable to update, I didn't do anything about at this point, as I wanted to check with the owner first too) I would be checking later, when there would be a new chance for my brother to bring the laptop back again, as there were still a handful of USB sticks and mp3 players to check as well, which they had brought along too when I mentioned USB devices being (at least part of) the possible cause of infection.

And so, at this point (06-04-2010), the laptop was returned to its owner.

----------------------------------------------------------------------------------------------------

Then, a few days later (11-04-2010), my brother brought it back again. Again, I was quite convinced it was now just for checking the remaining USB devices, plus updating the rest of the programs etc. My brother didn't mention anything otherwise either. Yet, once again, I was wrong! The scenery looked even worse than last time, I realized as I turned the laptop on.

Past the welcome screen, before the desktop would load (only the wallpaper was showing, no icons nor task bar), a window came up which had all the looks of rogue security software: the title bar read "Control center". I called up Task Manager: the Applications tab listed "Control center" and among all processes running there was ccmain.exe, which I gathered should be for "Control center". I did not want to close that "Control center" window by clicking the [X] button, as I didn't know what twisted effect that might eventually cause (didn't know whether it might, instead of closing the program, fire up some other unwanted/malicious process/action or something), and thus I chose to rather terminate the application in Task Manager. The termination of the application hung (i.e. Windows popped up a message saying that the program was not responding and asking whether I wanted to cancel and return to Windows or terminate the program at once) and "Control center" popped up a message saying: "Error | Your computer is in danger. Do you want to continue without any changes? Yes / No". I chose to terminate the program at once in Task Manager. The window for "Control center" closed and ccmain.exe was gone from the processes list. However, the desktop did not complete loading after this and I was left with only the wallpaper showing, and no icons nor task bar. So I launched explorer.exe via Task Manager.

Desktop completed loading. On the systray there was now an icon which wasn't there those few days before when I had had the laptop in hand, and which was the same as the one in that initial "Control center" window title bar (a green circle with a white checkmark). The name displayed for that systray icon was "Control Components", and right-clicking it displayed no options menu.

Meanwhile, WinPatrol popped up a startup alert for "ccagent.exe" > C:\Documents and Settings\Sonia\Application Data\Control Components\ccagent.exe. On denying that, Windows popped up a message saying that WinPatrol had encountered a problem and needed to be closed, and WinPatrol got terminated, while ccagent.exe remained running, as I checked the processes listed in Task Manager.

I should mention by now, though, that on any follow-up boot WinPatrol never again warned about C:\Documents and Settings\Sonia\Application Data\Control Components\ccagent.exe being set for startup (and, double-checking via msconfig, the entry was not there), and never again did the systray icon for "Control Components" appear nor ccagent.exe show as running in Task Manager.

Further about this "Control center"/"Control Components" nasty, checking in Add/Remove Programs, an entry was listed for "Control Components". Also, in the Recycle Bin, there was a shortcut also named "Control Components", which had been deleted from the Desktop. And there in the Recycle Bin there was yet one further suspicious file, win_protection_update.exe, which in turn had been deleted from the My Documents folder.

Then again, as I had gone to Control Panel to check in Add/Remove Programs, I also checked the Security Center, which was when I noticed that it wasn't working properly. Under "Essential security elements", no security elements at all were displayed, and there was the following message: "The Security Center isn't currently available because the Security Center service wasn't started or has been interrupted. Close this window, reboot the computer (or start the Security Center service) and, next, open the Security Center again.". Also, in the "Resources" menu in the left pane, the option "Modify the way the Security Center warns me" was not available/was greyed out. Under "Manage security settings for:", both links to Internet Options and Automatic Updates were working ok, yet the one to the Windows Firewall wasn't. The following message was displayed if clicking it: "Due to an unidentified problem, Windows cannot show the Windows Firewall settings.". If trying to open the Windows Firewall directly from the respective Control Panel icon, the result was the same and the same message was displayed.

Thinking about it now, I believe that this issue (the whole of it, or at least part) might already have existed when I had the laptop in hand the first time ("beebei" infection), as in fact, then already, there was no warning from the Security Center about the onboard antivirus being outdated, as there should have been if the Security Center was working properly... This is something I failed to notice and check that first time, I assume, thus I cannot confirm whether things were (all) like that already before... Yet, as I say, thinking about it now, and considering the fact that there was no warning about the outdated onboard antivirus, things might indeed have been like that already before, concerning the Security Center... (Further, I later asked the laptop owner and she told me that there had never been any warning about ESET being out-of-date, so perhaps the whole Security Center mess dates already from that same time when ESET got compromised with those DLLs being quarantined by itself, back in October last year, who knows?...)

But so, back to the "Control center"/"Control Components" issue, as I went to check that "Control Components" folder, C:\Documents and Settings\Sonia\Application Data\Control Components\, I noticed that the user profile folder, C:\Documents and Settings\Sonia\, "wasn't there"! It was not visible. Which made me assume that, somewhere along the infection, its attributes had been modified and it had been made hidden. (I checked the attributes in the command prompt and the user profile folder was set as hidden and system. I made no attempt to modify that at this point.) And so once again I set hidden and system files to show. But again, as last time, they didn't. Again, the setting would "reset" back automatically and hidden and system files would not stay visible. So I typed the location in the address bar in Windows Explorer and entered the user profile folder "manually". Insisting on setting hidden and system files to show again, I could see that, strangely (?), though, the setting wouldn't "reset" immediately, and hidden and system files would show for a few moments. (Namely, if I wouldn't move back/forth from the folder I was in when changing that setting. If moving back/forth from the folder I was in when changing that setting, then it would reset immediately. If not moving back/forth, though, hidden and system files would actually stay visible for some moments.) And there were yet new suspicious looking files in the user profile folder (all hidden ones):

C:\Documents and Settings\Sonia\mwrioy.exe
C:\Documents and Settings\Sonia\mwrioy.scr
C:\Documents and Settings\Sonia\nlxis.exe


The file mwrioy.exe was among the processes running listed in Task Manager, and further checking WinPatrol's history log, startup alerts for "mwrioy" > C:\Documents and Settings\Sonia\mwrioy.exe had been reported from 07-04-2010 to 09-04-2010. The file mwrioy.scr was a copy of the file mwrioy.exe/had the same MD5 checksum.

WinPatrol's history log also showed a startup alert for "YVIBBBHA8C" > C:\Documents and Settings\Sonia\Local Settings\Temp\Nwo.exe, reported on 10-04-2010, which was listed after all those startup alerts for mwrioy.exe and right before the one for ccagent.exe as referred to above. The file Nwo.exe was also among the processes listed as running in Task Manager, and this one was actually showing there already when I first called up Task Manager to close that initial "Control center" window, before the desktop loaded.

One more thing to add: I noticed that the file iexplore.exe was also among the processes listed as running in Task Manager, and this too was showing there already when I first called up Task Manager before the desktop loaded. Note that I had not launched Internet Explorer, nor was there any visible window for Internet Explorer. Note also that, in Task Manager, Processes tab, User Name column, it showed "SYSTEM" for this instance of iexplore.exe. No connection to the internet was available at this point, though.

I then connected our cable modem to the laptop. (Since I'd anyway have to update the malware scanners etc.) As I couldn't manage to get to any traffic log from the ESET firewall or to monitor/control which program/process would be allowed access to the internet (actually I couldn't even find any firewall settings in the application user interface, which makes me even doubt whether the firewall was even functional at that point, or whether the ESET Smart Security suite onboard was actually so compromised by then that the firewall function didn't even really exist any more...) and even the Windows Firewall was not working properly, as just mentioned, I used the netstat command in the command prompt to check the active connections. And indeed several were being listed for iexplore.exe. It was continuously connecting via TCP from various ports (range 1xxx, i.e. 1058, 1059, 1100, 1102, 1353, etc.) to hosted-by.leaseweb.com:2900. At some point in between it also connected to snsprod-frr03.evip.aol.com:https.

Just a note to add, though, regarding the firewall(s) issue(s). I did run GRC's ShieldsUp! firewall test and the result was "TruStealth". (So I assume that somehow the inbound protection was being assured.) Then again I also ran GRC's LeakTest, yet the firewall(s) failed this one and was (were) penetrated. (Meaning the outbound protection was not being assured.)

OK, from here again I ran new "preview" scans, with MBAM + SAS + Dr.Web CureIt! + F-Secure Online Scanner + Kaspersky Online Scanner 7.0.

MBAM detected the following items:

C:\Documents and Settings\Sonia\nlxis.exe --- (Trojan.Agent)

Rogue.ControlComponents:
C:\Documents and Settings\Sonia\Application Data\Control Components
C:\Documents and Settings\Sonia\Application Data\Control Components\ccmain.exe
C:\Documents and Settings\Sonia\Application Data\Control Components\ccagent.exe
C:\Documents and Settings\Sonia\Application Data\Control Components\uninstall.exe
C:\Documents and Settings\Sonia\Application Data\Control Components\settings.ini
C:\Documents and Settings\Sonia\Application Data\Control Components\faq
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\guide.html
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\images
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\images\05.png
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\images\06.png
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\images\07.png
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\images\08.png
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\images\09.png
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\images\10.png
C:\Documents and Settings\Sonia\Application Data\Control Components\faq\images\Thumbs.db

C:\Documents and Settings\Sonia\Local Settings\Temp\Nwo.exe --- (Trojan.FraudPack)
C:\Documents and Settings\Sonia\Local Settings\Temp\Nwj.exe --- (Trojan.FraudPack)
C:\Documents and Settings\Sonia\Local Settings\Temp\Nwk.exe --- (Trojan.Downloader)
C:\Documents and Settings\Sonia\Local Settings\Temp\Nwm.exe --- (Trojan.FraudPack)
C:\Documents and Settings\Sonia\Local Settings\Temp\Nwn.exe --- (Trojan.FraudPack)
C:\Documents and Settings\Sonia\Local Settings\Temp\sshnas21.dll --- (Trojan.Downloader)

C:\Documents and Settings\All Users\Documents\Settings\cbss.dll --- (Trojan.Agent)

C:\WINDOWS\Nposua.exe --- (Trojan.Downloader)
C:\WINDOWS\Nposub.exe --- (Trojan.FraudPack)

C:\WINDOWS\system32\sshnas21.dll --- (Trojan.Downloader)

C:\WINDOWS\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job --- (Trojan.Downloader)
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job --- (Trojan.Downloader)

C:\Recycled\Dc2.exe --- (Rogue.Installer)

(This was C:\Documents and Settings\Sonia\My Documents\win_protection_update.exe in the Recycle Bin.)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\control components --- (Rogue.Installer)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbssreg --- (Trojan.Agent)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sshnas --- (Trojan.Downloader)

HKEY_CURRENT_USER\Software\WEK9EMDHI9 --- (Trojan.Agent)
HKEY_CURRENT_USER\SOFTWARE\XML --- (Trojan.FakeAlert)
HKEY_CURRENT_USER\Software\YVIBBBHA8C --- (Trojan.Agent)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle --- (Malware.Trace)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yvibbbha8c --- (Trojan.FraudPack)


SAS additionally detected the following items:

C:\WINDOWS\Temp\sxqs.tmp\SVCHOST.EXE --- (Trojan.SVCHost/Fake)

Trojan.Agent/Gen-SSHNAS:
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SSHNAS\0000\Control#ActiveService


MBAM and SAS additionally reported also a couple of items in System Restore and in Prefetch.

Dr.Web CureIt! additionally detected the following items:

C:\Documents and Settings\Sonia\mwrioy.exe --- (Win32.HLLW.Autoruner.8325)
C:\Documents and Settings\Sonia\mwrioy.scr --- (Win32.HLLW.Autoruner.8325)


All items detected by both F-Secure and Kaspersky online scanners were only repeats of those detected by the first 3 scanners. There was no additional detection by either of these 2 online scanners.

A few notes to add at this point:

These malware files had all been created between 07-04-2010 (23:58) and 08-04-2010. Thus again I made a search for files created/modified on those days, and these further 3 suspicious ones came up in the list:

C:\Documents and Settings\Sonia\Local Settings\Temp\Nwl.exe
(This was a 0 bytes file.)

C:\WINDOWS\system32\drwtelog.dll
C:\WINDOWS\system32\svchost.bat


The file svchost.bat had the following contents:

CODE
:1
Erase "C:\WINDOWS\system32\svchost.exe"
If exist "C:\WINDOWS\system32\svchost.exe" Goto 1
Erase "C:\WINDOWS\system32\svchost.bat"


Regarding the files C:\WINDOWS\Nposua.exe and C:\WINDOWS\Nposub.exe, these were respectively copies of/had the same MD5 checksum as the files C:\Documents and Settings\Sonia\Local Settings\Temp\Nwk.exe and C:\Documents and Settings\Sonia\Local Settings\Temp\Nwn.exe. Also, on some (?) boots, checking in Task Manager, the file Nposub.exe was among the processes listed as running. There was no startup entry for it, though, double checking in msconfig.

Regarding both files sshnas21.dll, C:\WINDOWS\system32\sshnas21.dll was not the same as/did not match the MD5 checksum of C:\Documents and Settings\Sonia\Local Settings\Temp\sshnas21.dll.

Regarding the file C:\Documents and Settings\All Users\Documents\Settings\cbss.dll, when trying to archive that malware sample, WinRAR would always report the error that the file was in use and thus could not be archived. Also, when submitting it to VirusTotal, it would report it back as "empty file/0 bytes file" (which it wasn't).

Further, checking MBAM quarantine, there were several items in there which had been quarantined on 08-04-2010 (00:11) by the laptop owner then, namely (in ascending order by date/time):

HKEY_CURRENT_USER\Software\WEK9EMDHI9
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle
C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SSHNAS
C:\WINDOWS\system32\sshnas21.dll
C:\WINDOWS\Temp\55.tmp
I:\hbaaAM.exe


Notice that, with the exception of I:\hbaaAM.exe (detected as Trojan.Fraudpack and being that I:\ refers to a removable drive) and C:\WINDOWS\Temp\55.tmp (detected as Rootkit.TDSS), all further items (both files and registry traces) were detected in the scan I ran afterwards as mentioned above (meaning that those had meanwhile been re-created?).

Also notice that, although the option to set hidden and system files to show/hide was now again compromised, this time MBAM did not report the corresponding registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue

By now I'm not sure either whether I verified that in regedit, as I have made no note of it, thus I cannot confirm what value was in there then...

Then again, a couple more notes to mention:

After that first time I turned on the laptop and WinPatrol popped up the startup alert for "ccagent.exe" > C:\Documents and Settings\Sonia\Application Data\Control Components\ccagent.exe, on every new boot WinPatrol would pop up a startup alert for either "mwrioy" > C:\Documents and Settings\Sonia\mwrioy.exe or "YVIBBBHA8C" > C:\Documents and Settings\Sonia\Local Settings\Temp\Nwo.exe, alternately. Again, when choosing no to the respective alert each time, Windows would always pop up a message saying that WinPatrol had encountered a problem and needed to be closed, and WinPatrol would get terminated, while the respective process, mwrioy.exe or Nwo.exe, would always remain running, as checked in Task Manager, and the respective startup entries for both files would also remain, as double-checked in msconfig. (In fact, both processes, mwrioy.exe and Nwo.exe, were permanently running. And taking up quite some memory all the time, too.)

Also, after a couple of boots, and realizing that certainly the laptop owner and/or my brother had already done it that way in the meantime (as I don't think they would have known otherwise), I chose to close that "Control center" window which always appeared before the desktop would load by clicking the [X] button, instead of terminating the application in Task Manager as I had done each time before. As when choosing to terminate the application in Task Manager (where the termination would hang), closing it by clicking the [X] button would as well cause "Control center" to pop up the same message saying: "Error | Your computer is in danger. Do you want to continue without any changes? Yes / No". And choosing yes to that pop-up message would, like before, close the "Control center" window, and ccmain.exe would be gone from the processes list. However, unlike before when terminating the application in Task Manager, doing it this other way, i.e. by clicking the window [X] button, the desktop would then finish loading normally.

OK, following this, and before moving on to try to clean the new threats onboard, again I submitted all detected/suspicious files to VirusTotal + ThreatExpert + Norman Sandbox, to get the analysis for reference.

Later, though, as I prepared to start the cleaning attempt and update the malware scanners, the infection(s) "developed", if I can put it that way.

No idea if at all a coincidence or not, but, fact is, at that moment I had no chance to connect to the internet via our cable modem, so I had to alternatively connect via the mobile internet modem which my brother had left along with the laptop in case it might be needed. It's a little Huawei USB modem. And which has this particular "feature" which actually annoys the heck out of me: it automatically launches Internet Explorer as it completes connection to the internet. (I mean, if at the very least it launched the default browser! But no, it launches Internet Explorer, regardless of whichever is the browser set as default! Argh! I even once contacted the ISP, to ask if that "feature" could be disabled, or at least changed, so that the default browser would be launched instead, but, they only said that that is a "feature" which comes "from factory" and is set by the manufacturer of the modem, so it can't be altered. Or then they didn't know more, and sent me away with that answer, who can guess...) But so, as I was saying, fact is that, coincidence (?) or not, things "developed" by then (12-04-2010 21:40):

As the modem completed connection to the internet, and possibly (?) as it attempted to launch Internet Explorer, the following error message popped up: "iexplore.exe - Application error | The instruction on "0x10006faf" made reference to memory on "0x10006faf". Memory could not be "written". Click 'OK' to end the program. Click 'Cancel' to debug the program.". (The original message was in Portuguese, and I'm translating freely, thus I apologise if this does not fully correspond to what the message would technically say if in English...) I clicked 'OK' to that and then continued with updating the malware scanners etc. Disconnected from the internet when finished.

Signs that "something had gone on" and that the infection(s) had "developed" came up then.

WinPatrol popped up a startup alert for "RegistryMonitor1" > C:\WINDOWS\system32\qtplugin.exe, which I denied. (Note that, for this startup alert, denying it caused no error nor WinPatrol to get terminated, as it had happened before, with the alerts for ccagent.exe + mwrioy.exe + Nwo.exe.)

Checking the userprofile folder, C:\Documents and Settings\Sonia\, there were now the same 6 odd shortcut files as there had been the first time I had the laptop in my hands ("beebei" infection):

C:\Documents and Settings\Sonia\Documents.lnk
C:\Documents and Settings\Sonia\Music.lnk
C:\Documents and Settings\Sonia\New Folder.lnk
C:\Documents and Settings\Sonia\Passwords.lnk
C:\Documents and Settings\Sonia\Pictures.lnk
C:\Documents and Settings\Sonia\Video.lnk


Further, doing a new search, for files created/modified on this day, along with the obvious C:\WINDOWS\system32\qtplugin.exe, a few more suspicious ones came up in the list:

C:\WINDOWS\Temp\2B.tmp
C:\WINDOWS\Temp\2E.tmp
C:\WINDOWS\Temp\30.exe
C:\WINDOWS\Temp\32.exe
C:\WINDOWS\system32\bnis.mxo


All these 6 files were created at around the same time, 22:01/22:02.

The files C:\WINDOWS\system32\bnis.mxo and C:\WINDOWS\system32\qtplugin.exe were respectively copies of/had the same MD5 checksum as the files C:\WINDOWS\Temp\2B.tmp and C:\WINDOWS\Temp\2E.tmp.

Regarding the files C:\WINDOWS\Temp\30.exe and C:\WINDOWS\Temp\32.exe, checking each one's properties, these were supposedly and respectively Mail PassView and IE PassView, by NirSoft. (Thus I don't know how much these are really to be taken as malware files by themselves (?) or eventually "just" tools found useful by the malware creator to reach his intents?)

So I made new quick "preview" scans.

MBAM now reported the additional items:

C:\WINDOWS\Temp\2B.tmp --- (Backdoor.Bot)
C:\WINDOWS\Temp\2E.tmp --- (Rootkit.Agent)
C:\WINDOWS\Temp\32.exe --- (Trojan.Downloader)
C:\WINDOWS\system32\bnis.mxo --- (Backdoor.Bot)
C:\WINDOWS\system32\qtplugin.exe --- (Rootkit.Agent)

HKEY_CLASSES_ROOT\idid --- (Trojan.Sasfix)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell --- (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe bnis.mxo yfklng) Good: (Explorer.exe)


No additional scanner reported any item additional to these.

Also again I submitted all new detected/suspicious files to VirusTotal + ThreatExpert + Norman Sandbox. (Connection was now back with our cable modem, no longer the USB mobile internet modem.) And again I re-updated all malware scanners to then follow up with the cleaning attempt.

Out of curiosity at this point, and since things had "developed" since before, again I checked the active connections, via the netstat command in command prompt, and could confirm that iexplore.exe kept continuously establishing numerous connections. Here's a short (and shortened, as there were many repeated entries) "log" of that by then, if relevant:

QUOTE
All connections would either say "ESTABLISHED" or "TIME_WAIT" except where otherwise indicated.

TCP Sonia:1060 89.107.104.40:2501
TCP Sonia:1078 i01g00.smtp.mv.net:smtp
TCP Sonia:1061 89.107.104.40:2501
TCP Sonia:1106 smtp55.redcondor.net:smtp
TCP Sonia:1090 disli7.interdominios.com:smtp FIN_WAIT_2
TCP Sonia:1061 89.107.104.40:2501
TCP Sonia:1086 mail204.messagelabs.com:smtp
TCP Sonia:1087 89.107.104.40:2501
TCP Sonia:1094 gateway-f1.isp.att.net:smtp
TCP Sonia:1095 89.107.104.40:2501
TCP Sonia:1100 mx.poczta.onet.pl:smtp
TCP Sonia:1101 89.107.104.40:2501
TCP Sonia:1090 disli7.interdominios.com:smtp FIN_WAIT_2
TCP Sonia:1107 89.107.104.40:2501
TCP Sonia:kpop 89.107.104.40:2501
TCP Sonia:1111 89.107.104.40:2501
TCP Sonia:1124 di.mx.aol.com:smtp
TCP Sonia:1125 89.107.104.40:2501
TCP Sonia:1149 smtp.ucsc.edu:smtp
TCP Sonia:1090 disli7.interdominios.com:smtp FIN_WAIT_2
TCP Sonia:1060 89.107.104.40:2501
TCP Sonia:1157 postino12.prima.com.ar:smtp SYN_SENT
TCP Sonia:1131 89.107.104.40:2501
TCP Sonia:1179 golf935.server4you.de:smtp
TCP Sonia:1185 89.107.104.40:2501
TCP Sonia:1187 mailguard.acsol.net:smtp
TCP Sonia:1107 89.107.104.40:2501
TCP Sonia:kpop 89.107.104.40:2501
TCP Sonia:1111 89.107.104.40:2501
TCP Sonia:1186 mx0.mfg.onr.siteprotect.com:smtp


OK then, from here, so I started the cleaning.

As before, I booted to Safe Mode and started with cleaning all temp files (which at once included part of the malware files) with both CCleaner and ATF-Cleaner.

Just a preliminary note, though, to add that, when booting to Safe Mode, the "Control center" window would still appear all the same, before the desktop would load. Also, checking in Task Manager, I could see that iexplore.exe was among the processes running all the same too. (Note: I had booted to Safe Mode without networking.) I actually even tried a couple of times to kill the process in Task Manager, before proceeding with the cleaning, but a new instance of iexplore.exe would automatically be launched each time, so I proceeded anyway.

Rebooted and ran MBAM + SAS + Dr.Web (each scanner run in Safe Mode as well, rebooting in between each scan), removing/fixing all files/items detected by each (as listed above). One further note, to add that, as before as well, when removing the files detected by Dr.Web, which included the file C:\Documents and Settings\Sonia\mwrioy.exe which was set to run on startup, I also fixed the corresponding startup entry with HijackThis (since no scanner by then actually picked up this malware trace in the registry):

O4 - HKCU\..\Run: [mwrioy] C:\Documents and Settings\Sonia\mwrioy.exe

Then, as for the remaining malware and infection-related files which weren't picked up by any of the mentioned scanners, namely:

C:\Documents and Settings\Sonia\Music.lnk
C:\Documents and Settings\Sonia\Passwords.lnk
C:\Documents and Settings\Sonia\Documents.lnk
C:\Documents and Settings\Sonia\New Folder.lnk
C:\Documents and Settings\Sonia\Pictures.lnk
C:\Documents and Settings\Sonia\Video.lnk
C:\WINDOWS\system32\drwtelog.dll
C:\WINDOWS\system32\svchost.bat


All these, as before, I deleted on reboot with KillBox. All deletions reported successful.

Subsequent scans with each scanner used reported nothing found.

By now I also removed the hidden and system attributes of the userprofile folder, C:\Documents and Settings\Sonia\, via command prompt. (I cross-checked with our home desktop, which also runs Windows XP Pro, and the userprofile there was obviously not hidden, nor system either.)

I should also mention that, by now, after all the cleaning done, the option to set hidden and system files to show/hide was no longer compromised, it all worked properly again, now.

And again, at this point (14-04-2010), the laptop was to return to its owner. Checking the USB devices would still have to wait for a next chance.

To add, though, that before returning the laptop, ESET Smart Security was uninstalled. I checked with the owner, and she told me that it had been some colleague who had installed that, and that she didn't have the installation setup file nor anything (initially I thought of trying to repair the installation, should the installation setup file exist, but since it didn't, that option was dropped) and so it was ok and better to just go ahead and uninstall. And so I did, and installed the same AV+FW "suite" we use in our home desktop: Avast Antivirus (version 4.8, though, not the latest one yet, as I'm still "holding on" for the "right moment" to go for the upgrade) + Sygate Firewall (which I know is an "end-of-life" product, yet, it's the one firewall I've used since ever and one I feel much confident with). Which is also an AV+FW "suite" which the laptop owner and surely my brother too are rather familiar with, since that was the AV+FW "suite" which had always been installed in this laptop up until not long ago when it was replaced with ESET Smart Security.

A couple notes to add here:

As I connected the laptop to the internet, in order to configure Sygate, the first connection requested by each application requesting access to the internet was to empresa.majest1c.com [64.74.223.35] HTTP port 80. Be it Avast update, Avast Web Scanner, SiteAdvisor, SUPERAntiSpyware update, Windows Media Player, Windows Live Messenger, Adobe Reader update, etc; pretty much every program would first request that connection, to empresa.majest1c.com. Smelled fishy, and initially I denied the connection. But then, for the security programs at least, such as everything Avast related and SiteAdvisor, and also C:\WINDOWS\system32\svchost.exe, I had to configure Sygate to allow permanent internet access to these programs (i.e. choose Sygate to remember the choice and not ask again for these programs), otherwise the laptop owner would go mad with all the many connection request pop-ups... (I hope that was ok to choose, nonetheless, considering the programs at stake?...) For every other program, however, I left Sygate to ask each time. With the exception of both Google Toolbar Notifier (C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe) and Google Installer (C:\Program Files\Google\Update\GoogleUpdate.exe), which, for the time being, I actually chose to block access to the internet. (Particularly, I was intrigued about GoogleUpdate.exe, as this program in particular pretty much insisted on wanting to connect to empresa.majest1c.com. I did even submit that .exe file to VirusTotal, for peace of mind, but all scanners reported nothing found. In any case, to cut things short, I just chose to permanently block both those Google applications.) I also warned the laptop owner to preferably deny connection to empresa.majest1c.com, whenever a program would request that connection.

Also, shortly after Avast Antivirus being up and running, the resident shield popped up a warning about the file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\9NEVQ0RM\206a457a98f15361eaa8c95f52c93646721c3008411[1].js, which was detected as JS:FakeAV-EJ [Trj]. I first submitted the file to VirusTotal, and let Avast delete it afterwards. Also scanned the whole C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\ folder, just to be sure, and nothing further was reported.

But so, that was it for this time. No time to check anything further, as the laptop owner needed to take it back at once, and was just waiting for me to finish, as I set up Avast and Sygate.

----------------------------------------------------------------------------------------------------

Then, another couple days later (16-04-2010), so my brother brought the laptop back again, to finally check all USB devices.

I started by, again, running new "preview" scans. Nothing found this time, no new threats at least, except for a few items in System Restore, which I removed with both Avast and ESET Online Scanner (which, at last, completed successfully). Also, I now quarantined with Avast both those TimeSink adware files, C:\Program Files\eGames\RahJongg\TSUninstaller.exe and C:\Program Files\eGames\RahJongg\RahJongg\TSUninstaller.exe, which I had left "on hold" when detected by Dr.Web CureIt! before (as I preferred to quarantine these with a resident scanner rather than removing them with a portable one, since the laptop owner might want or need to revert that for some reason because of the game which these files were part of).

One thing to mention at this point is that, in one of the attempts to run F-Secure Online Scanner, Firefox got redirected. Each time I'd try to launch F-Secure Online Scanner, it too (both C:\Documents and Settings\Sonia\Local Settings\Temp\fsols_launcher.exe and C:\Documents and Settings\Sonia\Local Settings\Temp\fsonlinescanner.exe) would first try to connect to empresa.majest1c.com, which each time I denied. Curiously, though, one of the times I denied that connection, (coincidentally?) Firefox got redirected, then to:

hxxp://feed.ndot.com/clickn.php?fb=WVRveU9udH....................U8zMD0=&b=MC4wMDE=&p=MA==

Connection was luckily blocked by the HOSTS file (I had long ago applied the MVPS HOSTS file on this laptop and had updated it previously). (MalwareURL URL report | hpHosts URL report) I did make yet even another try to run F-Secure Online Scanner, but it kept wanting to connect to empresa.majest1c.com, and as I didn't want to allow the connection, so I just dropped F-Secure Online Scanner for that time.

I then tried to "dig" further on these connection attempts to empresa.majest1c.com. I did a registry search and the following entries were found:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="hxxp://empresa.majest1c.com/"

[HKEY_USERS\S-1-5-21-2594835689-3197258351-2018326800-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"="hxxp://empresa.majest1c.com/"

Seeing that these referred to Internet Settings, so I went to check those (Control Panel > Internet Options). In the Connections tab, checking the settings for both LAN and the other connection available (that set up for the USB mobile internet modem which I referred to before) listed under Dial-Up, for both, under "Automatic configuration", the "Use automatic configuration script" option was ticked on, and in the Address field there was hxxp://empresa.majest1c.com/.

Again, I cross-checked with our home desktop, and neither was the "Use automatic configuration script" option selected, much less was there any URL in the Address field. (Obviously, there was no AutoConfigURL entry in the corresponding CURRENT_USER Internet Settings registry key either.)

So, what I did was delete hxxp://empresa.majest1c.com/ from the Address field, and then untick the "Use automatic configuration script" option, which I did for both connections (LAN and the other under Dial-Up). Then hit 'Apply' and 'OK'.

I re-checked in regedit and the AutoConfigURL entries were now gone and no further reference to empresa.majest1c.com was to be found anywhere in the registry.

As I also re-checked the Internet Settings in Control Panel, however, I could see that, although the "Use automatic configuration script" option remained unticked, hxxp://empresa.majest1c.com/ was actually still showing in the Address field, although greyed out now.

I repeated the whole "procedure" again, and re-checked it all again, but still hxxp://empresa.majest1c.com/ was showing greyed out in the Address field. So I decided to rather change the address in there to one I hoped was "neutral", and so I changed it to http://www.microsoft.com. First applied that with the "Use automatic configuration script" option ticked on, and last left it unticked. Again re-checked in regedit and there were no AutoConfigURL entries nor further reference to empresa.majest1c.com anywhere in the registry. Also re-checked again the Internet Settings in Control Panel, and, although the Address field kept filled in even though greyed out, now at least it was http://www.microsoft.com showing in there. I wonder, though, is there not a way to erase for good the greyed out "memorized" URL from the Address field in there, leaving it simply blank again?...

From here, I didn't/don't know what else to do, concerning this empresa.majest1c.com issue?...

Note, though, that from here on, checking Sygate traffic logs, no other application requesting access to the internet ever again tried to connect to empresa.majest1c.com [64.74.223.35], with the exception of Avast Web Scanner (C:\Program Files\Alwil Software\Avast4\ashWebSv.exe) + SiteAdvisor (C:\Program Files\McAfee\SiteAdvisor\McSACore.exe) + Google Installer (C:\Program Files\Google\Update\GoogleUpdate.exe) which all kept (randomly?) connecting/trying to connect to empresa.majest1c.com. (As mentioned above, as Sygate was configured to allow permanent internet access for both Avast Web Scanner and SiteAdvisor, these two applications were actually always allowed connection to empresa.majest1c.com. Google Installer, however, was blocked from all connections all the time. It would, though, pretty often try to connect to empresa.majest1c.com too; meanwhile I had re-set Sygate to ask each time for this application, to be aware of when and where it would try to connect to, and it was rather often that it would try to connect to empresa.majest1c.com.)

And still regarding internet traffic, mind you, along with those pointing to empresa.majest1c.com [64.74.223.35], there were actually some more entries showing in Sygate traffic logs which got me intrigued, namely:

C:\WINDOWS\system32\svchost.exe connecting to:

873hgf7xx60.com [112.121.181.26] (MalwareURL URL report | IP report)
34jh7alm94.asia [112.121.181.26] (MalwareURL URL report | IP report)
mfdclk001.org [213.163.89.104] (MalwareURL URL report | IP report)

SiteAdvisor (C:\Program Files\McAfee\SiteAdvisor\McSACore.exe) connecting to:

10search.com [8.5.1.41] (hpHosts URL report | IP report)

Avast Web Scanner (C:\Program Files\Alwil Software\Avast4\ashWebSv.exe) connecting to:

zxclk9abnz72.com [78.47.248.116] (MalwareURL URL report | IP report)
91jjak4555j.com [213.163.89.105] (MalwareURL IP report)
lk01ha71gg1.cc [213.163.89.106] (MalwareURL IP report)
zl091kha644.com [213.163.89.106] (MalwareURL IP report)
a74232357.cn [213.163.89.107] (MalwareURL IP report)
a67990067.cn [188.40.108.179] (IP range referenced @ MVPS HOSTS)

All these connections repeated (randomly?) countless times in the logs (except that to a67990067.cn which curiously actually appears only 3 single times in the logs).

Then there were yet some few other occasional connections (all also by Avast Web Scanner C:\Program Files\Alwil Software\Avast4\ashWebSv.exe) to another handful of URLs which also left me suspicious:

wxw.directrdr.com [216.151.178.180]
ocsp.godaddy.com [188.121.36.239] (URL + IP range referenced @ MVPS HOSTS)
cheap-unlimitedhosting.com [216.240.187.152] (hpHosts IP report)
triggers.wp.bandoo.com [207.232.22.109] (hpHosts URL report | IP report)
logc158.xiti.com [62.161.94.222] (hpHosts URL report | IP report)

Then again, back about Firefox redirects, I did experience another couple of them (these, already after having "disabled" empresa.majest1c.com from being set as AutoConfigURL); one when I was going to download Adobe Reader from www.adobe.com, and the other when I was going to download GMER from www.gmer.net. Redirect was, on both occasions (although in different times), to:

hxxp://ad.xtendmedia.com/ipm?z=0&Z=0x0&s=843012&y=23&w=800&h=600&t=3

Again, connection was luckily blocked by the HOSTS file. (hpHosts URL report)

Then, yet the day after, another intriguing "symptom". Out of the blue, Avast resident shield popped up a warning about the file C:\WINDOWS\system32\drivers\ohci1394.sys (Microsoft 1394 OpenHCI Port Driver), which was detected as Win32:Alureon-FZ. And it repeated the warning a handful of times, within seconds. I chose to take no action at the moment, as I wanted to check further. As I went to the drivers folder and scanned the file, though, Avast now reported nothing found. And as I submitted it to VirusTotal, none of the scanners detected anything either. That left me rather intrigued. (As much as worried... Rootkit stuff maybe, I wondered?...)

Checking at file.net, and further cross-checking with our home desktop, also running Windows XP Pro (although SP2, whereas the laptop runs SP3), where, although no ohci1394.sys file exists in the drivers folder C:\WINDOWS\system32\drivers\ (normal?), it does in the dllcache folder C:\WINDOWS\system32\dllcache\ and in the Service Pack files folder C:\WINDOWS\ServicePackFiles\i386\, as it happens in the laptop too (although file versions are different in both computers, since the SPs are different, thus obviously the MD5 checksums don't match), I gathered this should indeed be a legit file to exist in the computer. I wondered, then, what might have triggered those warnings by Avast?...

Then, a couple hours later, new Avast warning, now another file detected among the Temporary Internet Files in C:\WINDOWS\system32\config\systemprofile\Local Settings\: C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GPU5S5WX\www3_saveus42_xorg_pl[1].htm, which was detected as JS:FakeAV-EN [Trj]. I submitted that to VirusTotal, and then let Avast delete it. (Just a note to add: this file, www3_saveus42_xorg_pl[1].htm, like that other one among these Temporary Internet Files which was previously detected by Avast too, 206a457a98f15361eaa8c95f52c93646721c3008411[1].js, had been created on 13-04-2010 at 10:46, as had a good part of all files in those Temporary Internet Files folders. Pretty much all the rest had also been created on the same date and time, 12-04-2010 at 00:58.)

Following to these two new "issues", then, I decided to do a quick re-scan to the whole computer once again, with both Avast and Malwarebytes Anti-Malware. MBAM found nothing. Avast neither, with the exception of a couple items in System Restore. Noticing that one of those items found in System Restore was a .sys file detected as Win32:Alureon-FZ, so I gathered it should likely be a copy of the file ohci1394.sys when it had been detected as Win32:Alureon-FZ, and so I chose to quarantine that one, instead of deleting it, in order to then check further.

I submitted that quarantined .sys file to VirusTotal and, unlike ohci1394.sys when I submitted it before, this file was detected as malware by over half of the scanners. (Also, obviously, MD5 checksums of both didn't match.) And, as suspected, it was indeed mostly reported as rootkit. I thus submitted the file also to ThreatExpert and Norman Sandbox, to get the analysis for reference.

OK, from here, I moved on to at last check and try to clean the USB devices, if infected. (Note: I'm aware of Flash Disinfector. And even many times felt "tempted" to use it, at once to protect my own USB devices and our home desktop. Yet, truth is I don't feel much secure, about using it on my own, as I also am not sure whether I should run it in our clean home desktop "just for the purpose" of protecting my own USB devices?... So, this to say, as I never felt confident enough to use Flash Disinfector on my own, so I opted not to use it for checking and cleaning these USB devices I had to check and clean... Even though I'm aware that should possibly be the best method to go for, I just didn't feel confident enough to do it on my own, and so I didn't use it...)

Previously I disabled AutoRun according to the instructions in the respective Microsoft KB article (i.e. via gpedit.msc, as I also had done long ago in our home desktop) as referred by this US-CERT article. And further I also applied the registry fix as referred in that same US-CERT article (as a "double precaution" just to be on the safe side, as chances were high that those USB devices were indeed infected):

QUOTE
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"


My thought, already the first time I had the laptop in my hands ("beebei" infection), was at once to disable AutoRun permanently (as I have, long ago, done in our home desktop too). I'm well aware of the recommendation to keep that feature disabled, as a preventive measure to avoid autorun infections, and made the laptop owner well aware of it too. The choice then, though, was to leave it enabled, as the laptop owner preferred it, also because their USB mobile internet modem also runs with autorun, and in the end they considered it less practical for them to leave AutoRun disabled...

But so, after temporarily disabling AutoRun, only then I went on to check all USB devices (there were 3 sticks and 2 mp3 players).

Upon plugging each one, I'd first scan it with Avast + Malwarebytes Anti-Malware + SUPERAntiSpyware, prior to exploring the contents in Windows Explorer.

Scans on the first mp3 player reported nothing found. I further scanned it with Dr.Web CureIt! + ESET Online Scanner + F-Secure Online Scanner + Trend Micro HouseCall, and all scanners again reported nothing found. I then explored the contents, and there were only mp3 files. This one apparently was clean.

Next I plugged the other mp3 player. Avast warned about H:\mwrioy.exe and H:\mwrioy.scr, both detected as Win32:VB-NIE [Trj]. I further explored the contents, and file H:\autorun.inf was present. Contents as follows:

CODE
aCtIon=Abrir pasta para exibir arquivos
ShElLEXecuTE=mwRIoY.EXe
ICON=%sYsteMRoOt%\syStEM32\shEll32.dlL,4
uSEaUtOPlaY=1


There were also the same shortcut files as found before in the userprofile folder:

H:\Music.lnk
H:\Passwords.lnk
H:\Documents.lnk
H:\New Folder.lnk
H:\Pictures.lnk
H:\Video.lnk


A side note here, back about the "mwrioy" infection, to remind that then no autorun.inf file pointing to mwrioy.exe was present in the userprofile directory, C:\Documents and Settings\Sonia\, as it had happened the first time with the "beebei" infection. I wondered then whether that might have been because of the "dummy" autorun.inf folder which I created in that directory, and whether that might actually have prevented the "mwrioy" associated autorun.inf file from being copied to the userprofile directory that time... (Following to getting the "beebei" infection cleaned, I created a "dummy" autorun.inf folder both in each drive's root as in the userprofile directory, hoping that might in some way eventually help prevent new autorun infections from at least being fully successful. Regarding the "mwrioy" infection; yes, since the USB device which was primarily infected with "mwrioy" was plugged into the computer and opened anyway, consequently it obviously infected the computer as well, of course, since the AutoRun feature was enabled then. But at least the associated autorun.inf file was not copied to the computer this time, as confirmed. I wonder if hopefully due to that "dummy" autorun.inf folder located in the userprofile directory, then?... And then I wonder again, if because of the fact that at least the autorun.inf file pointing to mwrioy.exe was not copied to the computer, if then at least the ability of the "mwrioy" infection to successfully spread to any other USB device which eventually might be plugged into the computer in the meantime, if that ability was prevented, since there actually was no autorun.inf file to be copied/spread?... Or am I wrong in my thoughts?...)

And yet back on with the cleaning of the USB devices:

I then plugged one of the USB sticks. Avast warned about F:\ymsaow.exe, detected as Win32:Malware-gen, and F:\rdqszp.exe, detected as Win32:Crypt-FER [Trj]. I further explored the contents, and these 2 .exe files were in fact the only contents of this USB stick. A note here, to remind that an autorun.inf file pointing to ymsaow.exe had been quarantined from removable drive F:\ by ESET Smart Security back on 25-08-2009, as mentioned before.

Next I plugged another of the USB sticks. Avast warned about I:\beebei.exe and I:\beebei.scr, both detected as Win32:VB-NIE [Trj]. I further explored the contents, and file I:\autorun.inf pointing to beebei.exe was present (contents were the same as those mentioned before for the corresponding file found in the userprofile folder).

I then plugged the last USB stick. Avast warned about G:\beebei.exe and G:\beebei.scr, both detected also as Win32:VB-NIE [Trj]. I further explored the contents, and file G:\autorun.inf pointing to beebei.exe was present (contents were the same as those mentioned before for the corresponding file found in the userprofile folder). There were also the same shortcut files as found before in the userprofile folder:

G:\Music.lnk
G:\Passwords.lnk
G:\Documents.lnk
G:\New Folder.lnk
G:\Pictures.lnk
G:\Video.lnk


And there was yet one more autorun.inf file in there: G:\Trash-Loja\autorun.inf. Contents as follows:

CODE
aCtION=Abrir pasta para exibir arquivos
ShElleXECute=HomEp.exE
icon=%SySTEmrOoT%\SYsTEm32\SHeLL32.DLl,4
UseAuTopLAy=1


So I submitted all new malware files found in each of the USB devices to VirusTotal + ThreatExpert + Norman Sandbox, and then proceeded with the cleaning of each of them. All .exe files detected by Avast, I let Avast delete them. All deletions reported successful. Then, as for the autorun.inf files, I removed those with Trend Micro HouseCall (which I had seen, from the VirusTotal reports, that were all detected by this scanner). And lastly, all the .lnk shortcut files, I deleted them manually.

Followingly I re-scanned each of the USB devices with Avast + Malwarebytes Anti-Malware + SUPERAntiSpyware + Dr.Web CureIt! + ESET Online Scanner + F-Secure Online Scanner + Trend Micro HouseCall, and all scanners reported nothing found for all USB devices. All USB devices checked apparently were now clean.

I then re-enabled AutoRun. Also I created a "dummy" autorun.inf folder also in the root of each of those USB devices.

In between all these re-scans, though, another note to add, as at some point Avast resident shield popped up a warning about the file C:\WINDOWS\system32\drivers\ohci1394.sys again, detected again as Win32:Alureon-FZ. And again, it repeated the warning a handful of times, within seconds. Then, again, the warning suddenly stopped, and as I scanned the file, again Avast reported nothing found. Also, again I submitted it to VirusTotal, and again none of the scanners detected anything. I cross-checked the MD5 checksum of it, and it matched that of the copy of ohci1394.sys found in both C:\WINDOWS\system32\dllcache\ and C:\WINDOWS\ServicePackFiles\i386\. As referred before, too, that MD5 checksum is different from that when the file is detected as infected. Also note that, whenever the file is detected as infected, the date/time of modification of the file also changes. All these warnings happened on the same day, 19-04-2010, and the last time of modification was at 23:50. Up until the last time I had the laptop in hands, which was on 26-04-2010, that actually had not changed again. Last date/time of modification remained on 19-04-2010 at 23:50. (Also, checking Avast resident shield log, there had been no further warnings about C:\WINDOWS\system32\drivers\ohci1394.sys up until that day, 26-04-2010). Also note that, curiously (?), the copy of ohci1394.sys in C:\WINDOWS\system32\dllcache\ also has the same date/time of modification as the copy in C:\WINDOWS\system32\drivers\, 19-04-2010 at 23:50.

From here, I didn't/don't know what else to do, concerning this ohci1394.sys issue?...

Then, one last note to add, as the next day (20-04-2010), as I was going to download Winamp (as my brother had asked me to install this additional player), again Firefox was redirected, this time to:

wxw1.savesysops21p.xorg.pl/?p=p52dcWpnaV%2FCj....................lnFxZ2o%3D

Avast network shield warned about the connection and blocked it (option was to abort connection, which I did). (hpHosts URL report)

This xorg.pl this time was familiar. (Remind that Avast had previously detected the file C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GPU5S5WX\www3_saveus42_xorg_pl[1].htm as JS:FakeAV-EN [Trj].) As I then checked Firefox browsing history, listed in between the Winamp website (from which Firefox got redirected) and the SiteAdvisor one (which I went to next, to check on this xorg.pl domain) there was this odd entry, named "search.php", pointing to hxxp://dolphin-th.com/search.php, and which had this icon (a kind of a purple "a") which actually I recalled to have seen already before, among those Temporary Internet Files in C:\WINDOWS\system32\config\systemprofile\Local Settings\. I checked there, and in fact in there was an icon like that one, C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\WI9YND6N\favicon[1].ico, created on 12-04-2010 at 00:58, same date and time as a good part of all files in those Temporary Internet Files folders, as mentioned before (while pretty much all the rest had been created on 13-04-2010 at 10:46, including both previously detected files, www3_saveus42_xorg_pl[1].htm and 206a457a98f15361eaa8c95f52c93646721c3008411[1].js, as also mentioned before). I then even submitted that .ico file for analysis at VirusTotal, for a rested mind, but no scanner detected anything.

If relevant, here's also a shortened traffic log from Sygate at the time Firefox got redirected:

QUOTE
All connections by Avast Web Scanner (C:\Program Files\Alwil Software\Avast4\ashWebSv.exe) except where otherwise indicated.

04/20/2010 11:11:09 Allowed Outgoing TCP wxw.winamp.com [206.222.227.38]
04/20/2010 11:11:15 Blocked Incoming UDP 195.74.229.216 (no application listed)
04/20/2010 11:11:56 Allowed Outgoing TCP b.winamp.com [207.200.65.161]
04/20/2010 11:12:11 Allowed Outgoing TCP a67990067.cn [188.40.108.179]
04/20/2010 11:12:11 Allowed Outgoing TCP dolphin-th.com [208.87.33.151]
04/20/2010 11:12:11 Allowed Outgoing TCP 88.214.193.251
04/20/2010 11:12:16 Allowed Outgoing TCP 88.214.197.187
04/20/2010 11:12:16 Allowed Outgoing TCP globalwarmingtray.info [193.34.168.112]
04/20/2010 11:12:21 Allowed Outgoing TCP wxw4.fiting58td.xorg.pl [95.169.186.25]
04/20/2010 11:13:18 Allowed Outgoing TCP 112.121.181.26 C:\WINDOWS\system32\svchost.exe
04/20/2010 11:13:18 Allowed Outgoing TCP wxw.download.windowsupdate.com [80.157.150.67] C:\WINDOWS\system32\svchost.exe
04/20/2010 11:14:04 Allowed Outgoing TCP images.scanalert.com [81.52.251.80]
04/20/2010 11:14:04 Allowed Outgoing TCP wxw.siteadvisor.com [208.69.152.108]
04/20/2010 11:14:04 Allowed Outgoing TCP empresa.majest1c.com [64.74.223.35] C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
04/20/2010 11:14:14 Blocked Incoming ICMP dolphin-th.com [208.87.33.151] (no application listed)


All in all, no idea if those were all irrelevant details/coincidences, yet I pretty much had had it, though, with those Temporary Internet Files, and decided to just get rid of it all and delete the folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\. (Note: I had been instructed on a previous occasion to delete this folder, by then in our home desktop, which also runs Windows XP Pro, so I was aware beforehand that this was a folder safe to delete, otherwise I would never have decided to go ahead and delete it now too in the laptop, not without expert advice. I hope that was an ok decision, after all?...)

Lastly, again I re-scanned the whole computer, with Avast + ESET Online Scanner + Malwarebytes Anti-Malware + SUPERAntiSpyware, to ensure that all was clean. All scanners reported nothing found. So the laptop returned to owner.

----------------------------------------------------------------------------------------------------

Few days later (26-04-2010), though, my brother brought me the laptop yet a last time, as meanwhile they had found yet one more USB device (another mp3 player) which hadn't been checked, so they wanted me to check that last one too.

Again, first I did a quick scan to the whole computer, with both Avast and Malwarebytes Anti-Malware. Both reported nothing found.

One note to add, though, as, checking Avast network shield log, I could confirm that in this meantime there had been yet another Firefox redirect, again to xorg.pl:

wxw2.securepccare6.xorg.pl/?p=p52dcWpnaV%2FCj....................6roZ2eZZeY

Again if relevant, here's also a shortened traffic log from Sygate at the time Firefox got redirected (seemingly, whoever was using the computer was surfing Hi5 and/or Hotmail, when the redirect happened this time):

QUOTE
All connections by Avast Web Scanner (C:\Program Files\Alwil Software\Avast4\ashWebSv.exe) except where otherwise indicated.

04/24/2010 11:59:35 Allowed Outgoing TCP wxw.hi5.com [66.218.161.68]
04/24/2010 11:59:40 Allowed Outgoing TCP css.wlxrs.com [195.23.79.41]
04/24/2010 11:59:40 Allowed Outgoing TCP gfx8.hotmail.com [195.23.79.40]
04/24/2010 11:59:50 Allowed Outgoing TCP login.live.com [65.54.186.47] C:\Program Files\Mozilla Firefox\firefox.exe
04/24/2010 12:00:11 Allowed Outgoing TCP wxw.recados.com [64.191.20.134]
04/24/2010 12:00:26 Allowed Outgoing TCP 63.236.62.180
04/24/2010 12:00:26 Allowed Outgoing TCP wxw.farmsrv.com [63.236.62.185]
04/24/2010 12:00:36 Allowed Outgoing TCP cdn.farmsrv.com [93.188.128.26]
04/24/2010 12:00:41 Allowed Outgoing TCP extasys.com [206.207.85.33]
04/24/2010 12:00:41 Allowed Outgoing TCP 174.36.108.69
04/24/2010 12:00:47 Allowed Outgoing TCP globalwarmingtray.info [193.34.168.112]
04/24/2010 12:00:47 Allowed Outgoing TCP extasys.com [206.207.85.33]
04/24/2010 12:00:47 Allowed Outgoing TCP 88.214.193.251
04/24/2010 12:00:47 Allowed Outgoing TCP wxw4.fiting58td.xorg.pl [95.169.186.25]
04/24/2010 12:00:47 Allowed Outgoing TCP a67990067.cn [188.40.108.179]
04/24/2010 12:00:47 Allowed Outgoing TCP 88.214.197.187
04/24/2010 12:00:52 Allowed Outgoing TCP wxw.hi5.com [66.218.161.68]


At this point, and still regarding internet traffic, a few coincidences to underline:

As already referred above, the connection to a67990067.cn [188.40.108.179] appears only 3 single times in the traffic logs, precisely at the time when those 3 Firefox redirects happened, the one to ndot.com and those two to xorg.pl.

The connections to dolphin-th.com [208.87.33.151] (hpHosts IP report) happened only at the time of the first Firefox redirect to xorg.pl whereas the connections to extasys.com [206.207.85.33] (hpHosts IP report) happened only at the time of the second Firefox redirect to xorg.pl. Also, the connections to both IPs 88.214.193.251 and 88.214.197.187 (IP range referenced @ MVPS HOSTS), as also those to globalwarmingtray.info [193.34.168.112], all happened only at the time of both Firefox redirects to xorg.pl.

Then, another couple side notes:

As I could confirm as well, the folder C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\, which I had previously deleted, so far had not been re-created.

As referred above, too, date/time of modification of the file C:\WINDOWS\system32\drivers\ohci1394.sys remained on 19-04-2010 at 23:50, and further checking Avast resident shield log, there had been no further warnings about this file (nor any other, for that matter) up until this day, 26-04-2010.

So, I moved on to check that last USB device. Firstly disabled AutoRun again, same way as described previously. Then plugged it. Avast warned about F:\beebei.exe and F:\beebei.scr, both detected as Win32:VB-NIE [Trj]. I further explored the contents, and file F:\autorun.inf pointing to beebei.exe was present (contents were the same as those mentioned before for the corresponding file found in the userprofile folder). Again I removed beebei.exe and beebei.scr with Avast, and autorun.inf with Trend Micro HouseCall. Next re-scanned the USB device with Avast + Malwarebytes Anti-Malware + SUPERAntiSpyware + ESET Online Scanner + F-Secure Online Scanner + Dr.Web CureIt! + Trend Micro HouseCall, and all scanners reported nothing found, so this one too apparently was now clean. I then re-enabled AutoRun again. And also I created a "dummy" autorun.inf folder also in the root of that last USB device.

Followingly, again re-scanned the whole computer too, with Avast + ESET Online Scanner + MBAM + SAS, to ensure that all was clean. All scanners reported nothing found. And so the laptop returned to owner, at last, for good (after having also already again updated all programs needing updating + defragging and such).

----------------------------------------------------------------------------------------------------

So, in the end of it all, and, as I was saying in the topic subject, after having cleaned the most I knew and could, so these are the summed up remaining symptoms/signs which I'm left worrying and wondering about (at least those visible to this layman's eyes) or which I at least twist my nose to:

>>> The empresa.majest1c.com issue, and the fact that Google Installer (GoogleUpdate.exe) constantly keeps trying to connect to that URL (along with Avast Web Scanner ashWebSv.exe and SiteAdvisor McSACore.exe too).

>>> Also all those constant (!) random (?) connections by C:\WINDOWS\system32\svchost.exe to mfdclk001.org [213.163.89.104] + 873hgf7xx60.com [112.121.181.26] + 34jh7alm94.asia [112.121.181.26] and by Avast Web Scanner to zxclk9abnz72.com [78.47.248.116] + 91jjak4555j.com [213.163.89.105] + lk01ha71gg1.cc [213.163.89.106] + a74232357.cn [213.163.89.107].

>>> The casual Firefox redirects (it happened to ndot.com + xtendmedia.com + xorg.pl).

>>> The ohci1394.sys issue, and why it was detected as infected in more than one occasion, and then not. (Note that, following to each time the file was detected as infected, a new info message would be listed in Event Viewer, reading as follows: "Windows File Protection [64002] - File substitution has been attempted in the protected system file c:\windows\system32\drivers\ohci1394.sys. This file has been restored to the original version to maintain the system stability. Version of the damaged file is 5.1.2600.5512!.".)

>>> The Windows Security Center issue. Further about this, note that:

Checking in services.msc, the Security Center service does not appear listed.

The registry key corresponding to the service does not exist:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc]

>>> The Windows Firewall issue. Further about this, note that:

Checking in services.msc, the Windows Firewall service does not appear listed.

Export of the registry key corresponding to the service:

QUOTE
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000001


>>> Reference to malware "sshnas" is still found in the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
-> value: netsvcs -> data: SSHNAS

Also note, regarding this registry key, date and time of last writing is 08-04-2010 0:02, precisely the same date and time when the file C:\WINDOWS\system32\sshnas21.dll had been created and last modified.

>>> Reference to malware "Control Components" is still found in the registry:

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\Sonia\\Application Data\\Control Components\\ccmain.exe"

>>> Reference to malware is found in the MountPoints2 registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8735f32-97a5-11de-8159-0018de978965}\Shell\AutoRun\command]
@="F:\\9jyhdim8.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8735f32-97a5-11de-8159-0018de978965}\Shell\open\Command]
@="F:\\9jyhdim8.exe"

A note to remind that an autorun.inf file pointing to 9jyhdim8.exe had been quarantined from removable drive F:\ by ESET Smart Security back on 01-10-2009, as mentioned before.

Then there are also other dubious entries in the MountPoints2 key which I'm suspicious about... Thus I'd take this chance to ask if and how the MountPoints2 key can actually be safely "reset/cleared"?... (I've been wondering about this doubt for long, also cos I'd even wish to also "reset/clear" this key in our home desktop too, if such is at all possible to be done?...)

>>> The eventual atapi.sys issue, as GMER refers this file, as you'll later see in the respective logs.

QUOTE
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification


Note that the first GMER log ("beebei" infection) did not report this. Only from the second time on ("mwrioy" + "Control Components" infections) it started reporting it.

I checked further, and the copy of atapi.sys in C:\WINDOWS\system32\drivers\ and that in C:\WINDOWS\ServicePackFiles\i386\ both do have the same MD5 checksum and same modification date and time, 13-04-2008 19:40. Curiously, however, no copy of atapi.sys exists in C:\WINDOWS\system32\dllcache\; no idea if that's normal to happen?... (Once more cross-checked with our home desktop, running XP Pro SP2, and a copy of atapi.sys does exist in the dllcache folder...)

I submitted the file to VirusTotal and there was 1 detection (eSafe detected Win32.Rootkit). (Out of curiosity, and although the files are different versions, since the laptop's is SP3, still I also submitted the atapi.sys file in our home desktop to VirusTotal just to see if eSafe would detect the same too, but no, no scanner reported anything.)

>>> Internet Explorer default pages (i.e. start page, search page, etc); I'd wish to get all those reset. Take IE's home page: initially that was showing as hxxp://www.vompi.com (whereas SUPERAntiSpyware actually reported hxxp://search.conduit.com/?SearchSource=10&ctid=CT1392740). The laptop owner told me it wasn't her who set it like that, so I just set the homepage to a blank page. And then I even thought of trying SAS (Preferences > Repairs) to reset the other pages too, but, I wasn't too sure?... Or perhaps HijackThis should be preferred, choosing to fix the corresponding entries?... But I wasn't too sure about this either, as I don't know what effect exactly that action would have?... So I wonder, if and how I could reset Internet Explorer pages?...

>>> Then, lastly, I also twist my nose to those Internet Explorer toolbars, namely those MyPlayCity/conduit.com ones, and wonder whether that all is good or some not so good stuff?... At some point I had disabled those, but later on those appeared re-enabled, even though the laptop owner again told me it wasn't her who set it like that, so I wonder how the toolbars got re-enabled then?...

----------------------------------------------------------------------------------------------------

I'll include next the requested DDS + GMER logs for your analysis (for your reference, I'll include both the preliminary ones, taken previously to cleaning each of the infections, and the final one, taken after all the cleaning done, the last time I had the laptop in hands) and would greatly appreciate that you'd please advise on what else is necessary to do, to hopefully get rid of all the infection/malware remainders. (Then again, additionally I also saved logs from RSIT + HJT + HJT Startup List + AutoRuns, both from pre-clean and after-clean; if any at all needed for further reference, please let me know and I'll include them next time. Also I did save each malware sample, if required for any further analysis.)

I'll also include next both VirusTotal + ThreatExpert reports of each malware sample, if useful for reference.

And yet I do at last apologise for the rather extensive long post, and all the many details included, some even perhaps irrelevant or useless, I don't know, but in any case I thought I'd detail it all the most I could, hoping that it may be of help, who knows, also to any other users "googling" for helpful hints in any such similar cases as this... Thank you greatly, again, for your understanding, and patience overall. And sorry, also again, for the post x2 (had to, given the huge mess)... :-S

Thank you. smile.gif

P.S. Just a note, to apologise also if I won't be able to provide fresh logs at once as soon as you eventually request them, as such will depend on a chance for my brother to bring the laptop back here again. I appeal to your understanding and patience once more. Thank you kindly.

P.S. Given the nature of the infections, at once I urged the laptop owner as well as my brother to reset all passwords with any banking institutions etc, of course.

----------------------------------------------------------------------------------------------------

VirusTotal + ThreatExpert reports

~GLH00ae.TMP (VT | TE) | 30.exe (VT | TE) | 32.exe (VT | TE) | 206a457a98f15361eaa8c95f52c93646721c3008411[1].js (VT) | atapi.sys (VT) | autorun.inf [beebei.exe] (VT) | autorun.inf [mwrioy.exe] (VT) | autorun.inf [homep.exe] (VT) | beebei.exe (VT | TE) | Big_City_Adventure_-_San_Francisco.exe (VT | TE) | bisC6.exe (VT | TE) | bnis.mxo/2B.tmp (VT | TE) | ccagent.exe (VT | TE) | ccmain.exe (VT | TE) | ctfmon.exe [G:\ recycled] (VT | TE) | cvasds0.dll (VT | TE) | desktopxpadd.exe (VT | TE) | dlvbphk.exe (VT | TE) | drwtelog.dll (VT | TE) | eguiEmon.dll [ESET Smart Security] (VT) | eguiEpfw.dll [ESET Smart Security] (VT) | ekrnEmon.dll [ESET Smart Security] (VT) | ekrnEpfw.dll [ESET Smart Security] (VT) | herss.exe (VT | TE) | homolog32.exe (VT | TE) | jwgkvsq.vmx (VT | TE) | kWab.dll (VT | TE) | mptms.exe (VT | TE) | mtsil.exe (VT | TE) | mwrioy.exe (VT | TE) | nlxis.exe (VT | TE) | Nposua.exe/Nwk.exe (VT | TE) | Nposub.exe/Nwn.exe (VT | TE) | Nwj.exe (VT | TE) | Nwm.exe (VT | TE) | Nwo.exe (VT | TE) | offer2.exe (VT | TE) | ohci1394.sys [System Restore] (VT | TE) | qtplugin.exe/2E.tmp (VT | TE) | rdqszp.exe (VT | TE) | sshnas21.dll [system32] (VT | TE) | sshnas21.dll [temp] (VT | TE) | strike32.zip (VT | TE) | SVCHOST.EXE [temp] (VT | TE) | systemupdate.dll (VT) | TSUninstaller.exe (VT | TE) | Uninstall.exe [Circle Developemet] (VT | TE) | uninstall.exe [Control Components] (VT | TE) | unoundercover.dll (VT | TE) | updater.dll [ESET Smart Security] (VT) | V1twihdS.scr.part (VT | TE) | win_protection_update.exe (VT | TE) | www3_saveus42_xorg_pl_1_.htm (VT) | ymsaow.exe (VT | TE)

----------------------------------------------------------------------------------------------------

Edited by DeLuk, 03 June 2010 - 06:18 AM.
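The autorun.inf files quoted in the post use randomised key casing (ShElLEXecuTE=mwRIoY.EXe) that Windows reads fine but that trips up case-sensitive matching. As an added example (not the poster's code, nor from any tool named in the thread), this normalises such a file, reports what it would launch, flags the decoy .lnk shortcuts found beside it, and checks a .reg export for the US-CERT IniFileMapping fix; the root directory listing is constructed from the file names in the post.

```python
"""Triage helper for autorun.inf files of the kind quoted in the post.

Added example, not code from the original post or from any tool named in it.
Windows reads INI keys case-insensitively, so the randomised casing is
cosmetic to Windows but defeats naive string matching.  Normalising first
lets a scan report what the file would launch, spot the decoy .lnk files
placed beside it, and confirm the IniFileMapping mitigation is in place.
"""
import re
from typing import Dict, List

# Keys that make AutoRun/AutoPlay start a program; shell\<verb>\command
# entries add context-menu verbs that launch a command as well.
LAUNCH_KEYS = ("open", "shellexecute")
EXEC_RE = re.compile(r"\.(exe|scr|com|bat|cmd|pif)\b", re.IGNORECASE)

# Folder names the worm in the post mimics with shortcuts in the drive root.
DECOY_NAMES = {"music", "passwords", "documents", "new folder", "pictures", "video"}

# autorun.inf contents as quoted in the post for the second mp3 player.
SAMPLE_AUTORUN = r"""aCtIon=Abrir pasta para exibir arquivos
ShElLEXecuTE=mwRIoY.EXe
ICON=%sYsteMRoOt%\syStEM32\shEll32.dlL,4
uSEaUtOPlaY=1
"""

# Constructed root listing for that device (file names taken from the post).
SAMPLE_LISTING = ["autorun.inf", "mwrioy.exe", "mwrioy.scr", "Music.lnk",
                  "Passwords.lnk", "Documents.lnk", "New Folder.lnk",
                  "Pictures.lnk", "Video.lnk", "track01.mp3"]

# The US-CERT registry fix exactly as quoted in the post.
SAMPLE_REG = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Lower-case each key; skip blank lines, comments and section headers."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_targets(entries: Dict[str, str]) -> List[str]:
    """Return every value AutoRun or a context-menu verb would execute."""
    return [v for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def decoy_links(listing: List[str]) -> List[str]:
    """Root shortcuts named like user folders: the social-engineering half."""
    return sorted(n for n in listing
                  if n.lower().endswith(".lnk") and n[:-4].lower() in DECOY_NAMES)


def assess(text: str, listing: List[str]) -> Dict[str, object]:
    """Combine the checks into one verdict for a removable-drive root."""
    entries = parse_autorun(text)
    targets = launch_targets(entries)
    present = {n.lower() for n in listing}
    decoys = decoy_links(listing)
    return {
        "launches": targets,
        # executables referenced by autorun.inf that really sit in the root
        "payload_present": [t for t in targets
                            if EXEC_RE.search(t) and t.lower() in present],
        "useautoplay": entries.get("useautoplay") == "1",
        "decoys": decoys,
        "suspicious": bool(targets) or bool(decoys),
    }


def ini_mapping_disables_autorun(reg_export: str) -> bool:
    """True when the export maps Autorun.inf under IniFileMapping to a
    non-existent registry key, which makes Windows ignore every autorun.inf."""
    in_section = False
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower().endswith(r"\inifilemapping\autorun.inf]")
        elif in_section and line.startswith("@="):
            return line[2:].strip('"').lower() == "@sys:doesnotexist"
    return False


if __name__ == "__main__":
    print(assess(SAMPLE_AUTORUN, SAMPLE_LISTING))
    print("IniFileMapping fix present:", ini_mapping_disables_autorun(SAMPLE_REG))
```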
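The post spots by eye that a67990067.cn and a few other destinations show up only at the moments Firefox was redirected to xorg.pl. As an added example (not the poster's code, nor a Sygate or Avast feature), this makes that comparison mechanical over the two Sygate excerpts quoted above: it anchors a time window on each connection to the redirect domain and reports the destinations seen in every window and nowhere else; the window sizes (15 s before, 60 s after) are an assumed heuristic.

```python
"""Correlate firewall log lines with browser redirects.

Added example, not code from the original post or from Sygate/Avast.
Sample lines are copied from the two Sygate excerpts in the post ("wxw" is
the forum's munging of "www"); the window sizes are an assumed heuristic.
"""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<verdict>Allowed|Blocked) (?P<direction>Incoming|Outgoing) (?P<proto>\w+) "
    r"(?P<host>\S+)(?: \[(?P<ip>[\d.]+)\])?(?: (?P<app>.*))?$")

SAMPLE_LOG = r"""
04/20/2010 11:11:09 Allowed Outgoing TCP wxw.winamp.com [206.222.227.38]
04/20/2010 11:11:15 Blocked Incoming UDP 195.74.229.216 (no application listed)
04/20/2010 11:11:56 Allowed Outgoing TCP b.winamp.com [207.200.65.161]
04/20/2010 11:12:11 Allowed Outgoing TCP a67990067.cn [188.40.108.179]
04/20/2010 11:12:11 Allowed Outgoing TCP dolphin-th.com [208.87.33.151]
04/20/2010 11:12:11 Allowed Outgoing TCP 88.214.193.251
04/20/2010 11:12:16 Allowed Outgoing TCP 88.214.197.187
04/20/2010 11:12:16 Allowed Outgoing TCP globalwarmingtray.info [193.34.168.112]
04/20/2010 11:12:21 Allowed Outgoing TCP wxw4.fiting58td.xorg.pl [95.169.186.25]
04/20/2010 11:13:18 Allowed Outgoing TCP 112.121.181.26 C:\WINDOWS\system32\svchost.exe
04/20/2010 11:14:04 Allowed Outgoing TCP wxw.siteadvisor.com [208.69.152.108]
04/24/2010 11:59:35 Allowed Outgoing TCP wxw.hi5.com [66.218.161.68]
04/24/2010 12:00:41 Allowed Outgoing TCP extasys.com [206.207.85.33]
04/24/2010 12:00:47 Allowed Outgoing TCP globalwarmingtray.info [193.34.168.112]
04/24/2010 12:00:47 Allowed Outgoing TCP extasys.com [206.207.85.33]
04/24/2010 12:00:47 Allowed Outgoing TCP 88.214.193.251
04/24/2010 12:00:47 Allowed Outgoing TCP wxw4.fiting58td.xorg.pl [95.169.186.25]
04/24/2010 12:00:47 Allowed Outgoing TCP a67990067.cn [188.40.108.179]
04/24/2010 12:00:47 Allowed Outgoing TCP 88.214.197.187
04/24/2010 12:00:52 Allowed Outgoing TCP wxw.hi5.com [66.218.161.68]
"""


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """One Sygate line -> dict; host is the resolved name or the bare IP."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S")
    return rec


def parse_log(text: str) -> List[Dict[str, object]]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def in_window(ts: datetime, anchors: List[datetime], before: int, after: int) -> bool:
    return any(a - timedelta(seconds=before) <= ts <= a + timedelta(seconds=after)
               for a in anchors)


def companions(records: List[Dict[str, object]], suffix: str = ".xorg.pl",
               before: int = 15, after: int = 60) -> List[str]:
    """Destinations present in every redirect window and absent elsewhere.

    Each connection to `suffix` anchors one window.  A destination that is
    contacted in all of those windows but never outside them is the kind of
    coincidence the post points out, and a candidate for a block list."""
    anchors = [r["ts"] for r in records if str(r["host"]).lower().endswith(suffix)]
    if not anchors:
        return []
    windows = [{str(r["host"]) for r in records if in_window(r["ts"], [a], before, after)}
               for a in anchors]
    shared = set.intersection(*windows)
    elsewhere = {str(r["host"]) for r in records
                 if not in_window(r["ts"], anchors, before, after)}
    # the redirect domain itself trivially sits in every window, so drop it
    return sorted(h for h in shared - elsewhere if not h.lower().endswith(suffix))


if __name__ == "__main__":
    for host in companions(parse_log(SAMPLE_LOG)):
        print("seen only alongside xorg.pl redirects:", host)
```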


#2 DeLuk
Posted 02 June 2010 - 09:49 AM

DDS main log 03-04-2010 ["beebei" infection | pre-clean]

----------

DDS (Ver_10-03-17.01) - FAT32x86
Run by Sonia at 15:44:30,09 on 03-04-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2047.1550 [GMT 1:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Firewall pessoal do ESET *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
SVCHOST.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Sonia\beebei.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Sonia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vompi.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
BHO: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Programa Auxiliar de Início de Sessão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [beebei] c:\documents and settings\sonia\beebei.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\inicia~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asusch~1.lnk - c:\program files\asus\asus chkmail\ChkMail.exe
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {18955D47-882E-48fc-B903-A4BDD030E7FD}
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {0AD475F1-D955-40a7-9FFF-C3BF075F04AA} - {40498DEF-8B13-44A6-A1A7-69DFE36E9210} {40498DEF-8B13-44A6-A1A7-69DFE36E9210} - {40498def-8b13-44a6-a1a7-69dfe36e9210}\inprocserver32 does not exist!
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Paradise%20Pet%20Salon/Images/stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248778929546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sonia\applic~1\mozilla\firefox\profiles\jijm76ob.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://pt-PT.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pt-PT:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&q=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{d3ecaceb-7079-4530-b82c-b20ece0422c5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{d3ecaceb-7079-4530-b82c-b20ece0422c5}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2009-8-16 210216]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

=============== Created Last 30 ================

2010-04-03 14:06:39 0 d-----w- c:\windows\system32\Adobe
2010-04-03 13:39:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-02 14:00:26 0 d-----w- C:\Instaladores
2010-03-31 11:16:22 0 d-----w- c:\program files\Trend Micro
2010-03-30 23:46:50 0 d-----w- C:\Infection
2010-03-30 18:41:42 0 d-----w- c:\program files\Utilitários Portáteis
2010-03-30 18:17:46 0 d-----w- c:\windows\pss
2010-03-18 16:24:10 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy2
2010-03-17 13:09:26 148 ----a-w- c:\documents and settings\sonia\Video.lnk
2010-03-17 13:09:26 148 ----a-w- c:\documents and settings\sonia\Pictures.lnk
2010-03-17 13:09:26 148 ----a-w- c:\documents and settings\sonia\Passwords.lnk
2010-03-17 13:09:26 148 ----a-w- c:\documents and settings\sonia\New Folder.lnk
2010-03-17 13:09:26 148 ----a-w- c:\documents and settings\sonia\Music.lnk
2010-03-17 13:09:26 148 ----a-w- c:\documents and settings\sonia\Documents.lnk
2010-03-17 13:09:26 132 --sh--r- c:\documents and settings\sonia\autorun.inf
2010-03-14 21:32:09 293376 ------w- c:\windows\system32\browserchoice.exe
2010-03-13 21:47:40 53428 --sh--r- c:\documents and settings\sonia\beebei.scr
2010-03-13 21:47:40 53428 --sh--r- c:\documents and settings\sonia\beebei.exe
2010-03-11 16:14:02 3558912 ------w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-03 13:39:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-19 10:34:34 90112 ----a-w- c:\windows\DUMP08bb.tmp
2010-02-18 09:21:30 210432 ----a-w- c:\documents and settings\sonia\systemupdate.dll
2010-02-18 09:21:30 204 ---h--w- c:\docume~1\sonia\applic~1\put.dat
2010-02-07 10:20:24 274944 ----a-w- c:\documents and settings\sonia\mtsil.exe
2010-01-25 18:34:34 98304 ----a-w- c:\windows\DUMPfbfa.tmp
2010-01-20 13:31:46 29184 ----a-w- c:\documents and settings\sonia\kWab.dll
2010-01-19 16:40:26 796672 ----a-w- c:\windows\GPInstall.exe

============= FINISH: 15:45:41,87 ===============


----------------------------------------------------------------------------------------------------


GMER log 04-04-2010 ["beebei" infection | pre-clean]

(Note: This first time, GMER was run with the option "Sections" unchecked, as that was the instruction in BC's Preparation Guide at the time. All subsequent runs had the option "Sections" checked, according to the current instructions in the guide.)

----------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-04 11:51:39
Windows 5.1.2600 Service Pack 3
Running: u12uheo8.exe; Driver: C:\DOCUME~1\Sonia\LOCALS~1\Temp\uxtdypod.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----


**********************************************************************


DDS main log 11-04-2010 ["mwrioy" + Control Components infections | pre-clean]

----------

DDS (Ver_10-03-17.01) - FAT32x86
Run by Sonia at 11:51:37,14 on 11-04-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2047.1478 [GMT 1:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Firewall pessoal do ESET *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
SVCHOST.EXE
SVCHOST.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\DOCUME~1\Sonia\LOCALS~1\Temp\Nwo.exe
SVCHOST.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Sonia\Application Data\Control Components\ccagent.exe
C:\Documents and Settings\Sonia\mwrioy.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\Nposub.exe
C:\Documents and Settings\Sonia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vompi.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uWinlogon: Shell=c:\documents and settings\sonia\application data\control components\ccmain.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
BHO: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Programa Auxiliar de Início de Sessão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
TB: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [mwrioy] c:\documents and settings\sonia\mwrioy.exe
uRun: [YVIBBBHA8C] c:\docume~1\sonia\locals~1\temp\Nwo.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\inicia~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asusch~1.lnk - c:\program files\asus\asus chkmail\ChkMail.exe
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {18955D47-882E-48fc-B903-A4BDD030E7FD}
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {0AD475F1-D955-40a7-9FFF-C3BF075F04AA} - {40498DEF-8B13-44A6-A1A7-69DFE36E9210} {40498DEF-8B13-44A6-A1A7-69DFE36E9210} - {40498def-8b13-44a6-a1a7-69dfe36e9210}\inprocserver32 does not exist!
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Paradise%20Pet%20Salon/Images/stg_drm.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248778929546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: cbssreg - c:\documents and settings\all users\documents\settings\cbss.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sonia\applic~1\mozilla\firefox\profiles\jijm76ob.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://pt-PT.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pt-PT:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&q=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{d3ecaceb-7079-4530-b82c-b20ece0422c5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{d3ecaceb-7079-4530-b82c-b20ece0422c5}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-4-6 93320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2006-9-18 14336]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-8-16 38224]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

=============== Created Last 30 ================

2010-04-11 10:07:08 0 d-----w- C:\Infection2
2010-04-09 11:51:05 189952 ----a-w- c:\windows\Nposub.exe
2010-04-08 19:41:04 0 d-----w- c:\docume~1\sonia\applic~1\Control Components
2010-04-08 17:02:29 44544 ---ha-w- c:\windows\system32\drwtelog.dll
2010-04-07 23:25:34 137 ----a-w- c:\windows\system32\svchost.bat
2010-04-07 23:04:23 187392 ----a-w- c:\windows\Nposua.exe
2010-04-07 23:02:19 210944 ----a-w- c:\windows\system32\sshnas21.dll
2010-04-07 23:02:03 229376 --sh--r- c:\documents and settings\sonia\nlxis.exe
2010-04-07 22:57:58 53428 --sh--r- c:\documents and settings\sonia\mwrioy.exe
2010-04-06 14:26:11 17027430 ---ha-w- C:\Infection-Malware.rar
2010-04-06 14:08:27 0 d-sha-r- C:\autorun.inf
2010-04-06 14:07:33 0 d-sha-r- c:\documents and settings\sonia\autorun.inf
2010-04-06 11:11:17 0 d-----w- c:\windows\system32\Adobe
2010-04-06 10:50:51 0 d-----w- c:\program files\common files\McAfee
2010-04-06 10:50:24 0 d-----w- c:\program files\McAfee
2010-04-06 10:46:46 0 d-----w- c:\program files\CCleaner
2010-04-04 20:51:17 886008 ----a-w- c:\windows\system32\SNU.dll
2010-04-04 20:51:16 0 d-----w- c:\program files\2BrightSparks
2010-04-04 20:51:16 0 d-----w- c:\docume~1\alluse~1\applic~1\2BrightSparks
2010-04-04 19:05:20 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-04-04 11:58:06 0 d-----w- c:\documents and settings\sonia\DoctorWeb
2010-04-03 21:38:06 0 d-sh--w- C:\FOUND.005
2010-04-03 13:39:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-31 11:16:22 0 d-----w- c:\program files\Trend Micro
2010-03-30 18:41:42 0 d-----w- c:\program files\Utilitários Portáteis
2010-03-30 18:17:46 0 d-----w- c:\windows\pss
2010-03-18 16:24:10 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy2
2010-03-14 21:32:09 293376 ------w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-04-03 13:39:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-19 10:34:34 90112 ----a-w- c:\windows\DUMP08bb.tmp
2010-01-25 18:34:34 98304 ----a-w- c:\windows\DUMPfbfa.tmp
2010-01-19 16:40:26 796672 ----a-w- c:\windows\GPInstall.exe

============= FINISH: 11:54:00,20 ===============


----------------------------------------------------------------------------------------------------


GMER log 11-04-2010 ["mwrioy" + Control Components infections | pre-clean]

----------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-11 16:33:16
Windows 5.1.2600 Service Pack 3
Running: ddyhu9cr.exe; Driver: C:\DOCUME~1\Sonia\LOCALS~1\Temp\uxtdypog.sys


---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A640AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


**********************************************************************


DDS main log 12-04-2010 ["qtplugin" + "bnis.mxo" infection-development | pre-clean]

(Note: I'm not posting both the GMER and the DDS attach logs from this day here, since those two are pretty much identical to those of 11-04-2010 as posted above. No relevant differences between them.)

----------

DDS (Ver_10-03-17.01) - FAT32x86
Run by Sonia at 23:51:01,28 on 12-04-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2047.1513 [GMT 1:00]

AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: Firewall pessoal do ESET *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\DOCUME~1\Sonia\LOCALS~1\Temp\Nwo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Sonia\mwrioy.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Documents and Settings\Sonia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.vompi.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
mWinlogon: Shell=Explorer.exe rundll32.exe bnis.mxo yfklng
uWinlogon: Shell=c:\documents and settings\sonia\application data\control components\ccmain.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
BHO: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Programa Auxiliar de Início de Sessão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
TB: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [mwrioy] c:\documents and settings\sonia\mwrioy.exe
uRun: [YVIBBBHA8C] c:\docume~1\sonia\locals~1\temp\Nwo.exe
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [egui] "c:\program files\eset\eset smart security\egui.exe" /hide /waitservice
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\inicia~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asusch~1.lnk - c:\program files\asus\asus chkmail\ChkMail.exe
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {18955D47-882E-48fc-B903-A4BDD030E7FD}
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {0AD475F1-D955-40a7-9FFF-C3BF075F04AA} - {40498DEF-8B13-44A6-A1A7-69DFE36E9210} {40498DEF-8B13-44A6-A1A7-69DFE36E9210} - {40498def-8b13-44a6-a1a7-69dfe36e9210}\inprocserver32 does not exist!
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Paradise%20Pet%20Salon/Images/stg_drm.ocx
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248778929546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: cbssreg - c:\documents and settings\all users\documents\settings\cbss.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sonia\applic~1\mozilla\firefox\profiles\jijm76ob.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://pt-PT.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pt-PT:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&q=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{d3ecaceb-7079-4530-b82c-b20ece0422c5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{d3ecaceb-7079-4530-b82c-b20ece0422c5}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{fed66dc5-1b74-4a04-8f5c-15c5ace2b9a5}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]
R2 ekrn;Eset Service;c:\program files\eset\eset smart security\ekrn.exe [2007-12-21 468224]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-4-6 93320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2006-9-18 14336]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]

=============== Created Last 30 ================

2010-04-12 21:02:31 481280 ----a-w- c:\windows\system32\qtplugin.exe
2010-04-12 21:02:01 19968 ----a-w- c:\windows\system32\bnis.mxo
2010-04-12 16:34:46 148 ----a-w- c:\documents and settings\sonia\Video.lnk
2010-04-12 16:34:46 148 ----a-w- c:\documents and settings\sonia\Pictures.lnk
2010-04-12 16:34:46 148 ----a-w- c:\documents and settings\sonia\Passwords.lnk
2010-04-12 16:34:46 148 ----a-w- c:\documents and settings\sonia\New Folder.lnk
2010-04-12 16:34:46 148 ----a-w- c:\documents and settings\sonia\Music.lnk
2010-04-12 16:34:46 148 ----a-w- c:\documents and settings\sonia\Documents.lnk
2010-04-12 09:36:59 0 d-----w- C:\Infection
2010-04-11 10:07:08 0 d-----w- C:\Infection2
2010-04-09 11:51:05 189952 ----a-w- c:\windows\Nposub.exe
2010-04-08 19:41:04 0 d-----w- c:\docume~1\sonia\applic~1\Control Components
2010-04-08 17:02:29 44544 ---ha-w- c:\windows\system32\drwtelog.dll
2010-04-07 23:25:34 137 ----a-w- c:\windows\system32\svchost.bat
2010-04-07 23:04:23 187392 ----a-w- c:\windows\Nposua.exe
2010-04-07 23:02:19 210944 ----a-w- c:\windows\system32\sshnas21.dll
2010-04-07 23:02:03 229376 --sh--r- c:\documents and settings\sonia\nlxis.exe
2010-04-07 22:57:58 53428 --sh--r- c:\documents and settings\sonia\mwrioy.scr
2010-04-07 22:57:58 53428 --sh--r- c:\documents and settings\sonia\mwrioy.exe
2010-04-06 14:26:11 17858890 ----a-w- C:\Infection1.rar
2010-04-06 14:08:27 0 d-sha-r- C:\autorun.inf
2010-04-06 14:07:33 0 d-sh--r- c:\documents and settings\sonia\autorun.inf
2010-04-06 11:11:17 0 d-----w- c:\windows\system32\Adobe
2010-04-06 10:50:51 0 d-----w- c:\program files\common files\McAfee
2010-04-06 10:50:24 0 d-----w- c:\program files\McAfee
2010-04-06 10:46:46 0 d-----w- c:\program files\CCleaner
2010-04-04 20:51:17 886008 ----a-w- c:\windows\system32\SNU.dll
2010-04-04 20:51:16 0 d-----w- c:\program files\2BrightSparks
2010-04-04 20:51:16 0 d-----w- c:\docume~1\alluse~1\applic~1\2BrightSparks
2010-04-04 19:05:20 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-04-04 11:58:06 0 d-----w- c:\documents and settings\sonia\DoctorWeb
2010-04-03 21:38:06 0 d-sh--w- C:\FOUND.005
2010-04-03 13:39:12 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-03-31 11:16:22 0 d-----w- c:\program files\Trend Micro
2010-03-30 18:41:42 0 d-----w- c:\program files\Utilitários Portáteis
2010-03-30 18:17:46 0 d-----w- c:\windows\pss
2010-03-18 16:24:10 0 d-----w- c:\docume~1\alluse~1\applic~1\FarmFrenzy2
2010-03-14 21:32:09 293376 ------w- c:\windows\system32\browserchoice.exe

==================== Find3M ====================

2010-04-03 13:39:02 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-19 10:34:34 90112 ----a-w- c:\windows\DUMP08bb.tmp
2010-01-25 18:34:34 98304 ----a-w- c:\windows\DUMPfbfa.tmp
2010-01-19 16:40:26 796672 ----a-w- c:\windows\GPInstall.exe

============= FINISH: 23:52:09,93 ===============


**********************************************************************


DDS main log 26-04-2010 [FINAL after-clean log]

----------

DDS (Ver_10-03-17.01) - FAT32x86
Run by Sonia at 15:54:11,04 on 26-04-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2047.1453 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 100426-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\sm56hlpr.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Sonia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uWinlogon: Shell=c:\documents and settings\sonia\application data\control components\ccmain.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
BHO: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Programa Auxiliar de Início de Sessão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.4723.1820\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP0.dll
TB: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\inicia~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asusch~1.lnk - c:\program files\asus\asus chkmail\ChkMail.exe
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: {18955D47-882E-48fc-B903-A4BDD030E7FD}
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {0AD475F1-D955-40a7-9FFF-C3BF075F04AA} - {40498DEF-8B13-44A6-A1A7-69DFE36E9210} {40498DEF-8B13-44A6-A1A7-69DFE36E9210} - {40498def-8b13-44a6-a1a7-69dfe36e9210}\inprocserver32 does not exist!
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Paradise%20Pet%20Salon/Images/stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248778929546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sonia\applic~1\mozilla\firefox\profiles\jijm76ob.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://pt-PT.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pt-PT:official
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&q=
FF - prefs.js: network.proxy.type - 2
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-4-14 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-4-14 138680]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-4-6 93320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-4-14 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-4-14 352920]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-04-26 11:14:11 35714124 ----a-w- C:\Laptop_Infection.rar
2010-04-26 10:09:50 0 d-----w- C:\Verificar
2010-04-25 20:49:36 0 d-sh--w- C:\FOUND.006
2010-04-20 14:38:29 0 d-----w- c:\docume~1\sonia\applic~1\Softland
2010-04-20 14:38:14 7549 ----a-w- c:\windows\system32\dopdf7.ctm
2010-04-20 14:38:14 22856 ----a-w- c:\windows\system32\dopdfmn7.dll
2010-04-20 14:38:14 19784 ----a-w- c:\windows\system32\dopdfmi7.dll
2010-04-20 14:38:13 1700352 ----a-w- c:\windows\system32\GdiPlus.dll
2010-04-20 14:38:11 0 d-----w- c:\program files\Softland
2010-04-20 14:22:06 0 d-----w- c:\program files\Winamp Detect
2010-04-20 14:09:25 9200 ------w- c:\windows\system32\drivers\cdralw2k.sys
2010-04-20 14:09:25 9072 ------w- c:\windows\system32\drivers\cdr4_xp.sys
2010-04-20 14:09:25 129520 ------w- c:\windows\system32\pxafs.dll
2010-04-19 19:22:32 0 d-----w- c:\program files\Trend Micro HouseCall Online Virus Scan
2010-04-19 19:19:33 0 d-----w- c:\docume~1\sonia\applic~1\QuickScan
2010-04-17 23:25:15 0 d-----w- c:\program files\MyDefrag v4.2.9
2010-04-17 14:22:06 0 d--h--w- c:\windows\system32\GroupPolicy
2010-04-17 13:11:19 0 d-----w- c:\windows\system32\Adobe
2010-04-17 13:01:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-17 13:01:44 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 12:59:44 0 d-----w- c:\program files\SpywareBlaster
2010-04-14 10:27:25 14568 ----a-w- c:\windows\system32\drivers\wg5n.sys
2010-04-14 10:27:24 60496 ----a-w- c:\windows\system32\drivers\Teefer.sys
2010-04-14 10:27:24 14568 ----a-w- c:\windows\system32\drivers\wg6n.sys
2010-04-14 10:27:24 14568 ----a-w- c:\windows\system32\drivers\wg4n.sys
2010-04-14 10:27:24 14568 ----a-w- c:\windows\system32\drivers\wg3n.sys
2010-04-14 10:27:23 21075 ----a-w- c:\windows\system32\drivers\wpsdrvnt.sys
2010-04-14 10:27:21 83096 ----a-w- c:\windows\system32\SSSensor.dll
2010-04-14 10:27:10 0 d-----w- c:\program files\Sygate
2010-04-06 14:08:27 0 d-sha-r- C:\autorun.inf
2010-04-06 14:07:33 0 d-sha-r- c:\documents and settings\sonia\autorun.inf
2010-04-06 10:50:51 0 d-----w- c:\program files\common files\McAfee
2010-04-06 10:50:24 0 d-----w- c:\program files\McAfee
2010-04-06 10:46:46 0 d-----w- c:\program files\CCleaner
2010-04-04 20:51:17 886008 ----a-w- c:\windows\system32\SNU.dll
2010-04-04 20:51:16 0 d-----w- c:\program files\2BrightSparks
2010-04-04 20:51:16 0 d-----w- c:\docume~1\alluse~1\applic~1\2BrightSparks
2010-04-04 19:05:20 0 d-----w- c:\docume~1\alluse~1\applic~1\F-Secure
2010-04-04 11:58:06 0 d-----w- c:\documents and settings\sonia\DoctorWeb
2010-04-03 21:38:06 0 d-sh--w- C:\FOUND.005
2010-03-31 11:16:22 0 d-----w- c:\program files\Trend Micro
2010-03-30 18:41:42 0 d-----w- c:\program files\Portable Utilities
2010-03-30 18:17:46 0 d-----w- c:\windows\pss

==================== Find3M ====================

2010-04-19 22:50:34 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-04-19 22:50:34 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-03-29 23:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 23:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll
2010-02-25 10:54:36 11070976 ------w- c:\windows\system32\dllcache\ieframe.dll
2010-02-24 13:11:08 455680 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2010-02-24 09:54:26 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-02-19 10:34:34 90112 ----a-w- c:\windows\DUMP08bb.tmp
2010-02-17 08:10:28 2189952 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-16 14:08:50 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 14:08:50 2146304 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-12 09:03:04 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33:12 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-12 04:33:12 100864 ------w- c:\windows\system32\dllcache\6to4svc.dll
2010-02-11 12:02:16 226880 ------w- c:\windows\system32\dllcache\tcpip6.sys

============= FINISH: 15:55:30,98 ===============


----------------------------------------------------------------------------------------------------


GMER log 26-04-2010 [FINAL after-clean log]

----------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-26 16:13:33
Windows 5.1.2600 Service Pack 3
Running: 54gg75yq.exe; Driver: C:\DOCUME~1\Sonia\LOCALS~1\Temp\uxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBAABAB30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB772A6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB772A574]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwCreateThread [0xBAABA6F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB772AA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB772A14C]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBAABA470]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB772A64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB772A08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB772A0F0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBAABAC50]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB772A76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB772A72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB772A8AE]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBAABA990]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBAABA8D0]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBAABAD60]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA23C360, 0x213A6D, 0xE8000020]
.text tcpip.sys!IPTransmit + 10FC B78ECD3A 6 Bytes CALL BA63EE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPTransmit + 2A52 B78EE690 6 Bytes CALL BA63EE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text tcpip.sys!IPRegisterProtocol + 930 B7904454 6 Bytes CALL BA63EE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys BAAAD3FD 4 Bytes CALL BA63EFA0 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys BAAAD402 2 Bytes [90, 90] {NOP ; NOP }

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A60EAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


**********************************************************************

Edited by DeLuk, 02 June 2010 - 09:54 AM.
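As an added example (not GMER's own code nor anything posted in this thread), the following Python script reads the GMER log format quoted above and separates the kernel hooks owned by the security products the DDS log lists as installed (avast! and Sygate) from the findings GMER could not attribute to a loaded driver, namely the unowned device object on \Driver\atapi and the reported modification of atapi.sys. The embedded sample is a constructed subset of the log above, and the vendor allowlist is an analyst assumption, not something GMER provides.

```python
import re
from collections import Counter

# Constructed sample: a subset of the GMER 1.0.15 output quoted in the post above.
SAMPLE_GMER_LOG = r"""---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBAABAB30]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB772A6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB772A08C]
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwTerminateProcess [0xBAABA8D0]

---- Kernel code sections - GMER 1.0.15 ----

.text tcpip.sys!IPTransmit + 10FC B78ECD3A 6 Bytes CALL BA63EE50 Teefer.sys (Teefer Driver/Sygate Technologies, Inc.)
.text wanarp.sys BAAAD402 2 Bytes [90, 90] {NOP ; NOP }

---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device -> \Driver\atapi \Device\Harddisk0\DR0 8A60EAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Analyst assumption: vendors whose kernel hooks are expected on this machine, taken
# from the security products the DDS log lists as installed (avast! antivirus, Sygate).
EXPECTED_VENDORS = {"ALWIL Software", "Sygate Technologies, Inc."}

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
DEVICE_RE = re.compile(r"^(?:AttachedDevice|Device)\s+(?P<arrow>->\s+)?(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<rest>.*)$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+suspicious modification\s*$")
OWNER_RE = re.compile(r"\([^)]*\)\s*$")  # trailing "(name/vendor)" attribution


def vendor_of(desc):
    """'wpsdrvnt/Sygate Technologies, Inc.' -> 'Sygate Technologies, Inc.'"""
    return desc.rsplit("/", 1)[-1].strip()


def triage_gmer_log(text, expected_vendors=EXPECTED_VENDORS):
    """Split a GMER log into what an analyst should look at first.

    Hooks and filters owned by an expected vendor are only counted; anything GMER
    could not attribute to a loaded driver, or a modified file on disk, is flagged."""
    report = {
        "ssdt_hooks_by_vendor": Counter(),
        "unexpected_ssdt": [],       # SSDT hooks owned by a vendor not on the allowlist
        "unattributed_patches": [],  # kernel code patches with no owning module
        "unowned_devices": [],       # device objects whose handler is only an address
        "modified_files": [],        # files GMER reports as modified on disk
    }
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group("name")
        elif section == "System" and (m := SSDT_RE.match(line)):
            vendor = vendor_of(m.group("desc"))
            report["ssdt_hooks_by_vendor"][vendor] += 1
            if vendor not in expected_vendors:
                report["unexpected_ssdt"].append((m.group("func"), m.group("module"), vendor))
        elif section == "Kernel code sections" and line.startswith(".text"):
            # An attributable patch ends in "(name/vendor)"; the inline NOP patch on
            # wanarp.sys carries no owner and so needs a human look.
            if not OWNER_RE.search(line):
                report["unattributed_patches"].append(line)
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            rest = m.group("rest").strip()
            # "Device -> ... 8A60EAC8": the handler resolves to a bare kernel address
            # rather than a driver image, which is how GMER shows a redirected driver
            # object; in this log it sits on the disk stack (\Driver\atapi).
            if m.group("arrow") and re.fullmatch(r"[0-9A-Fa-f]{8}", rest):
                report["unowned_devices"].append((m.group("driver"), m.group("device"), rest))
        elif section == "Files" and (m := FILE_RE.match(line)):
            report["modified_files"].append(m.group("path"))
    report["ssdt_hooks_by_vendor"] = dict(report["ssdt_hooks_by_vendor"])
    return report


def needs_escalation(report):
    """An unexpected SSDT hook, or a redirected device object paired with a modified
    driver on disk (the combination present in this log), warrants escalation."""
    return bool(report["unexpected_ssdt"]) or (
        bool(report["unowned_devices"]) and bool(report["modified_files"]))
```

Running `triage_gmer_log(SAMPLE_GMER_LOG)` leaves the avast! and Sygate hooks as counts only and surfaces the wanarp.sys NOP patch, the \Driver\atapi device object and the atapi.sys modification, so `needs_escalation` returns True for this log.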


#3 Blade (Site Admin, 12,704 posts, Location: US)

Posted 05 June 2010 - 05:24 PM

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand.

***************************************************

Please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

~Blade


In your next reply, please include the following:
DDS.txt
Attach.txt

If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM


#4 DeLuk (Topic Starter, Members, 228 posts, Location: Portugal)

Posted 07 June 2010 - 11:19 AM

Hi Blade, and thank you for your prompt reply and assistance.

My brother could just bring the laptop in a flash, so I could get the updated logs quicker than I'd hoped, luckily.

I didn't have longer than a handful of minutes, though, as he urged to take the laptop back at once, so I couldn't verify things in much detail, yet here's a summarized check:

Updated Malwarebytes Anti-Malware and ran a quick scan; it found nothing. Also checked MBAM quarantine and reports, to confirm whether the laptop owner might eventually have run any further scan and quarantined any further item in the meantime, but no, MBAM had not been run since that last time I had had the laptop in my hands back on 26-04-2010.

Checking WinPatrol's log history, there seemed to be no trace of malware entries since that day either.

Checking the Avast network shield log, it seems that in the meantime there has been at least one more Firefox redirect, on 29-04-2010, again to xorg.pl:

wxw4.fiting58td.xorg.pl/?p=p52dcWpnaV%2FRlsijZFaZp29plGOIpKTSapqVxGVoaZmXxJuf

Checking the Avast resident shield log, there have also been new warnings about C:\WINDOWS\system32\drivers\ohci1394.sys being detected as Win32:Alureon-FZ, also on 29-04-2010. There is a sequence of 5 warnings on this file; the first two report that the file was successfully deleted, the next two that the file was successfully quarantined, and the last one that the file was successfully repaired. (I gather that the laptop owner by then tried to take different actions on the file, as it was repeatedly being flagged by Avast. All 5 warnings happened within less than an hour, between 18:45 and 19:23.)

Checking also the Avast on-demand scan log, there's a report of a full scan, on this same day, 29-04-2010, at 19:24, which found nothing, and then there's a follow-up partial scan (1.5 GB / 2 min) run at 1:48 the next day, 30-04-2010, which reports that the file C:\WINDOWS\system32\drivers\ohci1394.sys, detected as Win32:Alureon-FZ, was again by then successfully quarantined.

After this day, the Avast logs show no more warnings on the file C:\WINDOWS\system32\drivers\ohci1394.sys.

Also, re-checking the MD5 checksum of this file, it still matches that of the copy of ohci1394.sys found in both C:\WINDOWS\system32\dllcache\ and C:\WINDOWS\ServicePackFiles\i386\. Last date/time of modification of C:\WINDOWS\system32\drivers\ohci1394.sys now is 29-04-2010 at 19:23.

Then again, now regarding the file C:\WINDOWS\system32\drivers\atapi.sys, MD5 checksum and date/time of modification remain unaltered since last time checked, as mentioned in the previous post. Also re-checked, and indeed no copy of atapi.sys exists in C:\WINDOWS\system32\dllcache\; no idea if that's normal?... (Regrettably, I just had no time to run GMER again now, just to confirm whether it would still flag the file C:\WINDOWS\system32\drivers\atapi.sys...)

Lastly, checking the Sygate traffic log, curiously I now spotted none of the connections mentioned before: C:\WINDOWS\system32\svchost.exe connecting to mfdclk001.org [213.163.89.104] + 873hgf7xx60.com [112.121.181.26] + 34jh7alm94.asia [112.121.181.26], nor Avast Web Scanner connecting to zxclk9abnz72.com [78.47.248.116] + 91jjak4555j.com [213.163.89.105] + lk01ha71gg1.cc [213.163.89.106] + a74232357.cn [213.163.89.107], and neither Avast Web Scanner nor SiteAdvisor nor even C:\Program Files\Google\Update\GoogleUpdate.exe nor any application at all connecting or attempting to connect to empresa.majest1c.com [64.74.223.35]. Not a single one of any of those. But then, the log covered less than a day's interval, and just a couple of sessions at both Facebook and Hi5, so I don't know how much one can actually conclude that these specific "symptoms" are now really gone, or whether they were just missed "by a whisker" in that portion of traffic logging?...

Next are updated DDS logs for your review, as requested, and so I stand by for your further instructions. I do though, again, appeal to your understanding and patience, as my quickness in getting back to you will depend on a chance for my brother to bring the laptop back here again, as mentioned before. I shall let you know beforehand, however, if the time frame extends for too long, ok? Thank you.

And thank you greatly, and mostly, for your time and willingness.

P.S. Thought I'd as well include here for reference (also for any other users browsing this topic for helpful hints in similar cases) the link to BleepingComputer's Uninstall Guide for the "Control Components" infection. (Having now had the chance to search further, I see that Grinler had posted an uninstall guide for this specific infection not long before this laptop too had gotten hit by it...)


----------------------------------------------------------------------------------------------------


DDS main log

----------

DDS (Ver_10-03-17.01) - FAT32x86
Run by Sonia at 16:54:21,48 on 06-06-2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2047.1443 [GMT 1:00]

AV: avast! antivirus 4.8.1368 [VPS 100606-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\eHome\ehSched.exe
c:\PROGRA~1\mcafee\SITEAD~1\mcsacore.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Sonia\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
uURLSearchHooks: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
uWinlogon: Shell=c:\documents and settings\sonia\application data\control components\ccmain.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
BHO: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: Programa Auxiliar de Início de Sessão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.5.5126.1836\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: compliance 54328 Toolbar: {4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac} - c:\program files\myplaycity\tbMyP1.dll
TB: Congoo Netpass: {40498def-8b13-44a6-a1a7-69dfe36e9210} - c:\program files\congoo netpass\congootb.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [HControl] c:\windows\atk0100\HControl.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [RemoteControl] "c:\program files\asustek\asusdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Wireless Console 2] c:\program files\wireless console 2\wcourier.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [EOUApp] "c:\program files\intel\wireless\bin\EOUWiz.exe"
mRun: [Power_Gear] c:\program files\asus\power4 gear\BatteryLife.exe 1
mRun: [ASUS Live Update] c:\program files\asus\asus live update\ALU.exe
mRun: [ABLKSR] c:\windows\ablksr\ABLKSR.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [LXCFCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\LXCFtime.dll,_RunDLLEntry@16
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\sonia\startm~1\programs\startup\inicia~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\asusch~1.lnk - c:\program files\asus\asus chkmail\ChkMail.exe
IE: E&xportar para o Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {18955D47-882E-48fc-B903-A4BDD030E7FD}
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {0AD475F1-D955-40a7-9FFF-C3BF075F04AA} - {40498DEF-8B13-44A6-A1A7-69DFE36E9210} {40498DEF-8B13-44A6-A1A7-69DFE36E9210} - {40498def-8b13-44a6-a1a7-69dfe36e9210}\inprocserver32 does not exist!
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Paradise%20Pet%20Salon/Images/stg_drm.ocx
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1248778929546
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Handler: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\sonia\applic~1\mozilla\firefox\profiles\jijm76ob.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://pt-PT.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pt-PT:official
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\sonia\application data\mozilla\firefox\profiles\jijm76ob.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2010-4-14 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-8-5 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-8-5 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-14 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2010-4-14 138680]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\sitead~1\mcsacore.exe [2010-4-6 93320]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2010-4-14 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2010-4-14 352920]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-17 135664]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-8-5 12872]
S4 0155631274870288mcinstcleanup;McAfee Application Installer Cleanup (0155631274870288);c:\windows\temp\015563~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\015563~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S4 vsdatant;vsdatant; [x]

=============== Created Last 30 ================

2010-06-06 14:55:12 0 d-----w- C:\Verificar
2010-06-03 16:43:24 0 d-----w- c:\program files\Zynga
2010-05-24 09:56:15 0 d-----w- c:\program files\common files\xing shared
2010-05-24 09:55:34 0 d-----w- c:\program files\common files\Real
2010-05-12 20:55:59 2414360 ----a-w- c:\windows\system32\d3dx9_31.dll
2010-05-12 20:55:59 236824 ----a-w- c:\windows\system32\xactengine2_3.dll
2010-05-12 20:55:55 62744 ----a-w- c:\windows\system32\xinput1_2.dll
2010-05-12 20:50:16 0 d--h--w- c:\windows\msdownld.tmp
2010-05-12 20:50:13 0 d-----w- c:\windows\Logs
2010-05-12 20:50:11 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-12 20:50:11 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-12 20:50:11 0 d-----w- c:\program files\OpenAL
2010-05-12 20:50:03 0 d--h--w- c:\program files\FX Uninstall Information
2010-05-12 20:49:57 0 d-----w- c:\program files\Navy Moves

==================== Find3M ====================

2010-04-29 18:23:38 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-04-29 18:23:38 61696 ----a-w- c:\windows\system32\dllcache\ohci1394.sys
2010-04-29 14:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-17 13:01:36 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-01 14:02:06 22856 ----a-w- c:\windows\system32\dopdfmn7.dll
2010-04-01 14:02:04 19784 ----a-w- c:\windows\system32\dopdfmi7.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\dllcache\vbscript.dll

============= FINISH: 16:55:39,71 ===============


----------------------------------------------------------------------------------------------------



Edited by DeLuk, 07 June 2010 - 11:25 AM.


#5 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:18 PM

Posted 08 June 2010 - 05:13 PM

Hello DeLuk.

A couple of things I need to mention before we start going at this.

QUOTE
My brother could just bring the laptop in a flash, so I could get the updated logs quicker than I'd hoped, luckily.

I though didn't have longer than a handful of minutes as he urged in taking the laptop back at once


Not having the laptop in your possession is going to make this somewhat more difficult, as removing infections of this type tends to require multiple steps. If your brother is unwilling to leave the laptop with you during the cleaning process, I must ask that he also abide by the guidelines set forth in my previous post, and also refrain from making any system changes (this includes things such as installing/uninstalling programs, altering the registry, modifying any Windows or web browser settings) until the machine is declared clean. Not doing so carries the possibility of us missing something, and him becoming reinfected. This would be wasting my, your, and his time.

That being said. . . let's see if we can root out this little bugger. smile.gif

***************************************************

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.


Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.
  • Double click on renamed.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

Edited by Blade Zephon, 08 June 2010 - 05:17 PM.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#6 DeLuk

  • Topic Starter


Posted 11 June 2010 - 06:21 AM

Hi Blade, and thank you for the new reply. smile.gif

QUOTE
Not having the laptop in your possession is going to make this somewhat more difficult, as removing infections of this type tends to require multiple steps. If your brother is unwilling to leave the laptop with you during the cleaning process, I must ask that he also abide by the guidelines set forth in my previous post, and also refrain from making any system changes (this includes things such as installing/uninstalling programs, altering the registry, modifying any Windows or web browser settings) until the machine is declared clean. Not doing so carries the possibility of us missing something, and him becoming reinfected. This would be wasting my, your, and his time.


Yes, I'm certainly aware that this is a multiple-step job (not the first time that my brother "brings me" to "bother" you guys for help rolleyes.gif) and I certainly agree that it won't make it any easier, much the opposite, to be doing it in this "bring and take the laptop" scheme. It's not a matter of being unwilling to leave the laptop here, though; it's indeed that the owner needs it pretty regularly, so it isn't always possible for them to leave it, let alone for longer than a couple of days at most... I'm truly sorry, anyhow, for the bother this can be to you too. sad.gif Then again, yes, I'm well aware too that, once the cleanup job is started, one must refrain from making system changes, and I have of course made both my brother and the laptop owner well aware of this demand too. I had already warned them about it the moment I received your first reply in this topic, but have now reinforced the idea anyway.

I shall then return with the requested ComboFix log asap. And thank you, one time again, for your understanding and help. smile.gif

P.S. Oh, and if by chance you're a soccer fan too, then have a nice World Cup, and good luck to the USA too! (Sorry, just couldn't help myself with today's off-topic excitement... tongue.gif)


#7 Blade


Posted 12 June 2010 - 05:07 PM

Okay. . . will keep an eye out for it.




#8 DeLuk

  • Topic Starter


Posted 17 June 2010 - 03:47 PM

Hi Blade, and sorry again for the delay; only now have I had the chance to get you the ComboFix log, as requested.

As before, previous to running ComboFix, I ran a quick scan with Malwarebytes Anti-Malware, just to check. It reported nothing found. Also, checking Avast + WinPatrol + Sygate logs, there seemed to be no traces of anything suspicious, except for those connects/connect attempts to empresa.majest1c.com [64.74.223.35] which were logged back again (connect attempts by GoogleUpdate.exe always blocked, connects by Avast Web Scanner ashWebSv.exe + SiteAdvisor McSACore.exe always allowed).

Next, I ran ComboFix. The Recovery Console was installed successfully and the malware scan was completed with no glitches. I then rebooted. (I don't suppose an automatic reboot should have happened, or?...)

Checked to confirm, and both the Windows Security Center and the Windows Firewall were now restored/reset. thumbup2.gif (I had assumed that ComboFix would do that, correct?)

Also, one last note, just to say that I did change the default browser back to Firefox. (I know that was reset to IE by ComboFix, but I don't suppose this was a "disallowed" change to make?...)

ComboFix log follows below. And thank you once more, for your time and help. smile.gif

P.S. Sorry for the post being this "large"; that's due to the line with the endless question marks in the ComboFix log. No idea if there's a way to "fix" that, to make the post display in a way more practical for reading?... unsure.gif (As it is now, it is indeed rather hard to read properly...)



----------------------------------------------------------------------------------------------------


ComboFix log


ComboFix 10-06-15.03 - Sonia 16-06-2010 15:45:23.1.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2047.1539 [GMT 1:00]
Executando de: c:\documents and settings\Sonia\Desktop\renamed.exe
AV: avast! antivirus 4.8.1368 [VPS 100616-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Criado um novo ponto de restauração
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings

.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-05-16 to 2010-06-16 ))))))))))))))))))))))))))))
.

2010-06-12 18:51 . 2010-06-12 18:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-11 15:38 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 17:13 . 2010-06-08 17:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Zynga
2010-06-03 16:43 . 2010-06-03 16:43 -------- d-----w- c:\documents and settings\Sonia\Local Settings\Application Data\Zynga
2010-06-03 16:43 . 2010-06-03 16:43 -------- d-----w- c:\program files\Zynga
2010-06-01 17:13 . 2010-06-01 17:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-06-01 17:00 . 2010-06-01 17:00 503808 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-199cda29-n\msvcp71.dll
2010-06-01 17:00 . 2010-06-01 17:00 499712 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-199cda29-n\jmc.dll
2010-06-01 17:00 . 2010-06-01 17:00 348160 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-199cda29-n\msvcr71.dll
2010-06-01 17:00 . 2010-06-01 17:00 61440 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3a2fc034-n\decora-sse.dll
2010-06-01 17:00 . 2010-06-01 17:00 12800 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3a2fc034-n\decora-d3d.dll
2010-05-27 23:54 . 2010-05-27 23:54 -------- d-----w- c:\documents and settings\Sonia\Application Data\Apple Computer
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\program files\QuickTime
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\documents and settings\Sonia\Local Settings\Application Data\Apple
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\program files\Apple Software Update
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-27 23:25 . 2010-05-27 23:25 -------- d-----w- c:\documents and settings\Sonia\Local Settings\Application Data\Apple Computer
2010-05-24 09:55 . 2010-05-24 09:55 -------- d-----w- c:\program files\Real
2010-05-24 09:55 . 2010-05-24 09:55 -------- d-----w- c:\program files\Common Files\Real
2010-05-19 20:54 . 2010-03-29 08:59 52224 ----a-w- c:\documents and settings\Sonia\Application Data\Mozilla\Firefox\Profiles\jijm76ob.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-05-19 20:54 . 2010-03-29 08:59 101376 ----a-w- c:\documents and settings\Sonia\Application Data\Mozilla\Firefox\Profiles\jijm76ob.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 09:56 . 2010-05-24 09:56 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-24 09:56 . 2010-05-24 09:56 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-24 09:56 . 2010-05-24 09:56 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-24 09:56 . 2010-05-24 09:56 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-24 09:56 . 2010-05-24 09:56 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-24 09:56 . 2010-05-24 09:56 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-24 09:56 . 2010-05-24 09:56 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-24 09:56 . 2010-05-24 09:56 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-24 09:56 . 2010-05-24 09:56 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-24 09:56 . 2010-05-24 09:56 -------- d-----w- c:\program files\Common Files\xing shared
2010-05-12 20:50 . 2010-05-12 20:50 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-12 20:50 . 2010-05-12 20:50 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-12 20:50 . 2010-05-12 20:50 -------- d-----w- c:\program files\OpenAL
2010-05-12 20:50 . 2010-05-12 20:50 -------- d--h--w- c:\program files\FX Uninstall Information
2010-05-12 20:49 . 2010-05-12 20:49 -------- d-----w- c:\program files\Navy Moves
2010-05-11 17:25 . 2010-05-11 17:25 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Softland
2010-05-06 10:41 . 2006-09-18 13:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 18:04 . 2010-05-02 18:04 -------- d-----w- c:\documents and settings\Sonia\Application Data\Merscom
2010-05-02 18:04 . 2010-05-02 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2010-05-02 05:22 . 2006-09-18 13:45 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 18:23 . 2004-08-03 22:10 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-04-29 14:39 . 2009-08-16 15:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-08-16 15:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 10:43 . 2009-08-16 14:58 117760 ----a-w- c:\documents and settings\Sonia\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-03-30 19:06 . 2010-03-30 19:06 52224 ----a-w- c:\documents and settings\Sonia\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2010-05-26 2515552]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40498DEF-8B13-44A6-A1A7-69DFE36E9210}]
2007-03-05 20:39 915160 ------w- c:\program files\Congoo Netpass\congootb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2010-05-26 21:37 2515552 ----a-w- c:\program files\MyPlayCity\tbMyP1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 11:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2010-05-26 2515552]
"{40498DEF-8B13-44A6-A1A7-69DFE36E9210}"= "c:\program files\Congoo Netpass\congootb.dll" [2007-03-05 915160]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CLASSES_ROOT\clsid\{40498def-8b13-44a6-a1a7-69dfe36e9210}]
[HKEY_CLASSES_ROOT\congootb.Band.1]
[HKEY_CLASSES_ROOT\TypeLib\{7AB2CD40-C33A-4C5A-B701-A68541DFF7DF}]
[HKEY_CLASSES_ROOT\congootb.Band]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2010-05-26 2515552]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-02-22 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-21 7335936]
"nwiz"="nwiz.exe" [2005-11-21 1519616]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 14850560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 761945]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 569413]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 86016]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-02 61440]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 544768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-24 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"LXCFCATS"="c:\windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Sonia\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Inicia‡Æo R pida do Microsoft Office OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - c:\program files\ASUS\Asus ChkMail\ChkMail.exe [2006-11-14 32768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-30 18:58 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager\appcertdlls]
regwdupd REG_SZ c:\windows\system32\drwtelog.dll

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [14-04-2010 11:20 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05-08-2009 16:06 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05-08-2009 16:06 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14-04-2010 11:20 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [06-04-2010 11:50 93320]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17-02-2010 20:29 135664]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05-08-2009 16:06 12872]
S4 0155631274870288mcinstcleanup;McAfee Application Installer Cleanup (0155631274870288);c:\windows\TEMP\015563~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\015563~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 19:29]

2010-06-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 19:29]

2010-06-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2594835689-3197258351-2018326800-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-06-16 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2594835689-3197258351-2018326800-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {{18955D47-882E-48fc-B903-A4BDD030E7FD}
IE: {{0AD475F1-D955-40a7-9FFF-C3BF075F04AA} - {40498DEF-8B13-44A6-A1A7-69DFE36E9210} {40498DEF-8B13-44A6-A1A7-69DFE36E9210} - {40498def-8b13-44a6-a1a7-69dfe36e9210}\inprocserver32 does not exist!
FF - ProfilePath - c:\documents and settings\Sonia\Application Data\Mozilla\Firefox\Profiles\jijm76ob.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.startup.homepage - hxxp://pt-PT.start3.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:pt-PT:official
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Sonia\Application Data\Mozilla\Firefox\Profiles\jijm76ob.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\Sonia\Application Data\Mozilla\Firefox\Profiles\jijm76ob.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-16 15:48
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\system32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1588)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Tempo para conclusão: 2010-06-16 15:50:41
ComboFix-quarantined-files.txt 2010-06-16 14:50

Pré-execução: 21.944.926.208 bytes free
Pós execução: 21.956.788.224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - DCBF79833FC8BC739E994089D42C803D


----------------------------------------------------------------------------------------------------

Edited by DeLuk, 17 June 2010 - 04:03 PM.


#9 Blade


    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:07:18 PM

Posted 18 June 2010 - 02:55 AM

Hello.

QUOTE
As before, previous to running ComboFix, I ran a quick scan with Malwarebytes Anti-Malware, just to check. It reported nothing found. Also, checking Avast + WinPatrol + Sygate logs, there seemed to be no traces of anything suspicious, except for those connects/connect attempts to empresa.majest1c.com [64.74.223.35] which were logged back again (connect attempts by GoogleUpdate.exe always blocked, connects by Avast Web Scanner ashWebSv.exe + SiteAdvisor McSACore.exe always allowed).

Please stop doing this. I realize that you are well intentioned and trying to be helpful, which I appreciate. However, any of these "harmless checks" could create an effect that, in a best case scenario, may cause one of my scan results to fail to detect something. In a worst case scenario. . . let's just say it would be bad.

I'm not getting onto or yelling at you. . . just reminding you of an earlier request.

QUOTE(Blade Zephon @ Jun 5 2010, 06:24 PM)
I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.


This does not mean "Run them and tell me you did so."

***************************************************

Please use Add/Remove Programs to remove any references to the following software from the computer (if found there).

Zynga
MyPlayCity
Congoo (or Congoo Netpass)


While these programs are not necessarily responsible for your issues, we need to remove them for the time being to eliminate the possibility.

After these programs have been removed, please re-run ComboFix and post the log for my review. Additionally, please list for me briefly exactly what the remaining issues are.

~Blade

In your next reply, please include the following:
ComboFix Log
List of remaining issues.

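Blade's removal step can be checked against the logs rather than by eye: the 16 June ComboFix log lists the three toolbars as Browser Helper Object and Internet Explorer toolbar load points, and a follow-up log should no longer. As an added example (not part of the thread, and not a ComboFix or BleepingComputer tool), this Python parses the [key] / "name"="path" load-point lines of the ComboFix log format and reports which vendors' load points disappeared between two logs; the embedded BEFORE and AFTER samples are constructed excerpts copied from this thread's two logs.

```python
import re
from dataclasses import dataclass

# Constructed samples, copied from the two ComboFix logs in this thread and trimmed to the
# relevant load-point lines: BEFORE is from the 16 June log, AFTER from the 27 June log
# posted after the three toolbars had been uninstalled.
BEFORE = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40498DEF-8B13-44A6-A1A7-69DFE36E9210}]
2007-03-05 20:39 915160 ------w- c:\program files\Congoo Netpass\congootb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]
2010-05-26 21:37 2515552 ----a-w- c:\program files\MyPlayCity\tbMyP1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 11:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2010-05-26 2515552]
"{40498DEF-8B13-44A6-A1A7-69DFE36E9210}"= "c:\program files\Congoo Netpass\congootb.dll" [2007-03-05 915160]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{4724c5d8-dfa7-417a-a2f5-1eabfee9b4ac}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{4724C5D8-DFA7-417A-A2F5-1EABFEE9B4AC}"= "c:\program files\MyPlayCity\tbMyP1.dll" [2010-05-26 2515552]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-28 39408]
"""

AFTER = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-28 39408]
"""


@dataclass(frozen=True)
class LoadPoint:
    key: str   # registry key the entry lives under (lower-cased, CLSID stripped off BHO keys)
    name: str  # value name or CLSID (upper-cased; ComboFix mixes the case between keys)
    path: str  # module that gets loaded (lower-cased)


HEADER_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "{clsid}"= "path" [date size]   and   "name"="path" [date size]
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"')
# 2007-03-05 20:39 915160 ------w- c:\...\x.dll  (module line under a BHO key)
FILE_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>\S.*)$')
CLSID_RE = re.compile(r'\{[0-9a-f-]{36}\}$', re.I)


def parse_load_points(log):
    """Return the set of LoadPoint entries in a ComboFix registry load-point section."""
    # Bare [HKEY_CLASSES_ROOT\clsid\{...}] headers with no module line underneath are
    # ignored: the log prints them as cross-references, not as separate load points.
    points = set()
    key = clsid = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            key, clsid = m.group('key'), None
            tail = CLSID_RE.search(key)
            if tail:  # BHO-style header: the CLSID is part of the key name itself
                clsid = tail.group(0).upper()
                key = key[:tail.start()].rstrip('\\')
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        if m:
            points.add(LoadPoint(key.lower(), m.group('name').upper(), m.group('path').lower()))
            continue
        m = FILE_RE.match(line)
        if m and clsid is not None:
            points.add(LoadPoint(key.lower(), clsid, m.group('path').lower()))
    return points


def vendor_of(path):
    # Vendor directory under Program Files, e.g. c:\program files\zynga\tbzyng.dll -> 'zynga';
    # for anything else fall back to the module file name.
    parts = path.split('\\')
    if len(parts) >= 4 and parts[1] == 'program files':
        return parts[2]
    return parts[-1]


def removed_by_vendor(before, after):
    """Map each vendor to the module paths whose load points vanished between the two logs."""
    gone = {}
    for lp in parse_load_points(before) - parse_load_points(after):
        gone.setdefault(vendor_of(lp.path), set()).add(lp.path)
    return gone


def lingering(after, vendors):
    """Load points in the follow-up log that still reference one of the removed vendors."""
    return {lp for lp in parse_load_points(after) if vendor_of(lp.path) in vendors}
```

Calling removed_by_vendor(BEFORE, AFTER) on the embedded excerpts yields the three vendors Blade asked to have uninstalled, and lingering(AFTER, ...) is empty; a module that reappears under a different key (a lingering BHO after a toolbar uninstall, as the user later reports seeing in IE's add-on list) would show up there.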


#10 DeLuk

  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:12:18 AM

Posted 28 June 2010 - 10:11 AM

Hello Blade, once more my apologies for the time taken in getting back to you, and thank you for your understanding and patience.

QUOTE(Blade Zephon @ Jun 18 2010, 08:55 AM)
...
Please stop doing this. I realize that you are well intentioned and trying to be helpful, which I appreciate. However, any of these "harmless checks" could create an effect that, in a best case scenario, may cause one of my scan results to fail to detect something. In a worst case scenario. . . let's just say it would be bad.

I'm not getting onto or yelling at you. . . just reminding you of an earlier request.

QUOTE(Blade Zephon @ Jun 5 2010, 06:24 PM)
I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.


This does not mean "Run them and tell me you did so."


As well, I appreciate your words of double awareness, which, absolutely, I did not take in any reprehensible way, no worries there. I do, however, take from these that there may be some kind of misunderstanding perhaps, either mine or yours?... Perhaps I failed to express myself in the clearest manner and caused you to misunderstand me? (Apologies at once if so.) Or perhaps I failed to understand you?

Allow me to try to clear it up better, hopefully, then? (It's not me trying to be helpful, much less trying to be helpful beyond your instructions, not at all that.) As I had mentioned before, the reason why I ran a previous quick scan with Malwarebytes Anti-Malware was just to check. Not with the intent of fixing or removing anything in the event of something being found, but with the sole purpose of checking to confirm whether there might eventually be any new threats on board. And the only reason I did this was the fact that the laptop had been away/"out of my control" for several days. Thus, as I say, just to be aware of whether any new threats might have come on board in the meantime that I didn't have the laptop with me (and I repeat, not for fixing or removing anything if anything was found), for this reason alone I ran a previous quick scan with MBAM. At the same time, also because I couldn't be certain whether any new malware would actually be on board, I couldn't be certain whether running ComboFix would then still be the appropriate next step to take or otherwise (as I'm aware that ComboFix is a very specific/sensible tool to run), so I wanted to make double sure. Should new malware have been detected, I would anyway have checked with you prior to going ahead and running ComboFix; that was the intention after all.

On the other hand, the MBAM scan having been a check-scan only, and not a fix-scan, I would have assumed that it would not cause changes to the system and not interfere with anything else?... Or would I be wrong in that assumption?... (When you warned "please refrain from running tools other than those I suggest to you", I took it from the start that you were referring to fix-tools, not check-only scans; perhaps I failed to understand your point there?) I would much appreciate it if you would then please enlighten me on the matter, also so that I'm double aware on any next occasion. I do appreciate all the learning "on the go" every time. And thank you already for your patience with my humble ignorance.

Then again, still a parenthesis, just to add and clarify that the Avast + WinPatrol + Sygate logs which I also referred to and mentioned having checked are simply the Avast resident shield and network shield logs, the WinPatrol history log, and the Sygate traffic log, which are automatically produced by the normal running of each of the programs, as certainly you may know. I mean, they don't result from any on-demand scan or anything of the sort, and all I do to "check" these logs is view the respective text files saved in the respective program folders. I would assume there isn't anything wrong/any negative effect in doing this either, or?...

----------

On to your latest instructions: I have removed Zynga Toolbar + MyPlayCity Toolbar + Congoo Netpass from Add/Remove Programs. Two notes about this, though:

1) Don't know if it's relevant to mention, yet, when removing Zynga Toolbar and MyPlayCity Toolbar from Add/Remove Programs, a RUNDLL error message popped up both times, reading respectively:

Error loading C:\Programas\Zynga\tbZyn0.dll. Impossible to load the specified module.

Error loading C:\Programas\MyPlayCity\tbMyP0.dll. Impossible to load the specified module.

The removal of both programs completed apparently successfully, though...

2) Checking in IE's add-ons list, I noticed that Congoo Netpass was still showing there, under "Unavailable", yet saying "Enabled". I changed that to "Disabled". (No idea why it is still listed there, though, after having been removed?) Then again, checking Firefox add-ons too, listed there were also Zynga Toolbar and MyPlayCity Toolbar. I removed those as well.

Also, concerning the browsers, I noticed that there's now Ask.com among the search engines, plus the Firefox homepage has changed to hxxp://www.plusnetwork.com (no idea if by the user or otherwise, my brother couldn't tell me).

----------

Of all issues initially pointed out, I believe the one remaining at this point (assuming that to be an issue?) is still those connects/connect attempts to empresa.majest1c.com [64.74.223.35], by Google Installer C:\Program Files\Google\Update\GoogleUpdate.exe + Avast Web Scanner C:\Program Files\Alwil Software\Avast4\ashWebSv.exe + SiteAdvisor C:\Program Files\McAfee\SiteAdvisor\McSACore.exe. (Notice that now a connection has also been made by Java application C:\Program Files\Java\jre6\bin\javaw.exe.)

On an added note, also regarding internet traffic, there's now again been logged a connection to 10search.com [8.5.1.41] (this one also by Java application C:\Program Files\Java\jre6\bin\javaw.exe) + to ocsp.godaddy.com [188.121.36.239] + triggers.wp.bandoo.com [207.232.22.109] (both these by Avast Web Scanner C:\Program Files\Alwil Software\Avast4\ashWebSv.exe). I remain suspicious about these URLs?...

Then again, I also go on wondering about both files C:\WINDOWS\system32\drivers\ohci1394.sys + C:\WINDOWS\system32\drivers\atapi.sys?... Apparently there's been no further detection on the file ohci1394.sys; would this be a resolved issue by now, then, or?... On the other hand, the file atapi.sys; I still wonder why it was flagged by GMER, and is or was that an issue, or?...

Lastly, although apparently there have been no further Firefox redirects, the laptop user however complains of some random crashes... Firefox had actually crashed on me once, too, back when I was in the process of removing all malware as referred to in the initial post, but I took that as casual, as it only happened once as I say, thus why I also made no mention of that fact... I know it had crashed at least one more time between that first crash that happened with me and these complaints by the laptop user now, as I had already spotted the crashreport application in Sygate's applications list while it wasn't there initially, meaning the application obviously had connected to the internet, thus meaning a Firefox crash had certainly happened in the meantime. But, as I say, I've no idea to what extent this is or may also be an issue, and then whether at all connected to the whole malware mess that brought me here?... Could it be that it's just some casual coincidence?...

----------

New ComboFix log follows below, as requested.

Thank you once again for your assistance.

And sorry again, that the post is so "large", due to that line with the endless question marks in the ComboFix log...


----------------------------------------------------------------------------------------------------


ComboFix log


ComboFix 10-06-26.03 - Sonia 27-06-2010 17:28:22.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.351.1033.18.2047.1420 [GMT 1:00]
Executando de: c:\documents and settings\Sonia\Desktop\renamed.exe
AV: avast! antivirus 4.8.1368 [VPS 100627-0] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: Sygate Personal Firewall *disabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}
* Criado um novo ponto de restauração
.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-05-27 to 2010-06-27 ))))))))))))))))))))))))))))
.

2010-06-23 10:41 . 2010-06-23 10:41 -------- d-----w- c:\program files\Ask Search Assistant
2010-06-12 18:51 . 2010-06-12 18:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-06-11 15:38 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-08 17:13 . 2010-06-08 17:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Zynga
2010-06-01 17:13 . 2010-06-01 17:13 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2010-06-01 17:00 . 2010-06-01 17:00 503808 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-199cda29-n\msvcp71.dll
2010-06-01 17:00 . 2010-06-01 17:00 499712 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-199cda29-n\jmc.dll
2010-06-01 17:00 . 2010-06-01 17:00 348160 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-199cda29-n\msvcr71.dll
2010-06-01 17:00 . 2010-06-01 17:00 61440 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3a2fc034-n\decora-sse.dll
2010-06-01 17:00 . 2010-06-01 17:00 12800 ----a-w- c:\documents and settings\Sonia\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-3a2fc034-n\decora-d3d.dll

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-27 23:54 . 2010-05-27 23:54 -------- d-----w- c:\documents and settings\Sonia\Application Data\Apple Computer
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\program files\QuickTime
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\program files\Common Files\Apple
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\program files\Apple Software Update
2010-05-27 23:26 . 2010-05-27 23:26 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-05-24 09:56 . 2010-05-24 09:56 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-05-24 09:56 . 2010-05-24 09:56 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-05-24 09:56 . 2010-05-24 09:56 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-05-24 09:56 . 2010-05-24 09:56 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-05-24 09:56 . 2010-05-24 09:56 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-05-24 09:56 . 2010-05-24 09:56 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-05-24 09:56 . 2010-05-24 09:56 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-05-24 09:56 . 2010-05-24 09:56 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-05-24 09:56 . 2010-05-24 09:56 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-05-24 09:56 . 2010-05-24 09:56 -------- d-----w- c:\program files\Common Files\xing shared
2010-05-24 09:55 . 2010-05-24 09:55 -------- d-----w- c:\program files\Real
2010-05-24 09:55 . 2010-05-24 09:55 -------- d-----w- c:\program files\Common Files\Real
2010-05-12 20:50 . 2010-05-12 20:50 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-05-12 20:50 . 2010-05-12 20:50 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-05-12 20:50 . 2010-05-12 20:50 -------- d-----w- c:\program files\OpenAL
2010-05-12 20:50 . 2010-05-12 20:50 -------- d--h--w- c:\program files\FX Uninstall Information
2010-05-12 20:49 . 2010-05-12 20:49 -------- d-----w- c:\program files\Navy Moves
2010-05-11 17:25 . 2010-05-11 17:25 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Softland
2010-05-06 10:41 . 2006-09-18 13:45 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 18:04 . 2010-05-02 18:04 -------- d-----w- c:\documents and settings\Sonia\Application Data\Merscom
2010-05-02 18:04 . 2010-05-02 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Merscom
2010-05-02 05:22 . 2006-09-18 13:45 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-29 18:23 . 2004-08-03 22:10 61696 ----a-w- c:\windows\system32\drivers\ohci1394.sys
2010-04-29 14:39 . 2009-08-16 15:10 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-08-16 15:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-27 10:43 . 2009-08-16 14:58 117760 ----a-w- c:\documents and settings\Sonia\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-20 05:30 . 2006-09-18 13:44 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-17 13:01 . 2010-04-17 13:01 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-01 14:02 . 2010-04-20 14:38 22856 ----a-w- c:\windows\system32\dopdfmn7.dll
2010-04-01 14:02 . 2010-04-20 14:38 19784 ----a-w- c:\windows\system32\dopdfmi7.dll
2010-03-30 23:16 . 2010-03-30 23:16 99176 ----a-w- c:\windows\system32\PresentationHostProxy.dll
2010-03-30 23:10 . 2010-03-30 23:10 295264 ----a-w- c:\windows\system32\PresentationHost.exe
2010-03-30 19:06 . 2010-03-30 19:06 52224 ----a-w- c:\documents and settings\Sonia\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-07-28 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="c:\windows\ATK0100\HControl.exe" [2006-02-22 106496]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-21 7335936]
"nwiz"="nwiz.exe" [2005-11-21 1519616]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"RemoteControl"="c:\program files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 61952]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 14850560]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 761945]
"Wireless Console 2"="c:\program files\Wireless Console 2\wcourier.exe" [2005-10-17 987136]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 602182]
"EOUApp"="c:\program files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 569413]
"Power_Gear"="c:\program files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 86016]
"ASUS Live Update"="c:\program files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 180224]
"ABLKSR"="c:\windows\ABLKSR\ABLKSR.exe" [2006-01-02 61440]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 544768]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-10-10 320832]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-04-04 36272]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-03-24 952768]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-05-24 202256]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-17 421888]
"LXCFCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 73728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Sonia\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
Inicia‡Æo R pida do Microsoft Office OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - c:\program files\ASUS\Asus ChkMail\ChkMail.exe [2006-11-14 32768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2010-03-30 18:58 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [14-04-2010 11:20 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [05-08-2009 16:06 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [05-08-2009 16:06 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [14-04-2010 11:20 20560]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [06-04-2010 11:50 93320]
S2 gupdate;Serviço Google Update (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [17-02-2010 20:29 135664]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [05-08-2009 16:06 12872]
S4 0155631274870288mcinstcleanup;McAfee Application Installer Cleanup (0155631274870288);c:\windows\TEMP\015563~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\015563~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 19:29]

2010-06-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-17 19:29]

2010-06-16 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-2594835689-3197258351-2018326800-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-06-27 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-2594835689-3197258351-2018326800-1005.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-24 21:09]

2010-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.codecguide.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_2EC7709873947E87.dll/cmsidewiki.html
IE: {{18955D47-882E-48fc-B903-A4BDD030E7FD}
FF - ProfilePath - c:\documents and settings\Sonia\Application Data\Mozilla\Firefox\Profiles\jijm76ob.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2425831&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.plusnetwork.com
FF - prefs.js: network.proxy.type - 2
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwachk.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 10);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{40498DEF-8B13-44A6-A1A7-69DFE36E9210} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-27 17:35
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCFCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(872)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3144)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Tempo para conclusão: 2010-06-27 17:39:43
ComboFix-quarantined-files.txt 2010-06-27 16:39
ComboFix2.txt 2010-06-16 14:50

Pré-execução: 21.191.917.568 bytes free
Pós execução: 21.200.076.800 bytes free

- - End Of File - - CAB31ADE8B9EEE3F536B9949E6FEDCCA


----------------------------------------------------------------------------------------------------

Edited by DeLuk, 28 June 2010 - 12:03 PM.


#11 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:18 PM

Posted 14 July 2010 - 06:20 AM

Hello DeLuk.

Sorry for the delay, unfortunately I overlooked your reply.

I'm not seeing any further evidence of malware on the machine from the logs you've posted. I would recommend completely uninstalling Firefox and removing all files and folders associated with it, then reinstalling a clean copy. Additionally, I would recommend restoring Internet Explorer to default settings. Information on how to do that can be found here. http://support.microsoft.com/kb/923737

Finally, please run the following tool.

Download TFC by OldTimer to your desktop.
(TFC only cleans temp folders. It will not clean URL history, prefetch, or cookies).
Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run.
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine; if it doesn't, manually reboot to ensure a complete clean.

NOTE:
It's normal after running TFC that the PC will be slower to boot the first time.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.


Let me know if things improve.

~Blade


In your next reply, please include the following:
Update on computer status.


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#12 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Portugal
  • Local time:12:18 AM

Posted 17 July 2010 - 10:30 AM

Hello Blade, thank you for your new reply. And please, no need for apologies. All in all, as mentioned previously, this is not a real urgent case anyway, since I don't each time have immediate access to the machine being cleaned. And in fact, it won't be until a couple more weeks that I'll have access to it again, as my brother and his girlfriend are away on vacation at the moment. So, once more, I thank you in advance for your understanding with my own delay in getting back to you with the updated status of the laptop.

QUOTE
I'm not seeing any further evidence of malware on the machine from the logs you've posted.


Good to hear that, though. smile.gif Later, asap, I shall then reinstall Firefox from scratch and reset Internet Explorer, as you recommend, plus clear the temp folders with TFC; ok.

I do, however, have two additional questions at this point:

Regarding atapi.sys, should we run a new GMER scan, just to confirm whether it still flags that file? Or shouldn't I worry further about that?

Regarding ComboFix, should it be uninstalled now? Or not just yet?

-----

Then again, while waiting for the laptop, I'd also have a couple of doubts for you, if I may take the chance?...

One is regarding TFC, since you mentioned it. I've always wondered whether one can occasionally or even regularly use TFC on any clean (i.e. not infected) computer to safely get temp stuff cleared? I mean, like one uses CCleaner or ATF-Cleaner. Is TFC a temp cleaner that any computer user can or even should use? Is that at all advisable/recommended? Or is it rather a more specific tool that must only be used in specific situations and upon request of an expert?

Then, the other doubt, is still regarding that "issue" from before (about running check-scans vs fix-scans in general terms):

QUOTE(DeLuk @ Jun 28 2010, 04:11 PM) View Post
...
As I had mentioned before, the purpose why I ran a previous quick scan with Malwarebytes Anti-Malware was just to check. Not with the intent of fixing or removing anything in the event of something being found, but with the sole purpose of checking to confirm whether there might eventually be any new threats on board.
...
On the other hand, the MBAM scan having been a check-scan only, and not a fix-scan, I would have assumed that would not cause changes to the system and not interfere with whatever else?... Or would I be wrong in such an assumption?... unsure.gif (When you warned "please refrain from running tools other than those I suggest to you", I took it from the start that you were by that referring to fix-tools, not check-only scans; perhaps I failed to understand your point there?) I would much appreciate it if you would then please enlighten me on the matter, also so that I'm doubly aware on any next occasion. I do appreciate all the learning "on the go" every time.
...


As I say, I would indeed very much appreciate your input and comment on this matter, please, so that I may be aware any next time. Thank you once again. smile.gif

-----

I shall then update you on the laptop status asap as soon as I have access to it again. Thank you for your patience and help overall.

Edited by DeLuk, 17 July 2010 - 10:33 AM.


#13 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:18 PM

Posted 19 July 2010 - 11:01 PM

Hi.

QUOTE
Regarding atapi.sys, should we run a new GMER scan, just to confirm whether it still flags that file? Or shouldn't I worry further about that?

No need to worry about it. That problem has been resolved.

QUOTE
Regarding ComboFix, should it be uninstalled now? Or not just yet?

Not just yet. I'll let you know smile.gif

QUOTE
Is TFC a temp cleaner that any computer user can or even should use?

TFC is safe for regular use.

***************************************************

Now, in regard to the issue you mention above. I will be upfront with you; from a technical aspect, running a scan to "check", provided it doesn't make any changes, isn't going to compromise the fix. However, there are a couple of issues with this. First of all, some scanners may make changes that you (or I) aren't aware that they make, depending on how they scan files. While subtle and seemingly harmless, it could show up in a scan and make the helper think that malware is still active, and waste both your and the helper's time chasing down something that doesn't exist.

The big issue here is that running scans "just to check" is a show of bad faith. Every helper here has been through a rigorous and comprehensive training process to hunt down, identify, and eliminate malware infections, and every single one of those helpers has the best interests of you and your machine at heart. We aren't getting paid or receiving any sort of reward for what we do here, and many of us (myself included) even operate under an alias, further obscuring ourselves. If we think that running a scan is going to provide any sort of useful information or benefit your machine in some way, I can assure you that we will ask you to run that scan. When a user begins running scans on their own "just to check", it's as if that user doesn't trust our judgment and recommendation, despite how hard we've worked to obtain considerable knowledge and experience on the subject.

Hopefully that makes sense.

Let me know when you've completed the above steps and we'll wrap things up.

~Blade



#14 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Portugal
  • Local time:12:18 AM

Posted 25 July 2010 - 03:44 PM

Hi Blade.

Still regarding the "check scans" issue, thank you for your comment and further clarifications; yes, all makes absolute sense and I do fully understand your point.

At once, thank you for the heads up concerning the fact that some scanners, even when run in check-only mode, can still produce changes to the system that one may not be or get aware of. As mentioned earlier, I would have assumed otherwise, so double thanks for the heads up. (I hope now that MBAM isn't among those? As I hope that having run a quick check scan with it previous to having run ComboFix the first time hasn't compromised the ComboFix scan and overall your analysis of the outcome? Do hope not.)

On the other hand, about running scans "just to check" being a show of bad faith, yes, I totally understand your view, totally. I do however hope too that you understood that that was absolutely not the case, and I do hope that you did not interpret it as such? sad.gif Please, absolutely not; not for a moment was my intention in any way to question or disrespect your effort and knowledge, not at all. And again, I do more than anything hope you did not take it that way? sad.gif

As I said before, in no way have I wanted to show myself helpful beyond your instructions, and the purpose why I ran a quick check scan with MBAM previous to running ComboFix the first time was only to confirm whether there was any new malware on board, and the sole reason for this, as I have underlined above, was only because the laptop had been away/"out of my control" for several days. (Because we do well know it takes no more than, for example, plugging in an infected USB device to get new nasties in. Or doing some less safe browsing or downloading. Plus I do well know too that, truth be told, neither the laptop owner nor my brother are the most cautious and aware computer and internet users. *sigh* So I took it as best to confirm whether any new malware had crawled in since last time by at least doing a previous quick check scan with MBAM. And as I also said before, also because I wouldn't know whether running ComboFix would still be the appropriate step to take next, depending on there being new nasties in the system and depending on which those might be, thus I just wanted to make sure of that first and confirm things with you as needed. I hope you do understand my point and my uncertainty here?)

But above all else, I do truly hope you did not take it as a sign of bad faith, me running the check scan with MBAM, as that surely was not at all my intention, not at all. Various times have I come here in search of help, and grateful as I am for the assistance I have been provided every time, plus for all the invaluable learning that always comes attached, I do as much certainly appreciate and regard the work and commitment of all of you, and under no circumstance would I ever disrespect your knowledge and experience by mistrusting your judgment and recommendation or taking any such "I know best" kind of attitude. Please, it's absolutely not that, absolutely not.

I hope all this makes sense too, and hopefully I can be "forgiven" for my unintentional "fault" then? smile.gif

And thank you once more for all clarifications above. smile.gif

-----

Around next weekend or so I hope I can get you the update on the laptop status.

Just one last doubt, though: would you recommend that I uninstall Ask.com too? (I had checked before and there is an entry for it in Add/Remove Programs.) Opinions don't tend to be too positive about it, I reckon, or?...


#15 Blade

Blade

    Strong in the Bleepforce


  • Site Admin
  • 12,704 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US
  • Local time:07:18 PM

Posted 26 July 2010 - 09:42 PM

Hello.

QUOTE
I hope all this makes sense too and hopefully that I can be "forgiven" from my unintentional "fault" then?

Of course... no offense taken.

As for Ask.com, there are mixed feelings about it. Personally, I'd uninstall it as I do not find it useful. Some versions of the Ask toolbar are known to collect information while others are not. To be safe I'd remove it, but it's up to you.

~Blade
