
vx2 virus suspicion


  • This topic is locked
13 replies to this topic

#1 bspirit

  • Members
  • 7 posts

Posted 07 June 2010 - 04:51 AM

Hello all!

A few days ago I put my sister's pen drive into my PC; the pen drive is infected, and after this my PC started popping up windows, so I think the pen drive infected my PC. So I ran 2 applications, HijackThis and l2mfix. Here are the log files:

HijackThis log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:58:36, on 06-06-2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\VTTimer.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\RocketDock\RocketDock.exe
E:\Programas\MirandaCasa\Casa.exe
C:\Programas\SpywareGuard\sgmain.exe
E:\Programas\MirandaCasa\App\miranda\miranda32.exe
C:\Programas\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\regedit.exe
E:\Programas\FirefoxPortable3\FirefoxPortable.exe
E:\Programas\FirefoxPortable3\App\firefox\firefox.exe
E:\Programas\PNotepad\pn.exe
E:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Programas\RocketDock\RocketDock.exe"
O4 - Startup: Casa.lnk = E:\Programas\MirandaCasa\Casa.exe
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programas\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programas\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{35A4B5F5-3605-4977-A660-1BD15E249A4A}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{78C92770-E06D-436C-BE27-4EA661405E95}: NameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A56EEBD-3A33-4F4C-AE5B-D6DAD83D2EA2}: NameServer = 192.168.0.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{35A4B5F5-3605-4977-A660-1BD15E249A4A}: NameServer = 192.168.0.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{35A4B5F5-3605-4977-A660-1BD15E249A4A}: NameServer = 192.168.0.1
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon da cache de categorias dos componentes - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programas\Java\jre6\bin\jqs.exe

--
End of file - 4717 bytes



l2mfix log:
L2MFIX find log 032106
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
  6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Folha de propriedades de ficheiros multim‚dia"
"{176d6597-26d3-11d1-b350-080036a75b03}"="Gestor de scanner ICM"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="P gina de seguran‡a de NTFS"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="P gina de propriedades OLE DOCFIlE"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Extensäes da shell para partilha"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Apresentar extensÆo de adaptador CPL"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Apresentar extensÆo de monitor CPL"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Apresentar extensÆo de panorÆ’mica CPL"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="P gina de seguran‡a de DS"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="P gina de compatibilidade"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Rotina de tratamento de dados de fragmentos da shell"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="ExtensÆo da c¢pia de discos"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Extensäes da shell para objectos de rede Microsoft Windows"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="GestÆo de monitor ICM"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="GestÆo de impressora ICM"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Extensäes da shell para compressÆo de ficheiros"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="ExtensÆo da shell de impressora na Web"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Menu de contexto de encripta‡Æo"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Porta-documentos"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="ExtensÆo de ¡cone HyperTerminal"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Tipos de letra"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="Perfil de ICC"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="P gina de seguran‡a de impressoras"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Extensäes da shell para partilha"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="ExtensÆo PKO cripto"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="ExtensÆo de sinal cripto"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Liga‡äes de rede"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Liga‡äes de rede"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners e cÆ’maras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners e cÆ’maras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners e cÆ’maras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners e cÆ’maras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners e cÆ’maras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Extensäes da shell para script anfitriÆo do Windows"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Tarefas agendadas"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Barra de tarefas e menu 'Iniciar'"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Procurar"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Ajuda e suporte"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Ajuda e suporte"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Executar..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="Correio electr¢nico"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Tipos de letra"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Ferramentas administrativas"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="P gina de propriedades de versäes anteriores"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Versäes anteriores"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Barra de ferramentas da Internet"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Estado da transferˆncia"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Pasta 'Shell' aumentada"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Pasta 'Shell' 2 aumentada"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="IE Search Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="Pesquisa no painel"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Pesquisa na Web"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Utilit rio de op‡äes da  rvore de registo"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Endere‡o"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Caixa de edi‡Æo de endere‡o"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Preenchimento autom tico da Microsoft"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="Lista de preenchimento autom tico MRU"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Personalizar lista de preenchimento autom tico MRU"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Acess¡vel"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Barra pendente de rastreio"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Lista de preenchimento autom tico do hist¢rico da Microsoft"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Lista de conclusÆo autom tica da pasta Shell da Microsoft"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Contentor da lista de conclusÆo autom tica m£ltipla da Microsoft"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="Assistˆncia ao utilizador"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Defini‡äes de pasta global"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Gestor de aplica‡äes da shell"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Enumerador de aplica‡äes instaladas"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Fabricante da aplica‡Æo Darwin"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{00E7B358-F65B-4dcf-83DF-CD026B94BFD4}"="Autoplay for SlideShow"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="Extractor de imagens miniatura de ficheiros GDI+"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Rotina de tratamento de miniaturas de informa‡äes de resumo (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="Programa de extrac‡Æo de miniaturas de HTML"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Assistente de coloca‡Æo na Web"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Encomendar c¢pias atrav‚s da Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Objecto do assistente de publica‡Æo da Shell"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Assistente para obter passaporte"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="Contas de utilizadores"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Pasta 'Ficheiros offline'"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="&Pessoas..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}"="ShellLink for Application References"
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}"="Shell Icon Handler for Application References"
"{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}"="UnlockerShellExtension"
"{C52AF81D-F7A0-4AAB-8E87-F80A60CCD396}"="OpenOffice.org Column Handler"
"{087B3AE3-E237-4467-B8DB-5A38AB959AC9}"="OpenOffice.org Infotip Handler"
"{63542C48-9552-494A-84F7-73AA6A7C99C1}"="OpenOffice.org Property Sheet Handler"
"{3B092F0C-7696-40E3-A80F-68D74DA84210}"="OpenOffice.org Thumbnail Viewer"
"{472083B0-C522-11CF-8763-00608CC02F24}"="avast"
"{07C45BB1-4A8C-4642-A1F5-237E7215FF66}"="IE Microsoft BrowserBand"
"{11016101-E366-4D22-BC06-4ADA335C892B}"="IE History and Feeds Shell Data Source for Windows Search"
"{1C1EDB47-CE22-4bbb-B608-77B48F83C823}"="IE Fade Task"
"{205D7A97-F16D-4691-86EF-F3075DCCA57D}"="IE Menu Desk Bar"
"{25336920-03f9-11cf-8fd0-00aa00686f13}"="HTML Document"
"{3028902F-6374-48b2-8DC6-9725E775B926}"="IE AutoComplete"
"{3050f3d9-98b5-11cf-bb82-00aa00bdce0b}"="MSHTML Document"
"{43886CD5-6529-41c4-A707-7B3C92C05E68}"="IE Navigation Bar"
"{44C76ECD-F7FA-411c-9929-1B77BA77F524}"="IE Menu Site"
"{4B78D326-D922-44f9-AF2A-07805C2A3560}"="IE Menu Band"
"{6038EF75-ABFC-4e59-AB6F-12D397F6568D}"="IE Microsoft History AutoComplete List"
"{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE}"="IE Tracking Shell Menu"
"{6CF48EF8-44CD-45d2-8832-A16EA016311B}"="IE IShellFolderBand"
"{73CFD649-CD48-4fd8-A272-2070EA56526B}"="IE BandProxy"
"{8856f961-340a-11d0-a96b-00c04fd705a2}"="Microsoft Web Browser"
"{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8}"="IE MRU AutoComplete List"
"{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E}"="IE RSS Feeder Folder"
"{9D958C62-3954-4b44-8FAB-C4670C1DB4C2}"="IE Microsoft Shell Folder AutoComplete List"
"{B31C5FAE-961F-415b-BAF0-E697A5178B94}"="IE Microsoft Multiple AutoComplete List Container"
"{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A}"="IE Shell Rebar BandSite"
"{E6EE9AAC-F76B-4947-8260-A9F136138E11}"="IE Shell Band Site Menu"
"{F2CF5485-4E02-4f68-819C-B92DE9277049}"="&Links"
"{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E}"="IE Registry Tree Options Utility"
"{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}"="IE User Assist"
"{FDE7673D-2E19-4145-8376-BBD58C4BC7BA}"="IE Custom MRU AutoCompleted List"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{23170F69-40C1-278A-1000-000100020000}"="7-Zip Shell Extension"
"{45670FA8-ED97-4F44-BC93-305082590BFB}"="Microsoft.XPS.Shell.Metadata.1"
"{44121072-A222-48f2-A58A-6D9AD51EBBE9}"="Microsoft.XPS.Shell.Thumbnail.1"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}"="Microsoft Office Metadata Handler"
"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}"="Microsoft Office Thumbnail Handler"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
   vbscript.dll   Wed 10 Mar 2010   7:16:46   A....        420.352   410,50 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  420.352 bytes    410,50 K
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
O volume na unidade C ‚ Disco local
O n£mero de s‚rie do volume ‚ E08C-7B90

Direct¢rio de C:\WINDOWS\System32

02-06-2010  01:37    <DIR>          dllcache
12-04-2009  00:07    <DIR>          Microsoft
22-02-2001  14:55            13.347 Vfpodbc.txt
07-12-1999  05:00           977.680 vfpodbc.dll
24-04-1998  00:00           203.641 Drvvfp.hlp
24-04-1998  00:00             5.446 Drvvfp.cnt
               4 ficheiro(s)        1.200.114 bytes
               2 Dir(s)        11.094.794.240 bytes livres


I would appreciate it if someone could analyze this and tell me if my PC is infected, and how I resolve this.

I think I posted in the wrong forum. How do I move to another forum?
Regards

Edited by bspirit, 07 June 2010 - 04:57 AM.
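Worked example, added here and not part of the thread or of either tool: a small Python triage script for the two log formats posted above. It splits the HijackThis log into entries and sorts the O4 autoruns into bare file names (which Windows resolves via the search path), full paths under the machine's install directories (an assumption taken from the log: C:\WINDOWS and C:\Programas, the Portuguese %ProgramFiles%), and paths anywhere else; and it parses the .reg-format Winlogon\Notify section of the L2MFix log, decoding the hex(2) (REG_EXPAND_SZ) values into DLL names so each package winlogon.exe loads can be accounted for. The sample lines are copied from the posted logs; the function names and TRUSTED_DIRS are the example's own.

```python
"""Triage helpers for the two logs posted above (HijackThis O4 autoruns and the
Winlogon\\Notify section of the L2MFix .reg export). Added example, not code from
the thread or from either tool; sample lines are copied from the posted logs."""
import re

# Excerpt of the posted HijackThis log, used as sample input.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"
O4 - Startup: Casa.lnk = E:\Programas\MirandaCasa\Casa.exe
"""

# Excerpt of the posted L2MFix log (Winlogon/notify section, .reg format).
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"""

# Assumption for this PC, taken from the posted log: installed software lives under
# C:\WINDOWS and C:\Programas (%ProgramFiles% on a Portuguese XP), nowhere else.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\programas\\", "c:\\progra~1\\")
NOTIFY_PREFIX = "HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\"
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs such as ("O4", "HKLM\\..\\Run: ...")."""
    return [m.groups() for m in (ENTRY_RE.match(ln.strip()) for ln in text.splitlines()) if m]


def first_token(cmd):
    """Executable part of a Run-key command: the quoted path, else the first word."""
    cmd = cmd.strip()
    return cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else (cmd.split() or [""])[0]


def triage_autoruns(entries):
    """(name, executable, verdict) per O4 entry: 'unqualified' is a bare file name resolved
    via the search path, 'outside-trusted-dirs' a full path not under TRUSTED_DIRS."""
    out = []
    for section, body in entries:
        if section != "O4":
            continue
        m = (re.search(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)            # Run-key form
             or re.search(r"Startup: (?P<name>[^=]+?) = (?P<cmd>.*)$", body))  # Startup-folder form
        if not m:
            continue
        exe = first_token(m.group("cmd"))
        if "\\" not in exe:
            verdict = "unqualified"
        elif exe.lower().startswith(TRUSTED_DIRS):
            verdict = "ok"
        else:
            verdict = "outside-trusted-dirs"
        out.append((m.group("name"), exe, verdict))
    return out


def decode_reg_value(value):
    """Decode one .reg value: "string", dword:hex, or hex(2): (a NUL-terminated UTF-16LE string)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if value.startswith("dword:"):
        return int(value[6:], 16)
    if value.startswith("hex(2):"):
        return bytes.fromhex(value[7:].replace(",", "")).decode("utf-16-le").rstrip("\x00")
    return value


def parse_reg(text):
    """Parse .reg text into {key: {name: value}}, joining backslash-continued lines."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip() if pending else raw.rstrip()
        if line.endswith("\\"):  # continuation: the value carries on on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif line.startswith('"') and current is not None:
            name, _, value = line[1:].partition('"=')
            keys[current][name] = decode_reg_value(value)
    return keys


def winlogon_notify_dlls(reg_text):
    """{package: dll} for each Winlogon\\Notify package; winlogon.exe loads every one at logon."""
    out = {}
    for key, values in parse_reg(reg_text).items():
        if key.lower().startswith(NOTIFY_PREFIX.lower()):
            # spelled "DllName" in some packages and "DLLName" in others
            out[key[len(NOTIFY_PREFIX):]] = next(
                (v for n, v in values.items() if n.lower() == "dllname"), None)
    return out
```

On a full log, `triage_autoruns(parse_hjt(log_text))` returns one row per O4 line; the `unqualified` and `outside-trusted-dirs` rows are the ones to look up first, and `winlogon_notify_dlls` gives the list of DLLs that should each match a known Windows component (here crypt32.dll and cscdll.dll).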




#2 Elise

    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,313 posts
  • Gender:Female
  • Location:Romania

Posted 10 June 2010 - 07:12 AM

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.


I will be working on your malware issues; this may or may not solve other issues you may have with your machine.

Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.
  • The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.
  • Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic.
  • The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.
You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.
-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

If you have already posted a log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

-------------------------------------------------------------
In the meantime please do NOT install any new programs or update anything unless told to do so while we are fixing your problem.

If you still need help, please include the following in your next reply
  • A detailed description of your problems
  • A new OTL log (don't forget extra.txt)
  • GMER log

Thanks and again sorry for the delay.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


Malware analyst @ Emsisoft


#3 bspirit

  • Topic Starter
  • Members
  • 7 posts

Posted 10 June 2010 - 08:28 AM

Hi, thanks for your welcome.

I hope I followed your instructions correctly; here are the logs.

OTL.txt
OTL logfile created on: 10-06-2010 13:16:43 - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\ezyx\Ambiente de trabalho
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

1,00 Gb Total Physical Memory | 0,00 Gb Available Physical Memory | 41,00% Memory free
2,00 Gb Paging File | 1,00 Gb Available in Paging File | 66,00% Paging File free
Paging file location(s): C:\pagefile.sys 700 700 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
Drive C: | 24,41 Gb Total Space | 10,33 Gb Free Space | 42,31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 52,28 Gb Total Space | 16,93 Gb Free Space | 32,38% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 1,90 Gb Total Space | 0,77 Gb Free Space | 40,77% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC1
Current User Name: ezyx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010-06-10 13:16:21 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ezyx\Ambiente de trabalho\OTL.exe
PRC - [2010-05-16 18:42:45 | 000,910,296 | ---- | M] (Mozilla Corporation) -- E:\Programas\FirefoxPortable3\App\firefox\firefox.exe
PRC - [2010-03-01 21:42:48 | 000,835,952 | ---- | M] (Opera Software) -- C:\Programas\Opera\opera.exe
PRC - [2009-11-20 21:24:50 | 000,128,168 | ---- | M] (PortableApps.com) -- E:\Programas\MirandaCasa\Casa.exe
PRC - [2009-11-17 18:01:32 | 000,397,312 | ---- | M] ( ) -- E:\Programas\MirandaCasa\App\miranda\miranda32.exe
PRC - [2009-04-06 14:54:18 | 006,806,784 | ---- | M] (Foxit Software Company) -- E:\Programas\Foxit\Foxit Reader.exe
PRC - [2009-02-05 21:08:45 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Programas\Alwil Software\Avast4\ashDisp.exe
PRC - [2009-02-05 21:08:40 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Programas\Alwil Software\Avast4\ashServ.exe
PRC - [2009-02-05 21:08:26 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009-02-05 21:06:04 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Programas\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009-02-05 21:01:25 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2008-07-21 15:28:38 | 000,144,736 | ---- | M] (PortableApps.com) -- E:\Programas\FirefoxPortable3\FirefoxPortable.exe
PRC - [2008-01-16 12:14:38 | 030,220,288 | ---- | M] (sage) -- C:\Programas\GesPOS3\POS.exe
PRC - [2007-09-02 13:58:52 | 000,495,616 | ---- | M] () -- C:\Programas\RocketDock\RocketDock.exe
PRC - [2007-06-13 14:22:26 | 001,035,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005-03-07 20:33:28 | 000,053,248 | R--- | M] (S3 Graphics, Inc.) -- C:\WINDOWS\system32\VTTimer.exe
PRC - [2003-08-29 19:05:35 | 000,360,448 | ---- | M] () -- C:\Programas\SpywareGuard\sgmain.exe
PRC - [2003-08-29 11:14:56 | 000,233,472 | ---- | M] () -- C:\Programas\SpywareGuard\sgbhp.exe


========== Modules (SafeList) ==========

MOD - [2010-06-10 13:16:21 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ezyx\Ambiente de trabalho\OTL.exe
MOD - [2007-09-02 13:57:36 | 000,069,632 | ---- | M] () -- C:\Programas\RocketDock\RocketDock.dll
MOD - [2007-04-18 17:14:21 | 002,854,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msi.dll
MOD - [2006-10-20 02:37:45 | 000,715,264 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\sxs.dll
MOD - [2006-08-25 16:46:41 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004-08-04 13:00:00 | 000,102,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - [2009-02-05 21:08:40 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Programas\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009-02-05 21:08:26 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Programas\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009-02-05 21:06:04 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Programas\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009-02-05 21:01:25 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Programas\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009-01-07 18:21:36 | 000,026,144 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\WINDOWS\system32\spupdsvc.exe -- (spupdsvc)
SRV - [2006-10-26 19:49:34 | 000,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006-10-26 13:03:08 | 000,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Programas\Ficheiros comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Driver Services (SafeList) ==========

DRV - [2009-04-12 01:21:59 | 000,717,296 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd)
DRV - [2009-02-05 21:08:10 | 000,094,032 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2009-02-05 21:07:23 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswSP.sys -- (aswSP)
DRV - [2009-02-05 21:07:12 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009-02-05 21:06:20 | 000,051,376 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009-02-05 21:06:10 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009-02-05 21:05:11 | 000,026,944 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2005-11-26 13:25:44 | 000,043,136 | R--- | M] (Prolific Technology Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ser2pl.sys -- (Ser2pl)
DRV - [2005-11-04 13:39:02 | 000,245,504 | ---- | M] (Ralink Technology, Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\rt73.sys -- (RT73)
DRV - [2003-05-28 18:53:46 | 000,017,005 | ---- | M] (Adaptec) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ASPI32.SYS -- (Aspi32)
DRV - [2002-01-17 20:19:26 | 000,003,459 | ---- | M] (www.jspayne.com) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\ioocx.sys -- (ioocx)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: E:\Programas\FirefoxPortable3\App\firefox\components [2010-06-04 10:03:11 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: E:\Programas\FirefoxPortable3\App\firefox\plugins [2010-05-26 21:24:30 | 000,000,000 | ---D | M]

[2010-06-10 08:59:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\ezyx\Application Data\mozilla\Extensions

O1 HOSTS File: ([2004-08-04 13:00:00 | 000,000,808 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (FGCatchUrl) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll (www.flashget.com)
O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Programas\SpywareGuard\dlprotect.dll ()
O2 - BHO: (FlashGet GetFlash Class) - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll (www.flashget.com)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {32099AAC-C132-4136-9E9A-4E364A424E17} - No CLSID value found.
O4 - HKLM..\Run: [avast!] C:\Programas\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [Cmaudio] File not found
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [VTTimer] C:\WINDOWS\System32\VTTimer.exe (S3 Graphics, Inc.)
O4 - HKCU..\Run: [RocketDock] C:\Programas\RocketDock\RocketDock.exe ()
O4 - Startup: C:\Documents and Settings\ezyx\Menu Iniciar\Programas\Arranque\Casa.lnk = E:\Programas\MirandaCasa\Casa.exe (PortableApps.com)
O4 - Startup: C:\Documents and Settings\ezyx\Menu Iniciar\Programas\Arranque\SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 181
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMHelp = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsNetHood = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\JC_ALL.HTM ()
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\JC_LINK.HTM ()
O8 - Extra context menu item: E&xportar para o Microsoft Excel - C:\Programas\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programas\FlashGet\flashget.exe (FlashGet.com)
O9 - Extra 'Tools' menuitem : FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Programas\FlashGet\flashget.exe (FlashGet.com)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 192.168.0.1
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Programas\Ficheiros comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programas\Ficheiros comuns\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\MSN Messenger\msgrapp.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programas\Ficheiros comuns\Microsoft Shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (A minha home page actual) - About:Home
O24 - Desktop WallPaper: C:\Documents and Settings\ezyx\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\ezyx\Definições locais\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Programas\SpywareGuard\spywareguard.dll ()
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009-04-12 00:04:46 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010-06-10 13:16:18 | 000,572,416 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ezyx\Ambiente de trabalho\OTL.exe
[2010-06-10 08:59:04 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ezyx\Application Data\Mozilla
[2010-06-06 23:54:03 | 000,053,248 | ---- | C] (http://www.beyondlogic.org) -- C:\WINDOWS\System32\Process.exe
[2010-06-06 23:54:03 | 000,016,384 | ---- | C] (WareSoft Software) -- C:\WINDOWS\System32\restart.exe
[2010-05-26 21:24:29 | 000,000,000 | ---D | C] -- C:\Programas\Microsoft Works
[2010-05-26 21:24:03 | 000,000,000 | ---D | C] -- C:\Programas\Ficheiros comuns\DESIGNER
[2010-05-26 21:23:34 | 000,000,000 | ---D | C] -- C:\Programas\Microsoft.NET
[2010-05-26 21:21:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\SHELLNEW
[2010-05-26 21:20:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ezyx\Definições locais\Application Data\Microsoft Help
[2010-05-26 21:20:42 | 000,000,000 | ---D | C] -- C:\Programas\Microsoft Office
[2010-05-26 21:20:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Microsoft Help
[2010-05-26 21:19:48 | 000,000,000 | RH-D | C] -- C:\MSOCache
[2010-05-23 08:57:09 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\ezyx\Recent
[2010-05-18 11:23:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ezyx\Application Data\Skype
[2010-05-18 11:23:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\ezyx\Application Data\SkypePM
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010-06-10 13:16:21 | 000,572,416 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ezyx\Ambiente de trabalho\OTL.exe
[2010-06-10 08:53:49 | 000,002,297 | ---- | M] () -- C:\Documents and Settings\All Users\Ambiente de trabalho\Talão.lnk
[2010-06-10 08:52:20 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010-06-10 08:52:17 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010-06-10 00:10:17 | 005,767,168 | -H-- | M] () -- C:\Documents and Settings\ezyx\NTUSER.DAT
[2010-06-10 00:10:17 | 000,000,188 | -HS- | M] () -- C:\Documents and Settings\ezyx\ntuser.ini
[2010-06-05 14:26:16 | 000,016,896 | ---- | M] () -- C:\Documents and Settings\ezyx\Definições locais\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010-06-02 01:37:43 | 000,001,355 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010-05-27 08:45:40 | 000,048,904 | ---- | M] () -- C:\Documents and Settings\ezyx\Definições locais\Application Data\GDIPFONTCACHEV1.DAT
[2010-05-27 08:44:39 | 000,210,488 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010-06-06 23:54:03 | 000,175,616 | ---- | C] () -- C:\WINDOWS\System32\strings.exe
[2010-06-06 23:54:03 | 000,126,976 | ---- | C] () -- C:\WINDOWS\System32\zip.exe
[2010-06-06 23:54:03 | 000,039,184 | ---- | C] () -- C:\WINDOWS\System32\Ntrights.exe
[2010-06-06 23:54:03 | 000,011,254 | ---- | C] () -- C:\WINDOWS\System32\locate.com
[2010-06-02 01:36:34 | 000,001,355 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010-05-23 18:31:19 | 000,061,163 | ---- | C] () -- C:\Documents and Settings\ezyx\Ambiente de trabalho\Na Rainha.jpg
[2010-03-14 13:07:02 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2010-03-14 13:07:01 | 000,084,480 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009-04-12 01:45:19 | 000,000,290 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2009-04-12 01:21:58 | 000,717,296 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2009-04-12 00:26:51 | 000,028,672 | R--- | C] () -- C:\WINDOWS\System32\cmirmdrv.dll
[2006-04-24 15:44:52 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\CalendarPTG.dll
[2006-04-24 15:44:52 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\CalendarESN.dll
[2006-04-06 17:22:26 | 000,015,360 | ---- | C] () -- C:\WINDOWS\System32\SuitePro.ResourcePt.dll
[2006-04-06 17:22:06 | 000,015,360 | ---- | C] () -- C:\WINDOWS\System32\SuitePro.ResourceEs.dll
[2000-10-25 19:15:00 | 000,017,920 | ---- | C] () -- C:\WINDOWS\System32\Implode.dll
[2000-09-11 08:25:58 | 000,006,144 | ---- | C] () -- C:\WINDOWS\System32\Speaker.dll
[1999-09-22 02:00:00 | 000,100,352 | ---- | C] () -- C:\WINDOWS\System32\pg32conv.dll
[1999-03-12 02:00:00 | 000,299,008 | ---- | C] () -- C:\WINDOWS\System32\Crutl14.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 141 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2AEBCB5B
@Alternate Data Stream - 131 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >

thanks for your help.

regards

Edited by elise025, 10 June 2010 - 09:00 AM.
code tags and duplicate logs removed ~ Elise


#4 Elise (Bleepin' Blonde, Malware Study Hall Admin, 61,313 posts, Gender: Female, Location: Romania)

Posted 10 June 2010 - 09:02 AM

Hello, you posted the same log 3 times :)

I also removed the code tags. Posting logs in code tags makes it hard to read them, so please do not use them.

Could you please post me extra.txt and gmer.log?

If extra.txt didn't get created, rerun OTL, click the NONE button and then under "extra registry" tick Use Safelist. Click Run Scan.

If GMER gives you trouble, try to run it with only the sections option checked.

regards, Elise




#5 bspirit (Topic Starter, Members, 7 posts)

Posted 10 June 2010 - 09:18 AM

Sorry, I didn't notice that.

Extras.txt

OTL Extras logfile created on: 10-06-2010 13:16:43 - Run 1
OTL by OldTimer - Version 3.2.6.0 Folder = C:\Documents and Settings\ezyx\Ambiente de trabalho
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000816 | Country: Portugal | Language: PTG | Date Format: dd-MM-yyyy

1,00 Gb Total Physical Memory | 0,00 Gb Available Physical Memory | 41,00% Memory free
2,00 Gb Paging File | 1,00 Gb Available in Paging File | 66,00% Paging File free
Paging file location(s): C:\pagefile.sys 700 700 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Programas
Drive C: | 24,41 Gb Total Space | 10,33 Gb Free Space | 42,31% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 52,28 Gb Total Space | 16,93 Gb Free Space | 32,38% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
Drive G: | 1,90 Gb Total Space | 0,77 Gb Free Space | 40,77% Space Free | Partition Type: FAT32
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: PC1
Current User Name: ezyx
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- C:\Programas\Opera\opera.exe (Opera Software)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.txt [@ = txtfile] -- E:\Programas\PNotepad\pn.exe (Simon Steele (Echo Software))

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- Reg Error: Key error.
http [open] -- "C:\Programas\Opera\opera.exe" (Opera Software)
https [open] -- "C:\Programas\Opera\opera.exe" (Opera Software)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Programas\FlashGet\flashget.exe" = C:\Programas\FlashGet\flashget.exe:*:Enabled:Flashget -- (FlashGet.com)
"C:\Programas\uTorrent\uTorrent.exe" = C:\Programas\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Documents and Settings\ezyx\Definições locais\Temp\MirandaPortable\program\miranda32.exe" = C:\Documents and Settings\ezyx\Definições locais\Temp\MirandaPortable\program\miranda32.exe:*:Enabled:Miranda IM -- File not found
"E:\Programas\MirandaCasa\App\miranda\miranda32.exe" = E:\Programas\MirandaCasa\App\miranda\miranda32.exe:*:Enabled:Miranda IM -- ( )
"E:\Programas\Miranda\App\miranda\miranda32.exe" = E:\Programas\Miranda\App\miranda\miranda32.exe:*:Enabled:Miranda IM -- ( )
"E:\Programas\Cópia de MirandaCasa\App\miranda\miranda32.exe" = E:\Programas\Cópia de MirandaCasa\App\miranda\miranda32.exe:*:Enabled:miranda32.exe -- File not found
"E:\Programas\Messenger\App\miranda\miranda32.exe" = E:\Programas\Messenger\App\miranda\miranda32.exe:*:Enabled:Miranda IM -- ( )
"C:\Programas\Opera\opera.exe" = C:\Programas\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)
"E:\Programas\WinSCPPortable\App\winscp\winscp.exe" = E:\Programas\WinSCPPortable\App\winscp\winscp.exe:*:Enabled:SFTP, FTP and SCP client -- (Martin Prikryl)
"E:\Setups\utorrent.exe" = E:\Setups\utorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2BD2FA21-B51D-4F01-94A7-AC16737B2163}" = Adobe Flash Player 10 ActiveX
"{332BCC03-A1B7-4BE7-8C8A-2B1333E22C33}" = Opera 10.50
"{350C9816-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{4B104899-59D6-4851-8DD9-E21E4F399190}" = Sistema Sage
"{4B72C9DB-FA3F-4392-A981-3FA88FE117D7}" = GesPOS 2007m1
"{86BADD9C-D2DE-4CBF-8A94-5F2C58087720}" = OpenOffice.org 3.0
"{90120000-0010-0816-0000-0000000FF1CE}" = Microsoft Software Update for Web Folders (Portuguese (Portugal)) 12
"{90120000-0015-0816-0000-0000000FF1CE}" = Microsoft Office Access MUI (Portuguese (Portugal)) 2007
"{90120000-0016-0816-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
"{90120000-0018-0816-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
"{90120000-0019-0816-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007
"{90120000-001A-0816-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007
"{90120000-001B-0816-0000-0000000FF1CE}" = Microsoft Office Word MUI (Portuguese (Portugal)) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0816-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Portugal)) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0816-0000-0000000FF1CE}" = Microsoft Office Proofing (Portuguese (Portugal)) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0816-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007
"{90120000-006E-0816-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
"{90120000-00A1-0816-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
"{90120000-00BA-0816-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Portuguese (Portugal)) 2007
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}" = MSN Messenger 7.5
"7-Zip" = 7-Zip 4.65
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast!" = avast! Antivirus
"Bullzip PDF Printer_is1" = Bullzip PDF Printer 7.1.0.1140
"CCleaner" = CCleaner (remove only)
"C-Media Audio Driver" = C-Media WDM Audio Driver
"Comical_is1" = Comical 0.8
"ENTERPRISE" = Microsoft Office Enterprise 2007
"ffdshow_is1" = ffdshow [rev 2844] [2009-03-30]
"FlashGet" = FlashGet 1.9.6.1073
"GPL Ghostscript Lite_is1" = GPL Ghostscript Lite 8.70
"ie8" = Windows Internet Explorer 8
"InfraRecorder" = InfraRecorder
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Modelo 3 v1.3.8" = Modelo 3 v1.3.8
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MRU-Blaster_is1" = MRU-Blaster v1.5 (Database 3/28/2004)
"PChess" = PChess (remove only)
"RealAlt_is1" = Real Alternative 1.9.0 Lite
"RocketDock_is1" = RocketDock 1.3.5
"SpywareBlaster_is1" = SpywareBlaster 4.2
"SpywareGuard_is1" = SpywareGuard v2.2
"The KMPlayer" = The KMPlayer (remove only)
"Tweak UI 2.10" = Tweak UI
"Unlocker" = Unlocker 1.8.7

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 07-11-2009 16:53:22 | Computer Name = PC1 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...outube&cp=7
failed, 0000A413.

Error - 07-11-2009 17:26:07 | Computer Name = PC1 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...wilif&cp=13
failed, 0000A413.

Error - 07-11-2009 19:46:44 | Computer Name = PC1 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...brasi&cp=21
failed, 0000A413.

Error - 08-11-2009 11:15:20 | Computer Name = PC1 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...lema.i&cp=6
failed, 0000A413.

Error - 10-11-2009 7:48:44 | Computer Name = PC1 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.com/complete/search...brasi&cp=21
failed, 0000A413.

Error - 10-11-2009 9:55:21 | Computer Name = PC1 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.pt/complete/search?...=culot&cp=5 failed, 0000A413.


Error - 10-11-2009 9:55:39 | Computer Name = PC1 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://clients1.google.pt/complete/search?...carva&cp=12
failed, 0000A413.

[ Application Events ]
Error - 23-05-2010 13:03:15 | Computer Name = PC1 | Source = PerfNet | ID = 2004
Description = Não foi possível abrir o serviço de servidor. Os dados de desempenho
de servidor não serão devolvidos. O código de erro devolvido encontra-se nos dados
DWORD 0.

Error - 29-05-2010 4:46:36 | Computer Name = PC1 | Source = PerfNet | ID = 2004
Description = Não foi possível abrir o serviço de servidor. Os dados de desempenho
de servidor não serão devolvidos. O código de erro devolvido encontra-se nos dados
DWORD 0.

Error - 29-05-2010 4:48:06 | Computer Name = PC1 | Source = PerfNet | ID = 2004
Description = Não foi possível abrir o serviço de servidor. Os dados de desempenho
de servidor não serão devolvidos. O código de erro devolvido encontra-se nos dados
DWORD 0.

Error - 29-05-2010 5:04:03 | Computer Name = PC1 | Source = PerfNet | ID = 2004
Description = Não foi possível abrir o serviço de servidor. Os dados de desempenho
de servidor não serão devolvidos. O código de erro devolvido encontra-se nos dados
DWORD 0.

Error - 30-05-2010 5:41:54 | Computer Name = PC1 | Source = PerfNet | ID = 2004
Description = Não foi possível abrir o serviço de servidor. Os dados de desempenho
de servidor não serão devolvidos. O código de erro devolvido encontra-se nos dados
DWORD 0.

Error - 31-05-2010 14:05:04 | Computer Name = PC1 | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application winword.exe, version 12.0.4518.1014, stamp 45428028,
faulting module unknown, version 0.0.0.0, stamp 00000000, debug? 0, fault address
0x00000000.

Error - 31-05-2010 15:11:41 | Computer Name = PC1 | Source = Microsoft Office 12 | ID = 1000
Description = Faulting application winword.exe, version 12.0.4518.1014, stamp 45428028,
faulting module mso.dll, version 12.0.4518.1014, stamp 4542867b, debug? 0, fault
address 0x00048b1b.

Error - 03-06-2010 5:14:35 | Computer Name = PC1 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will
not be returned. Error code returned is in data DWORD 0.

Error - 04-06-2010 7:42:54 | Computer Name = PC1 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will
not be returned. Error code returned is in data DWORD 0.

Error - 09-06-2010 8:58:35 | Computer Name = PC1 | Source = PerfNet | ID = 2004
Description = Unable to open the Server service. Server performance data will
not be returned. Error code returned is in data DWORD 0.

[ OSession Events ]
Error - 31-05-2010 14:05:01 | Computer Name = PC1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 1650
seconds with 1140 seconds of active time. This session ended with a crash.

Error - 31-05-2010 15:11:40 | Computer Name = PC1 | Source = Microsoft Office 12 Sessions | ID = 7001
Description = ID: 0, Application Name: Microsoft Office Word, Application Version:
12.0.4518.1014, Microsoft Office Version: 12.0.4518.1014. This session lasted 3796
seconds with 2580 seconds of active time. This session ended with a crash.

[ System Events ]
Error - 10-06-2010 7:54:15 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:54:15 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:54:26 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:54:26 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:54:35 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:54:35 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:54:37 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:55:41 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:55:41 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058

Error - 10-06-2010 7:55:41 | Computer Name = PC1 | Source = Service Control Manager | ID = 7001
Description = The Remote Access Connection Manager service depends on the Telephony
service which failed to start because of the following error: %%1058


< End of report >




Gmer.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-10 14:19:46
Windows 5.1.2600 Service Pack 2
Running: 2q2v1y3s.exe; Driver: C:\DOCUME~1\ezyx\DEFINI~1\Temp\pgtdapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB98DD6B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB98DD574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB98DDA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB98DD14C]
SSDT spft.sys ZwEnumerateKey [0xF78FFCA2]
SSDT spft.sys ZwEnumerateValueKey [0xF7900030]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB98DD64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB98DD08C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB98DD0F0]
SSDT spft.sys ZwQueryKey [0xF7900108]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB98DD76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB98DD72E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB98DD8AE]

INT 0x62 ? 88FD6BF8
INT 0x63 ? 88FC7BF8
INT 0x63 ? 88FC7BF8
INT 0x63 ? 88FC7BF8
INT 0x63 ? 88FC7BF8
INT 0x63 ? 88FC7BF8
INT 0x63 ? 88FC7BF8
INT 0x82 ? 88FD6BF8
INT 0x83 ? 88FD6BF8

---- Kernel code sections - GMER 1.0.15 ----

? spft.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BAE5162C 5 Bytes JMP 88FC71D8
.text aj6akis2.SYS BACF1386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aj6akis2.SYS BACF13AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aj6akis2.SYS BACF13C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text aj6akis2.SYS BACF13C9 1 Byte [2E]
.text aj6akis2.SYS BACF13C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 88FD82D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7912C4C] spft.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7912CA0] spft.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F78E2040] spft.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F78E213C] spft.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F78E20BE] spft.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F78E27FC] spft.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F78E26D2] spft.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 88FC72D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F78F2048] spft.sys
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlInitUnicodeString] 0975013E
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!swprintf] 1B42E853
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeSetEvent] C4830000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoCreateSymbolicLink] B05E5F04
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoGetConfigurationInformation] E58B5B01
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] CCCCC35D
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmFreeMappingAddress] CCCCCCCC
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 53EC8B55
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 08758B56
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmUnmapIoSpace] 0214BE83
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 57000000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IofCompleteRequest] 45C60674
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 1EEB010B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IofCallDriver] 020C868B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmAllocateMappingAddress] C0850000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 808A1074
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoConnectInterrupt] 00000804
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoDetachDevice] A03CF024
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeWaitForSingleObject] 0B45950F
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeInitializeEvent] 45C604EB
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 458A000B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlInitAnsiString] 88C0840B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 840F0946
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoQueueWorkItem] 000000C1
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmMapIoSpace] 14B30E8B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 1C8286C6
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoReportDetectedDevice] 88010000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoReportResourceForDetection] 001C859E
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] A19E8800
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!NlsMbCodePageTag] C600001C
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!PoRequestPowerIrp] 001C8686
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 86C60100
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 00001CA2
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!sprintf] 70518B01
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 8D52006A
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ObfDereferenceObject] 001C8886
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 55E85000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 8B000023
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ZwClose] 70518B0E
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] 8D52016A
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 001CA486
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 41E85000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 8B000023
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!PoCallDriver] 18C4830E
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoCreateDevice] 1C8D9E88
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 9E880000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 00001CA9
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ZwOpenKey] 0E798366
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 74AAB000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoStartTimer] 8186C636
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeInitializeTimer] 1A00001C
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoInitializeTimer] 1C8386C6
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeInitializeDpc] C6020000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeInitializeSpinLock] 001C8E86
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoInitializeIrp] 86C60200
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ZwCreateKey] 00001CAA
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 959E8802
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ZwSetValueKey] 001CB19E
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeInsertQueueDpc] 96868800
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 8800001C
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoStartPacket] 001CB286
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] C61AEB00
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C8186
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoFreeMdl] 86C61200
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmUnlockPages] 00001C83
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 8E868801
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 8800001C
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 001CAA86
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 80968B00
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8900001C
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoStartNextPacket] 001C9C96
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeBugCheckEx] C6168B00
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 001CB986
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeSetTimer] 428A0A00
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeCancelTimer] BA86880C
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!_allmul] 8B00001C
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmProbeAndLockPages] 24A48DFA
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!_except_handler3] 00000000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!PoSetPowerState] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 8D3F0304
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlWriteRegistryValue] CB033043
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!_aulldiv] 0673C13B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!strstr] C13B0003
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!_strupr] 8366FA72
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeQuerySystemTime] 75000E7B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 0B7D80E3
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!KeTickCount] 307B8D00
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 00AA840F
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoDeleteDevice] 83660000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 6A000E7A
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoAllocateWorkItem] C6647400
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoAllocateIrp] 001CBB86
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoAllocateMdl] 4F8B0200
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 968D5140
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmLockPagableDataSection] 00001C90
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 2266E852
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 478B0000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!ExFreePoolWithTag] 50016A40
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoFreeIrp] 1CAC8E8D
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!IoFreeWorkItem] E8510000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!InitSafeBootMode] 00002254
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlCompareMemory] 6A18538B
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 868D5200
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!memmove] 00001C98
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!MmHighestUserAddress] 2242E850
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!KfAcquireSpinLock] 8A000002
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!READ_PORT_UCHAR] 83880846
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!KeGetCurrentIrql] 000001C0
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!KfRaiseIrql] 2C4EB70F
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!KfLowerIrql] 8303C183
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!HalGetInterruptVector] D103FCE1
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!HalTranslateBusAddress] 2E7E8366
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!KeStallExecutionProcessor] 8D1C7400
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!KfReleaseSpinLock] 83893204
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 00000218
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!READ_PORT_USHORT] 2E4EB70F
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 021C8B89
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[HAL.dll!WRITE_PORT_UCHAR] B70F0000
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[WMILIB.SYS!WmiSystemControl] 03D00304
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[WMILIB.SYS!WmiCompleteRequest] 0CB389F2

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[824] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[824] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 88FD51F8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Fastfat \FatCdrom 88B9B1F8

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\PCI_PNP0990 \Device\00000042 spft.sys
Device \Driver\PCI_PNP0990 \Device\00000042 spft.sys
Device \Driver\usbuhci \Device\USBPDO-0 88F1D1F8
Device \Driver\usbuhci \Device\USBPDO-1 88F1D1F8
Device \Driver\usbuhci \Device\USBPDO-2 88F1D1F8
Device \Driver\usbuhci \Device\USBPDO-3 88F1D1F8
Device \Driver\usbehci \Device\USBPDO-4 88FC31F8

AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 88F6B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 88F6B1F8
Device \Driver\Cdrom \Device\CdRom0 88F1F1F8
Device \Driver\Cdrom \Device\CdRom1 88F1F1F8
Device \Driver\atapi \Device\Ide\IdePort0 88FD61F8
Device \Driver\atapi \Device\Ide\IdePort1 88FD61F8
Device \Driver\atapi \Device\Ide\IdePort2 88FD61F8
Device \Driver\atapi \Device\Ide\IdePort3 88FD61F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 88FD61F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-7 88FD61F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88CBE2B0
Device \Driver\NetBT \Device\NetBT_Tcpip_{B53CE021-1C69-4AAC-8CEA-CA005F58379F} 88CBE2B0
Device \Driver\NetBT \Device\NetbiosSmb 88CBE2B0

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\USBSTOR \Device\0000006c 88B0A1F8
Device \Driver\usbuhci \Device\USBFDO-0 88F1D1F8
Device \Driver\USBSTOR \Device\0000006d 88B0A1F8
Device \Driver\usbuhci \Device\USBFDO-1 88F1D1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88D38458
Device \Driver\usbuhci \Device\USBFDO-2 88F1D1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88D38458
Device \Driver\usbuhci \Device\USBFDO-3 88F1D1F8
Device \Driver\usbehci \Device\USBFDO-4 88FC31F8
Device \Driver\Ftdisk \Device\FtControl 88F6B1F8
Device \Driver\sptd \Device\3500482240 spft.sys
Device \Driver\aj6akis2 \Device\Scsi\aj6akis21Port4Path0Target0Lun0 88E551F8
Device \Driver\aj6akis2 \Device\Scsi\aj6akis21 88E551F8
Device \FileSystem\Fastfat \Fat 88B9B1F8

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \FileSystem\Cdfs \Cdfs 88B121F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programas\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEB 0xF8 0x7F 0x2F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFB 0xFB 0x6F 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC8 0x39 0x31 0x2E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programas\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xEB 0xF8 0x7F 0x2F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xFB 0xFB 0x6F 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xC8 0x39 0x31 0x2E ...

---- EOF - GMER 1.0.15 ----

regards
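The GMER output in the post above lists SSDT and kernel IAT hooks but does not say which of them are expected. The Python below is an added example, not part of the original thread and not GMER's own code: it parses those two sections and splits the hooks into ones owned by drivers the thread itself accounts for (aswSP.SYS, which GMER labels as avast!'s self-protection module, and spft.sys, which the sptd\Cfg registry keys in the same log tie to DAEMON Tools Lite) and ones GMER printed no owning module for. The allowlist, the regexes and the function names are assumptions of this example; the sample input is a handful of lines excerpted from the log above, plus one user-mode IAT line to show it is skipped.

```python
import re
from collections import Counter

# Drivers whose hooks this thread already explains. Everything else is
# "unexplained": a prompt to look closer, not a malware verdict. (Assumed
# allowlist for this example.)
KNOWN_HOOKERS = {
    "aswsp.sys": "avast! self protection module (vendor string printed by GMER)",
    "spft.sys": "SPTD / DAEMON Tools Lite (sptd\\Cfg@p0 in the GMER registry section)",
}

# "SSDT <module> (<vendor>) Zw<func> [0x<addr>]"; the vendor part is optional.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
# Kernel IAT lines come in two shapes:
#   "IAT victim[import] [addr] owner"   (GMER resolved the hooking module)
#   "IAT victim[import] addr"           (no owner resolved)
KIAT_RE = re.compile(
    r"^IAT\s+(?P<victim>\S+?)\[(?P<import>[^\]]+)\]\s+\[?(?P<addr>[0-9A-Fa-f]{8})\]?"
    r"(?:\s+(?P<owner>\S+))?\s*$"
)

# Excerpt of the GMER log posted in this thread (constructed sample for the example).
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB98DD6B8]
SSDT spft.sys ZwEnumerateKey [0xF78FFCA2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB98DD08C]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 88FD82D8
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F78E2040] spft.sys
IAT \SystemRoot\System32\Drivers\aj6akis2.SYS[ntoskrnl.exe!RtlInitUnicodeString] 0975013E

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[824] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000
"""


def basename(path):
    """Last component of a Windows or POSIX path, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].lower()


def parse_hooks(text):
    """Return one dict per SSDT or kernel-IAT hook line; other lines are ignored."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks.append({"kind": "SSDT", "target": m["func"],
                          "owner": basename(m["module"]), "addr": m["addr"].upper()})
            continue
        m = KIAT_RE.match(line)
        if m:  # the user-mode "IAT proc[pid] @ ..." shape does not match this regex
            owner = basename(m["owner"]) if m["owner"] else None
            hooks.append({"kind": "IAT",
                          "target": f"{basename(m['victim'])}:{m['import']}",
                          "owner": owner, "addr": m["addr"].upper()})
    return hooks


def triage(text):
    """Count hooks per owning module and list the ones no allowlisted driver explains."""
    hooks = parse_hooks(text)
    per_owner = Counter(h["owner"] or "<unresolved>" for h in hooks)
    unexplained = [h for h in hooks if h["owner"] not in KNOWN_HOOKERS]
    return {"total": len(hooks), "per_owner": dict(per_owner), "unexplained": unexplained}


if __name__ == "__main__":
    report = triage(SAMPLE_GMER_LOG)
    print(f"{report['total']} kernel hooks parsed")
    for owner, n in sorted(report["per_owner"].items()):
        print(f"  {owner:<14} {n:>3}  {KNOWN_HOOKERS.get(owner, 'not on allowlist')}")
    for h in report["unexplained"]:
        print(f"  look closer: {h['kind']} {h['target']} @ {h['addr']} (owner: {h['owner']})")
```

On the full log the same split is what the helper does by hand two posts later: DeFogger takes the CD-emulation driver (and its SPTD hooks) out of the picture so that anything still hooking the kernel stands out. Note that an IAT entry with no resolved owner only means GMER could not attribute it; deciding what it is takes a look at the driver file itself, which this example does not do.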

#6 Elise

Posted 10 June 2010 - 09:55 AM

Hello again,


P2P WARNING
-------------------
Going over your logs I noticed that you have uTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
It is pretty much certain that if you continue to use P2P programs, you will get infected again.
I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.


Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.


COMBOFIX
---------------
Please download ComboFix from one of these locations:
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, or if you are running Vista, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

Malware analyst @ Emsisoft


#7 bspirit (Topic Starter)

Posted 10 June 2010 - 12:21 PM

I already deleted uTorrent, thanks. This is a POS computer, so it can't have anything illegal on it.

here is Combofix.txt

ComboFix 10-06-09.04 - ezyx 10-06-2010 18:10:28.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.351.2070.18.1215.696 [GMT 1:00]
Running from: c:\documents and settings\ezyx\Ambiente de trabalho\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 100610-1] *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Process.exe
E:\mspaint.exe

.
(((((((((((((((( Files Created From 2010-05-10 to 2010-06-10 ))))))))))))))))))))))))))))
.

2010-06-06 22:54 . 2005-10-19 17:50 16384 ----a-w- c:\windows\system32\restart.exe
2010-06-06 22:54 . 2005-01-20 12:47 175616 ----a-w- c:\windows\system32\strings.exe
2010-06-06 22:54 . 2005-01-13 20:41 39184 ----a-w- c:\windows\system32\Ntrights.exe
2010-06-06 22:54 . 2005-01-13 20:41 11254 ----a-w- c:\windows\system32\locate.com
2010-05-26 20:24 . 2010-05-26 20:24 -------- d-----w- c:\programas\Microsoft Works
2010-05-26 20:23 . 2010-05-26 20:23 -------- d-----w- c:\programas\Microsoft.NET
2010-05-26 20:21 . 2010-05-26 20:21 -------- d-----w- c:\windows\SHELLNEW
2010-05-26 20:20 . 2010-05-26 20:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-26 20:19 . 2010-05-26 20:19 -------- d-----r- C:\MSOCache
2010-05-18 10:23 . 2010-05-18 10:23 -------- d-----w- c:\documents and settings\ezyx\Application Data\Skype
2010-05-18 10:23 . 2010-05-18 10:23 -------- d-----w- c:\documents and settings\ezyx\Application Data\SkypePM

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-10 16:58 . 2009-04-12 02:15 -------- d-----w- c:\programas\GesPOS3
2010-06-09 21:36 . 2009-09-13 18:31 1 ----a-w- c:\documents and settings\ezyx\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-05-26 20:15 . 2009-08-31 19:38 -------- d-----w- c:\documents and settings\ezyx\Application Data\DAEMON Tools Lite
2010-05-22 20:19 . 2009-08-31 19:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-22 19:27 . 2009-08-31 19:49 -------- d-----w- c:\programas\Unlocker
2010-05-22 19:01 . 2009-10-03 09:26 -------- d-----w- c:\documents and settings\ezyx\Application Data\uTorrent
2010-05-22 08:11 . 2009-08-31 19:48 -------- d-----w- c:\programas\SpywareBlaster
2010-05-22 08:07 . 2009-04-12 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\GesPOS
2010-05-08 23:36 . 2009-08-31 19:46 -------- d-----w- c:\programas\FlashGet
2010-03-28 08:03 . 2004-08-04 12:00 81346 ----a-w- c:\windows\system32\perfc016.dat
2010-03-28 08:03 . 2004-08-04 12:00 482710 ----a-w- c:\windows\system32\perfh016.dat
.

(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RocketDock"="c:\programas\RocketDock\RocketDock.exe" [2007-09-02 495616]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 53248]
"SunJavaUpdateSched"="c:\programas\Java\jre6\bin\jusched.exe" [2009-08-31 148888]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]

c:\documents and settings\ezyx\Menu Iniciar\Programas\Arranque\
Casa.lnk - e:\programas\MirandaCasa\Casa.exe [2009-12-5 128168]
SpywareGuard.lnk - c:\programas\SpywareGuard\sgmain.exe [2003-8-29 360448]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMHelp"= 01000000
"NoRecentDocsNetHood"= 01000000
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2008-12-29 10:40 687560 ----a-w- c:\programas\DAEMON Tools Lite\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"GhostStartService"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Programas\\FlashGet\\flashget.exe"=
"c:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"e:\\Programas\\MirandaCasa\\App\\miranda\\miranda32.exe"=
"e:\\Programas\\Miranda\\App\\miranda\\miranda32.exe"=
"e:\\Programas\\Messenger\\App\\miranda\\miranda32.exe"=
"c:\\Programas\\Opera\\opera.exe"=
"e:\\Programas\\WinSCPPortable\\App\\winscp\\winscp.exe"=
"e:\\Setups\\utorrent.exe"=
"c:\\Documents and Settings\\ezyx\\Ambiente de trabalho\\SkypePortable\\App\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [31-08-2009 21:03 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [31-08-2009 21:03 20560]
R2 ioocx;ioocx;c:\windows\system32\drivers\ioocx.sys [17-01-2002 20:19 3459]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12-04-2009 1:21 717296]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.pt/
IE: &Download All with FlashGet - c:\programas\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\programas\FlashGet\jc_link.htm
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {35A4B5F5-3605-4977-A660-1BD15E249A4A} = 192.168.0.1
TCP: {78C92770-E06D-436C-BE27-4EA661405E95} = 192.168.0.1
TCP: {8A56EEBD-3A33-4F4C-AE5B-D6DAD83D2EA2} = 192.168.0.1
TCP: {9C3D93F1-E3AA-4075-857E-6BAF4683A3E4} = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-GhostStartTrayApp - c:\programas\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
AddRemove-uTorrent - c:\programas\uTorrent\uTorrent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-10 18:14
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2010-06-10 18:16:16
ComboFix-quarantined-files.txt 2010-06-10 17:16

Pré-execução: 10.988.122.112 bytes livres
Pós execução: 11.220.246.528 bytes livres

WindowsXP-KB310994-SP2-Home-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 8F3825B933099F937A1D6DE8CBE6DD81


regards


#8 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:31 AM

Posted 10 June 2010 - 02:37 PM

Hello again,
Please let me know how things are running after completing the steps below.

UPDATE JAVA
------------------
Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.



MALWAREBYTES ANTIMALWARE
-------------------------------------------
Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
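The step above notes that the Java installer only removes the immediately previous release, so older, still-exploitable JREs tend to linger in Add/Remove Programs. The following script is an added example, not part of the thread or of Java's own tooling: it audits the DisplayName entries that Add/Remove Programs is built from (read from the Uninstall registry key on Windows, or from a supplied list elsewhere) and reports each Java entry as current, outdated or unknown against the thread's target of Java 6 Update 20. The DisplayName formats it parses and the sample list are constructed assumptions.

```python
"""Check Add/Remove Programs entries for Java runtimes older than a target.

Added example (not from the BleepingComputer thread): the Java 6u10+ installer
removes only the immediately previous release, so older JREs linger and stay
exploitable. Reads DisplayName values from the Uninstall registry key on
Windows (or audits a supplied list elsewhere) and reports each Java entry as
current, outdated or unknown. Name formats and the sample list are constructed.
"""
import re
import sys

# Target from the thread: Java 6 Update 20, expressed as (major, update).
TARGET = (6, 20)

# Entries worth looking at: "Java(TM) ...", "J2SE Runtime Environment ...".
_NAME_RE = re.compile(r"\b(?:java|j2se)\b", re.I)

# Assumed DisplayName version formats for Sun/Oracle JREs (constructed list).
_PATTERNS = [
    # "Java(TM) 6 Update 20", "J2SE Runtime Environment 5.0 Update 6"
    re.compile(r"\b(?:1\.)?(\d)(?:\.\d)?\s+Update\s+(\d+)", re.I),
    # "Java 2 Runtime Environment, SE v1.4.2_03", "... 1.6.0_20"
    re.compile(r"1\.(\d)\.\d+_(\d+)"),
]

# Constructed sample of Add/Remove Programs names, as seen on an XP-era box.
SAMPLE = [
    "Java(TM) 6 Update 20",
    "Java(TM) 6 Update 13",
    "J2SE Runtime Environment 5.0 Update 6",
    "Java 2 Runtime Environment, SE v1.4.2_03",
    "Java Auto Updater",
    "Adobe Reader 9.3",
]


def java_version(display_name):
    """Return (major, update) parsed from a DisplayName, or None if absent."""
    for pattern in _PATTERNS:
        match = pattern.search(display_name)
        if match:
            return int(match.group(1)), int(match.group(2))
    return None


def audit_java(display_names, target=TARGET):
    """Return [(display_name, verdict)] for every Java-related entry.

    verdict is 'current' when the version is at or above target, 'outdated'
    when older, and 'unknown' when the name looks like Java but carries no
    parseable version (review those by hand).
    """
    report = []
    for name in display_names:
        if not _NAME_RE.search(name):
            continue
        version = java_version(name)
        if version is None:
            verdict = "unknown"
        elif version >= target:
            verdict = "current"
        else:
            verdict = "outdated"
        report.append((name, verdict))
    return report


def installed_programs():
    """Collect DisplayName values from the Uninstall keys (Windows only)."""
    import winreg  # standard library, available only on Windows
    names = []
    for subkey in (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
                   r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"):
        try:
            key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey)
        except OSError:
            continue  # key absent (e.g. no Wow6432Node on 32-bit XP)
        with key:
            index = 0
            while True:
                try:
                    entry = winreg.EnumKey(key, index)
                except OSError:
                    break  # no more subkeys
                index += 1
                try:
                    with winreg.OpenKey(key, entry) as item:
                        names.append(winreg.QueryValueEx(item, "DisplayName")[0])
                except OSError:
                    pass  # entries without a DisplayName are not shown in Add/Remove
    return names


if __name__ == "__main__":
    names = installed_programs() if sys.platform == "win32" else SAMPLE
    for name, verdict in audit_java(names):
        print(f"{verdict:8s} {name}")
```

Run it on the machine after the update: anything reported as outdated is a leftover runtime to remove through Add/Remove Programs; an unknown entry such as "Java Auto Updater" is a helper rather than a runtime and can be ignored.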


#9 bspirit

bspirit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:31 AM

Posted 11 June 2010 - 05:29 AM

Hello, here is the Malwarebytes log.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Versão da base de dados: 4188

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

11-06-2010 11:26:42
mbam-log-2010-06-11 (11-26-42).txt

Tipo de pesquisa: Completa (C:\|E:\|)
Objectos verificados: 163151
Tempo decorrido: 43 minuto(s), 47 segundo(s)

Processos de memória infectados: 0
módulos de Memória infectados: 0
Chaves do Registo Infectadas: 0
Valores do Registo infectados: 0
Itens de dados do Registo Infectados: 0
Pastas Infectadas: 0
Ficheiros Infectados: 0

Processos de memória infectados:
(Nenhum item malicioso detectado)

módulos de Memória infectados:
(Nenhum item malicioso detectado)

Chaves do Registo Infectadas:
(Nenhum item malicioso detectado)

Valores do Registo infectados:
(Nenhum item malicioso detectado)

Itens de dados do Registo Infectados:
(Nenhum item malicioso detectado)

Pastas Infectadas:
(Nenhum item malicioso detectado)

Ficheiros Infectados:
(Nenhum item malicioso detectado)


regards

#10 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:31 AM

Posted 11 June 2010 - 05:34 AM

Hi there, time for a last check and some updating.

ESET ONLINE SCANNER
----------------------------
I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    Note - when ESET doesn't find any threats, no report will be created.
  12. Push the button.
  13. Push

UPDATE XP
--------------
Your Microsoft Windows installation is out of date. Using unpatched Windows systems on the Internet is a security risk to everyone. When there are insecure computers connected to the Internet, malware spreads faster and more extensively, distributed denial-of-service attacks are easier to launch, and spammers have more platforms from which to send e-mail. Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your computer. Keeping up-to-date with all these security patches will help prevent malware from reinfecting your machine. If you are not sure how to do this, see How to use Microsoft Update.

For additional information, be sure to read "Windows Xp Service Pack 3 (sp3) Information".

Then go here to check for & install updates to Microsoft applications.
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.

Please reboot and repeat the update process until there are no more updates to install.

regards, Elise



#11 bspirit

bspirit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:31 AM

Posted 12 June 2010 - 07:25 AM

Hello.

Here is the ESET log.

E:\Setups\unlocker1.8.7.exe a variant of Win32/Adware.ADON application deleted - quarantined


regards

#12 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:31 AM

Posted 12 June 2010 - 07:26 AM

Well done! Unless you have any problems left, you are good to go!

ALL CLEAN
--------------
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it clean.

Please do the following to remove the remaining programs from your PC:
  • Delete the tools used during the disinfection:
    • Click start > run and type combofix /uninstall, press enter. This will remove Combofix from your computer.
    • Delete DDS, GMER (this is a random named file) and OTL.
Please read this advice, in order to prevent reinfecting your PC:
  1. Install and update the following programs regularly:
    • an outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here.
    • an AntiVirus Software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats.
    • an Anti-Spyware program
      Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
      SUPERAntiSpyware is another good scanner with high detection and removal rates.
      Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
    • Spyware Blaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    • MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  2. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.
    Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!
  3. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  4. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing.
Some more links you might find of interest:

Please reply to this topic if you have read the above information. If your computer is working fine, this topic will be closed afterwards.

regards, Elise


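The MVPs hosts file recommended in the post above works by mapping known ad and malware hostnames to a sink address (0.0.0.0 or 127.0.0.1). The same file is also a common tampering target, since an infection can point security vendors' update sites at an attacker-controlled address. The script below is an added example, not part of the thread or of the MVPs project: it parses a hosts file and separates legitimate block entries from entries that redirect a hostname to a routable address, which is the pattern to investigate. The sample hosts content is constructed; the addresses in it are documentation-range placeholders.

```python
"""Audit a Windows hosts file: legitimate blocklist entries versus redirects.

Added example (not from the BleepingComputer thread or the MVPs project).
Blocklist hosts files map unwanted names to 0.0.0.0 / 127.0.0.1; an entry
that maps a name to any other address makes the machine resolve that name
to a fixed, possibly attacker-chosen, IP. Sample content is constructed.
"""
import ipaddress
import os

# Addresses a blocklist-style hosts file legitimately points names at.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample: Microsoft header comment, the default loopback line,
# two MVPs-style block entries, and two redirects of security vendor sites
# to a placeholder address from the TEST-NET-3 documentation range.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0 ads.example-adnetwork.test   # MVPs-style block entry
0.0.0.0 tracker.example.test
203.0.113.7 www.malwarebytes.org      # redirect of a security vendor
203.0.113.7 www.avast.com
::1 localhost
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; comments, blanks and malformed lines skip."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip = parts[0]
        try:
            ipaddress.ip_address(ip)           # rejects non-addresses
        except ValueError:
            continue
        for host in parts[1:]:                 # one line may list several names
            yield ip, host.lower()


def audit_hosts(text):
    """Return [(ip, hostname, kind)] with kind in {'local', 'block', 'redirect'}.

    'local' is the loopback name itself, 'block' is a sink-address entry as a
    blocklist uses, and 'redirect' is a name pinned to a routable address.
    """
    findings = []
    for ip, host in parse_hosts(text):
        if ip in SINK_ADDRESSES:
            kind = "local" if host == "localhost" else "block"
        else:
            kind = "redirect"
        findings.append((ip, host, kind))
    return findings


def redirects(text):
    """Just the entries that deserve a look: names pinned to routable addresses."""
    return [(ip, host) for ip, host, kind in audit_hosts(text) if kind == "redirect"]


if __name__ == "__main__":
    # Real location on Windows; on other systems the constructed sample is used.
    hosts_path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                              "System32", "drivers", "etc", "hosts")
    if os.path.exists(hosts_path):
        with open(hosts_path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        content = SAMPLE_HOSTS
    entries = audit_hosts(content)
    print(f"{len(entries)} entries, {sum(k == 'block' for _, _, k in entries)} block entries")
    for ip, host in redirects(content):
        print(f"REDIRECT {host} -> {ip}")
```

A large MVPs-style file will produce thousands of block entries and zero redirects; any redirect line, especially one naming an antivirus or update site, is worth checking before trusting a scanner that could not update.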

#13 bspirit

bspirit
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:03:31 AM

Posted 12 June 2010 - 02:13 PM

Hi, thanks for your help and patience, you may close the thread.

regards

#14 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,313 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:11:31 AM

Posted 12 June 2010 - 02:28 PM

You are welcome.

This topic will now be closed. If you need it reopened, please send me a PM.

Everyone else, please start a new topic.

regards, Elise





