
Infected with mgking0.dll in winsis32


This topic is locked
22 replies to this topic

#1 kikamor
  • Members
  • 11 posts
  • Gender: Male
  • Location: Ilha Grande-Rio de Janeiro-Brazil

Posted 18 November 2010 - 01:23 PM

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 16:14:20, on 18/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vVX1000.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Arquivos de programas\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqbam08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Orbitdownloader\orbitnet.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllhost.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://br.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [filecroc] "C:\Arquivos de programas\FileCroc\FileCroc.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [king_mg] C:\WINDOWS\system32\mgking.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Orbit.lnk = C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
O4 - Global Startup: REALTEK 11n USB Wireless LAN Utility.lnk = C:\Arquivos de programas\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289871753484
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 12284 bytes


#2 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 19 November 2010 - 02:28 AM

Hi,

* Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 kikamor
  • Topic Starter
  • Members
  • 11 posts
  • Gender: Male
  • Location: Ilha Grande-Rio de Janeiro-Brazil

Posted 20 November 2010 - 08:26 AM

Thank you so much miekiemoes!!!



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:21:30, on 20/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\vVX1000.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Arquivos de programas\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
C:\Arquivos de programas\Orbitdownloader\orbitnet.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqbam08.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://br.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.orbitdownloader.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Arquivos de programas\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Arquivos de programas\Arquivos comuns\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Advanced SystemCare 3] "C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [filecroc] "C:\Arquivos de programas\FileCroc\FileCroc.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Orbit.lnk = C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
O4 - Global Startup: REALTEK 11n USB Wireless LAN Utility.lnk = C:\Arquivos de programas\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289871753484
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 12182 bytes



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5156

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

20/11/2010 11:11:39
mbam-log-2010-11-20 (11-11-39).txt

Scan type: Quick scan
Objects scanned: 144990
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\king_mg (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
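As an added example, not code from this thread or from the Malwarebytes or HijackThis authors: a small Python triage script that parses the MBAM detection lines above together with the O4 autorun lines from the HijackThis log, and states in plain words what each "Registry Data Items" hit means (a value that was changed, not created, which is why MBAM reports a Bad and a Good value). The two log excerpts are constructed from the lines posted in this thread; the review rule for per-user Run entries that launch a bare executable out of the system directory is this reviewer's own heuristic, not a rule of either tool.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the detection lines from the MBAM log posted in
# this thread, trimmed to the sections that contained hits.
MBAM_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\king_mg (Spyware.OnlineGames) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# Constructed sample input: four O4 lines from the first HijackThis log in
# this thread, including the king_mg entry that MBAM later removed.
HJT_LOG = r"""
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [king_mg] C:\WINDOWS\system32\mgking.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
"""


@dataclass
class MbamFinding:
    section: str          # log section the hit was listed under
    path: str             # registry key or value path
    threat: str           # MBAM family name in parentheses
    bad: Optional[str]    # observed data (only for "Registry Data Items")
    good: Optional[str]   # expected data (only for "Registry Data Items")
    action: str           # what MBAM did with it


# One MBAM detection line: path, (family), optional "Bad: (x) Good: (y)", action.
MBAM_LINE = re.compile(
    r"^(?P<path>HKEY_[A-Z_]+\\.+?) \((?P<threat>[^)]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>.+)$"
)


def parse_mbam_log(text: str) -> List[MbamFinding]:
    """Return one MbamFinding per registry hit, tagged with its log section."""
    section = ""
    out: List[MbamFinding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):      # section header such as "Registry Values Infected:"
            section = line[:-1]
            continue
        m = MBAM_LINE.match(line)
        if m:
            out.append(MbamFinding(section, m["path"], m["threat"], m["bad"], m["good"], m["action"]))
    return out


@dataclass
class AutorunEntry:
    hive: str     # HKLM, HKCU or HKUS\<SID>
    key: str      # Run or RunOnce
    name: str     # value name shown in [brackets]
    command: str  # full command line


# HijackThis O4 registry autorun line (Global Startup .lnk lines use another format and are skipped).
HJT_O4 = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<name>[^\]]+)\] (?P<command>.+)$"
)


def parse_hjt_autoruns(text: str) -> List[AutorunEntry]:
    """Parse the O4 registry autorun lines out of a HijackThis log."""
    out: List[AutorunEntry] = []
    for raw in text.splitlines():
        m = HJT_O4.match(raw.strip())
        if m:
            out.append(AutorunEntry(m["hive"], m["key"], m["name"], m["command"]))
    return out


def executable_of(command: str) -> str:
    """Extract the executable path from an O4 command string, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ", 1)[0]


def review_autoruns(entries: List[AutorunEntry]) -> List[str]:
    """Heuristic (this reviewer's, not a tool rule): a per-user Run entry that launches a bare
    executable out of \\WINDOWS\\system32 deserves a look, since legitimate software normally
    installs under Program Files or registers machine-wide under HKLM. ctfmon.exe is exempt
    because Windows XP itself registers it per user."""
    flagged = []
    for e in entries:
        exe = executable_of(e.command).lower()
        if e.hive == "HKCU" and "\\windows\\system32\\" in exe and not exe.endswith("\\ctfmon.exe"):
            flagged.append(e.name)
    return flagged


# Plain-language meaning of the two tampering families seen in this thread.
TAMPER_MEANING = {
    "Disabled.SecurityCenter": "Security Center warning suppressed",
    "Hijack.System.Hidden": "Explorer 'show hidden files' option disabled",
}


def describe_tampering(findings: List[MbamFinding]) -> List[str]:
    """Turn 'Registry Data Items' hits (an existing value changed) into readable statements."""
    notes = []
    for f in findings:
        if f.section != "Registry Data Items Infected":
            continue
        value = f.path.rsplit("\\", 1)[1]
        notes.append(f"{value} was {f.bad}, expected {f.good}: {TAMPER_MEANING.get(f.threat, f.threat)}")
    return notes


if __name__ == "__main__":
    findings = parse_mbam_log(MBAM_LOG)
    for note in describe_tampering(findings):
        print(note)
    print("autorun entries worth reviewing:", review_autoruns(parse_hjt_autoruns(HJT_LOG)))
```

Run over the constructed excerpts, the script lists the three changed data items (the two Security Center notification flags set to 1 and the SHOWALL CheckedValue set to 0) and flags the king_mg entry, which is exactly the triage a helper does by eye when reading such a log: a persistence entry plus settings that hide the infection from the user and from Security Center.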

#4 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 20 November 2010 - 08:30 AM

Hi,

Looks like this fixed the leftovers; however, I see Malwarebytes didn't delete its related files - unless they were already deleted previously.
So to make sure, please do the following.

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Copy and paste the contents of DDS.txt in your next reply. Do not copy and paste the contents of Attach.txt, but attach it to your reply instead.

#5 kikamor
  • Topic Starter
  • Members
  • 11 posts
  • Gender: Male
  • Location: Ilha Grande-Rio de Janeiro-Brazil

Posted 20 November 2010 - 08:44 AM

I already had a free version of Avast antivirus on my PC before the scans.

#6 miekiemoes
  • Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender: Female
  • Location: Belgium

Posted 20 November 2010 - 08:49 AM

Yes, I know. I just want to verify with the DDS log if it's really gone.

#7 kikamor
  • Topic Starter
  • Members
  • 11 posts
  • Gender: Male
  • Location: Ilha Grande-Rio de Janeiro-Brazil

Posted 20 November 2010 - 09:34 AM

DDS (Ver_10-11-10.01) - NTFSx86
Run by Administrador at 12:30:17,01 on sáb 20/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1519.484 [GMT -2:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\vVX1000.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Arquivos de programas\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Orbitdownloader\orbitnet.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqbam08.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\DreaMule\emule.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Microsoft Office\Office12\WINWORD.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\arquivos de programas\orbitdownloader\orbitcth.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\arquivos de programas\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\arquiv~1\micros~4\office12\GRA8E1~1.DLL
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\arquivos de programas\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\arquivos de programas\orbitdownloader\GrabPro.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\arquivos de programas\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Advanced SystemCare 3] "c:\arquivos de programas\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [msnmsgr] "c:\arquivos de programas\windows live\messenger\msnmsgr.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\arquivos de programas\arquivos comuns\ahead\lib\NMBgMonitor.exe"
uRun: [Google Update] "c:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\GoogleUpdate.exe" /c
uRun: [filecroc] "c:\arquivos de programas\filecroc\FileCroc.exe" -h
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sony Ericsson PC Suite] "c:\arquivos de programas\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [Skype] "c:\arquivos de programas\skype\phone\Skype.exe" /nosplash /minimized
mRun: [avast5] c:\arquiv~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [GrooveMonitor] "c:\arquivos de programas\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\arquivos de programas\arquivos comuns\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre6\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [LifeCam] "c:\arquivos de programas\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [HP Software Update] c:\arquivos de programas\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\arquivos de programas\arquivos comuns\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse

#8 miekiemoes

miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 November 2010 - 09:36 AM

Hi,

Can you rescan and attach the log instead? Because the log is incomplete.

#9 kikamor

kikamor
  • Topic Starter
  • Members
  • 11 posts
  • Gender:Male
  • Location:Ilha Grande-Rio de Janeiro-Brazil

Posted 20 November 2010 - 09:45 AM

DDS (Ver_10-11-10.01) - NTFSx86
Run by Administrador at 12:43:25,62 on s b 20/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1519.456 [GMT -2:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\vVX1000.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqtra08.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Arquivos de programas\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
C:\Arquivos de programas\Orbitdownloader\orbitnet.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqbam08.exe
C:\Arquivos de programas\Skype\Plugin Manager\skypePM.exe
C:\Arquivos de programas\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\DreaMule\emule.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Arquivos de programas\Microsoft Office\Office12\WINWORD.EXE
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.orbitdownloader.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\arquivos de programas\orbitdownloader\orbitcth.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\arquivos de programas\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\arquiv~1\micros~4\office12\GRA8E1~1.DLL
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\arquivos de programas\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\arquivos de programas\orbitdownloader\GrabPro.dll
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - c:\arquivos de programas\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [Advanced SystemCare 3] "c:\arquivos de programas\iobit\advanced systemcare 3\AWC.exe" /startup
uRun: [msnmsgr] "c:\arquivos de programas\windows live\messenger\msnmsgr.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\arquivos de programas\arquivos comuns\ahead\lib\NMBgMonitor.exe"
uRun: [Google Update] "c:\documents and settings\administrador\configurações locais\dados de aplicativos\google\update\GoogleUpdate.exe" /c
uRun: [filecroc] "c:\arquivos de programas\filecroc\FileCroc.exe" -h
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Sony Ericsson PC Suite] "c:\arquivos de programas\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [Skype] "c:\arquivos de programas\skype\phone\Skype.exe" /nosplash /minimized
mRun: [avast5] c:\arquiv~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [GrooveMonitor] "c:\arquivos de programas\microsoft office\office12\GrooveMonitor.exe"
mRun: [NeroFilterCheck] c:\arquivos de programas\arquivos comuns\ahead\lib\NeroCheck.exe
mRun: [SunJavaUpdateSched] "c:\arquivos de programas\java\jre6\bin\jusched.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [LifeCam] "c:\arquivos de programas\microsoft lifecam\LifeExp.exe"
mRun: [VX1000] c:\windows\vVX1000.exe
mRun: [HP Software Update] c:\arquivos de programas\hp\hp software update\HPWuSchd2.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\arquivos de programas\arquivos comuns\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\QTTask.exe" -atboottime
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\hpdigi~1.lnk - c:\arquivos de programas\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\orbit.lnk - c:\arquivos de programas\orbitdownloader\orbitdm.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\realte~1.lnk - c:\arquivos de programas\realtek\11n usb wireless lan utility\RtWLan.exe
IE: &Download by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/202
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~4\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\arquiv~1\micros~4\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~4\office12\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\arquivos de programas\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289871753484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\arquiv~1\micros~4\office12\GR99D3~1.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\arquiv~1\micros~4\office12\GRA8E1~1.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\dadosd~1\mozilla\firefox\profiles\9c1aqhw3.default\
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBook.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpClipBookDB.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpNeoLogger.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSaturn.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSeymour.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartSelect.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSmartWebPrinting.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpSWPOperation.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPLogging.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTC.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXPMTL.dll
FF - component: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\components\hpXREStub.dll
FF - plugin: c:\arquivos de programas\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\arquivos de programas\hp\digital imaging\smart web printing\mozillaaddon3\plugins\nphpclipbook.dll
FF - plugin: c:\arquivos de programas\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\documents and settings\administrador\configuraã§ãµes locais\dados de aplicativos\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\arquivos de programas\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-9 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-9 17744]
R2 avast! Antivirus;avast! Antivirus;c:\arquivos de programas\alwil software\avast5\AvastSvc.exe [2010-11-9 40384]
R2 OMSI download service;Sony Ericsson OMSI download service;c:\arquivos de programas\sony ericsson\sony ericsson pc suite\SupServ.exe [2010-11-14 90112]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\arquivos de programas\alwil software\avast5\AvastSvc.exe [2010-11-9 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\arquivos de programas\alwil software\avast5\AvastSvc.exe [2010-11-9 40384]
R3 RTL8192su;Realtek RTL8192SU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8192su.sys [2010-11-10 594048]
R3 seehcri;Sony Ericsson seehcri Device Driver;c:\windows\system32\drivers\seehcri.sys [2010-11-14 27632]
S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\google\update\GoogleUpdate.exe [2010-11-9 136176]
S3 FXDrv32;FXDrv32;\??\d:\fxdrv32.sys --> d:\FXDrv32.sys [?]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);c:\windows\system32\drivers\s1018bus.sys [2010-11-14 86696]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;c:\windows\system32\drivers\s1018mdfl.sys [2010-11-14 15016]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;c:\windows\system32\drivers\s1018mdm.sys [2010-11-14 114472]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s1018mgmt.sys [2010-11-14 108200]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);c:\windows\system32\drivers\s1018nd5.sys [2010-11-14 26024]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;c:\windows\system32\drivers\s1018obex.sys [2010-11-14 104616]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);c:\windows\system32\drivers\s1018unic.sys [2010-11-14 109736]

=============== Created Last 30 ================

2010-11-20 12:52:27 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2010-11-20 12:37:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-20 12:37:35 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-18 16:13:44 -------- d-----w- c:\windows\system32\NtmsData
2010-11-18 15:51:46 -------- d-----w- c:\docume~1\alluse~1\dadosd~1\Malwarebytes
2010-11-18 15:51:46 -------- d-----w- c:\docume~1\admini~1\dadosd~1\Malwarebytes
2010-11-17 21:03:03 -------- d-----w- c:\docume~1\admini~1\dadosd~1\FastStone
2010-11-17 21:02:51 -------- d-----w- c:\arquivos de programas\FastStone Image Viewer
2010-11-17 19:47:12 -------- d-----w- c:\windows\system32\XPSViewer
2010-11-17 19:46:48 89088 ------w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2010-11-17 19:46:33 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2010-11-17 19:46:33 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2010-11-17 19:46:33 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2010-11-17 19:46:33 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2010-11-17 19:46:33 575488 ------w- c:\windows\system32\xpsshhdr.dll
2010-11-17 19:46:33 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2010-11-17 19:46:33 1676288 ------w- c:\windows\system32\xpssvcs.dll
2010-11-17 19:46:33 117760 ------w- c:\windows\system32\prntvpt.dll
2010-11-17 19:46:33 -------- d-----w- C:\7161e4d131699770c08c
2010-11-17 17:38:02 599040 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-11-17 17:38:01 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-11-17 17:38:01 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-11-17 17:37:59 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-11-17 17:37:59 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-11-17 17:37:58 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-11-17 15:06:20 -------- d-----w- c:\windows\ie8updates
2010-11-17 15:05:42 -------- d-----w- c:\arquivos de programas\MSXML 4.0
2010-11-17 03:29:24 -------- d-----w- c:\docume~1\admini~1\dadosd~1\ProgSense
2010-11-17 02:16:41 -------- d-----r- c:\arquivos de programas\Skype
2010-11-17 01:06:12 -------- d-----w- c:\windows\system32\appmgmt
2010-11-16 14:29:08 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-11-16 14:00:19 2194176 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-11-16 14:00:19 2150400 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-11-16 14:00:18 2071040 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-11-16 14:00:18 2028544 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-11-16 13:42:31 272384 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-11-16 13:42:31 272384 ------w- c:\windows\system32\drivers\bthport.sys
2010-11-16 11:47:10 -------- d-----w- c:\windows\system32\PreInstall
2010-11-16 11:47:08 -------- d--h--w- c:\windows\$hf_mig$
2010-11-16 06:40:35 -------- d-----w- c:\windows\system32\SoftwareDistribution
2010-11-15 21:16:21 -------- d-----w- c:\arquivos de programas\PluginLetras
2010-11-14 23:29:22 27632 ------w- c:\windows\system32\drivers\seehcri.sys
2010-11-14 23:29:19 148736 ------w- c:\docume~1\alluse~1\dadosd~1\hpeEE.dll
2010-11-14 22:56:56 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Sony Ericsson
2010-11-14 22:54:35 -------- d-----w- c:\docume~1\alluse~1\dadosd~1\Sony Ericsson
2010-11-14 15:16:37 2887680 ------w- c:\windows\system32\VagalumePluginWMP.dll
2010-11-14 01:23:12 -------- d-----w- c:\arquivos de programas\Musicmatch
2010-11-13 02:38:54 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Sony
2010-11-13 02:37:55 -------- d-----w- c:\arquivos de programas\arquivos comuns\Sony Shared
2010-11-13 02:37:32 -------- d-----w- c:\arquivos de programas\Sony
2010-11-13 02:37:30 -------- d-----w- c:\arquivos de programas\Sony Ericsson
2010-11-13 02:29:03 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Apple Computer
2010-11-11 17:06:08 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\FileCroc
2010-11-11 15:05:24 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Ares
2010-11-11 14:46:04 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\eMule
2010-11-11 14:46:00 -------- d-----w- c:\arquivos de programas\DreaMule
2010-11-11 03:09:36 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Adobe
2010-11-10 23:38:52 -------- d-----w- c:\arquivos de programas\Microsoft
2010-11-10 23:38:11 4927864 ------w- c:\arquivos de programas\arquivos comuns\windows live\.cache\55e9f3801cb8130\Silverlight.2.0.exe
2010-11-10 13:27:56 21361 ------w- c:\windows\system32\drivers\AegisP.sys
2010-11-10 13:25:42 614400 ------r- c:\windows\Rtlihvs.dll
2010-11-10 13:25:42 594048 ------r- c:\windows\system32\drivers\rtl8192su.sys
2010-11-10 13:25:42 380928 ------r- c:\windows\RtlUI2.exe
2010-11-10 13:25:42 188416 ------r- c:\windows\RTLExtUI.dll
2010-11-10 13:25:42 -------- d-----w- c:\windows\OPTIONS
2010-11-10 13:25:41 614400 ------r- c:\windows\system32\Rtlihvs.dll
2010-11-10 13:25:41 380928 ------r- c:\windows\system32\RtlUI2.exe
2010-11-10 13:25:40 188416 ------r- c:\windows\system32\RTLExtUI.dll
2010-11-10 13:25:34 451072 ------w- c:\windows\system32\ISSRemoveSP.exe
2010-11-10 13:25:34 -------- d-----w- c:\windows\system32\RtlGina
2010-11-10 13:25:34 -------- d-----w- c:\arquivos de programas\REALTEK
2010-11-10 11:15:57 601088 ------w- c:\windows\system32\arusb_xp.sys
2010-11-10 11:12:07 -------- d-----w- c:\docume~1\alluse~1\dadosd~1\Atheros
2010-11-10 01:33:39 5632 ------w- c:\windows\system32\ptpusb.dll
2010-11-10 01:33:38 159232 ------w- c:\windows\system32\ptpusd.dll
2010-11-10 01:33:37 15104 -c----w- c:\windows\system32\dllcache\usbscan.sys
2010-11-10 01:33:37 15104 ----a-w- c:\windows\system32\drivers\usbscan.sys
2010-11-10 00:23:37 -------- d-----w- c:\docume~1\alluse~1\dadosd~1\WEBREG
2010-11-10 00:02:14 -------- d-----w- c:\arquivos de programas\arquivos comuns\HP
2010-11-09 23:59:40 -------- d-----w- c:\arquivos de programas\arquivos comuns\Hewlett-Packard
2010-11-09 23:50:55 -------- d-----w- c:\arquivos de programas\HP
2010-11-09 23:48:36 16496 ------r- c:\windows\system32\drivers\HPZipr12.sys
2010-11-09 23:48:34 49920 ------r- c:\windows\system32\drivers\HPZid412.sys
2010-11-09 23:47:58 312832 ------w- c:\windows\system32\spool\prtprocs\w32x86\hpfpp70v.dll
2010-11-09 23:47:58 126976 ------w- c:\windows\system32\hpfll70v.dll
2010-11-09 23:47:57 452408 ------r- c:\windows\system32\hpzids01.dll
2010-11-09 23:47:30 372736 ------r- c:\windows\system32\hppldcoi.dll
2010-11-09 23:47:30 309760 ------r- c:\windows\system32\difxapi.dll
2010-11-09 23:47:30 21568 ------r- c:\windows\system32\drivers\HPZius12.sys
2010-11-09 23:46:12 25856 -c----w- c:\windows\system32\dllcache\usbprint.sys
2010-11-09 23:46:12 25856 ----a-w- c:\windows\system32\drivers\usbprint.sys
2010-11-09 23:31:51 -------- d-----w- c:\arquivos de programas\Microsoft LifeCam
2010-11-09 23:09:03 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Temp
2010-11-09 23:03:04 -------- d-----w- c:\arquivos de programas\VGA_32bit_V614104396
2010-11-09 22:30:38 -------- d-----w- c:\arquivos de programas\UIU
2010-11-09 22:29:48 16128 -c----w- c:\windows\system32\dllcache\modemcsa.sys
2010-11-09 22:29:48 16128 ----a-w- c:\windows\system32\drivers\MODEMCSA.sys
2010-11-09 22:29:28 172032 ------r- c:\windows\system32\Uci32114.dll
2010-11-09 22:29:27 94208 ------r- c:\windows\system32\mdmxsdk.dll
2010-11-09 22:29:27 12672 ------r- c:\windows\system32\drivers\mdmxsdk.sys
2010-11-09 22:29:27 -------- d-----w- c:\arquivos de programas\CONEXANT
2010-11-09 22:29:26 989696 ------r- c:\windows\system32\drivers\HSF_DPV.sys
2010-11-09 22:29:25 730112 ------r- c:\windows\system32\drivers\HSF_CNXT.sys
2010-11-09 22:29:25 257408 ------r- c:\windows\system32\drivers\HSFHWBS2.sys
2010-11-09 21:43:46 60032 -c----w- c:\windows\system32\dllcache\usbaudio.sys
2010-11-09 21:43:46 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-11-09 21:43:12 32128 -c----w- c:\windows\system32\dllcache\usbccgp.sys
2010-11-09 21:43:12 32128 ------w- c:\windows\system32\drivers\usbccgp.sys
2010-11-09 17:21:52 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Ahead
2010-11-09 17:21:47 143360 ------w- c:\windows\system32\igfxres.dll
2010-11-09 16:58:22 -------- d-----w- c:\docume~1\admini~1\dadosd~1\Blitware
2010-11-09 16:58:16 -------- d-----w- c:\arquivos de programas\Driver Robot
2010-11-09 16:57:46 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Mozilla
2010-11-09 16:43:43 -------- d-----w- c:\windows\system32\ReinstallBackups
2010-11-09 16:43:15 43880 ------r- c:\windows\system32\e100bmsg.dll
2010-11-09 16:43:15 35704 ------r- c:\windows\system32\NicInst.dll
2010-11-09 16:43:15 28536 ------r- c:\windows\system32\NicCo.dll
2010-11-09 16:43:15 165760 -c----w- c:\windows\system32\dllcache\e100b325.sys
2010-11-09 16:43:15 165760 ------r- c:\windows\system32\drivers\e100b325.sys
2010-11-09 16:43:15 154496 ------r- c:\windows\system32\Prounstl.exe
2010-11-09 16:43:01 6272 -c----w- c:\windows\system32\dllcache\splitter.sys
2010-11-09 16:43:01 6272 ------w- c:\windows\system32\drivers\splitter.sys
2010-11-09 16:41:46 -------- d-----w- C:\Intel
2010-11-09 16:39:14 221184 ------w- c:\windows\system32\wmpns.dll
2010-11-09 16:39:07 -------- d-----w- c:\arquivos de programas\Windows Media Connect 2
2010-11-09 16:35:28 73728 ------w- c:\windows\system32\javacpl.cpl
2010-11-09 16:35:28 410984 ------w- c:\windows\system32\deploytk.dll
2010-11-09 16:35:28 410984 ------w- c:\arquivos de programas\mozilla firefox\plugins\npdeploytk.dll
2010-11-09 16:31:46 -------- d-sh--w- c:\documents and settings\administrador\IECompatCache
2010-11-09 16:31:41 -------- d-----w- c:\docume~1\alluse~1\dadosd~1\Nero
2010-11-09 16:31:41 -------- d-----w- c:\arquivos de programas\Nero
2010-11-09 16:31:41 -------- d-----w- c:\arquivos de programas\arquivos comuns\Ahead
2010-11-09 16:31:18 -------- d-sh--w- c:\documents and settings\administrador\PrivacIE
2010-11-09 16:27:12 33104 ------w- c:\windows\system32\spool\prtprocs\w32x86\msonpppr.dll
2010-11-09 16:27:12 32592 ------w- c:\windows\system32\msonpmon.dll
2010-11-09 16:22:32 -------- d-----w- c:\windows\SHELLNEW
2010-11-09 16:22:12 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Microsoft Help
2010-11-09 16:18:37 -------- d-----w- C:\downloads
2010-11-09 16:18:37 -------- d-----w- c:\docume~1\admini~1\dadosd~1\GrabPro
2010-11-09 16:18:32 -------- d-----w- c:\arquivos de programas\Orbitdownloader
2010-11-09 16:13:39 -------- d-sh--w- c:\documents and settings\administrador\IETldCache
2010-11-09 16:12:19 -------- d-----w- c:\documents and settings\administrador\Tracing
2010-11-09 16:09:18 -------- d-----w- c:\arquivos de programas\Windows Live SkyDrive
2010-11-09 16:08:01 -------- dc-h--w- c:\windows\ie8
2010-11-09 16:07:21 136698728 ------w- c:\arquivos de programas\arquivos comuns\windows live\.cache\wlc100.tmp
2010-11-09 16:07:15 -------- d--h--w- c:\windows\msdownld.tmp
2010-11-09 16:05:18 -------- d-----w- c:\arquivos de programas\arquivos comuns\Windows Live
2010-11-09 16:04:05 -------- d-----w- c:\docume~1\admini~1\config~1\dadosd~1\Google
2010-11-09 16:03:52 38848 ------w- c:\windows\avastSS.scr
2010-11-09 16:01:57 -------- d-----w- c:\arquivos de programas\DVD Shrink
2010-11-09 16:01:08 -------- d-----w- c:\docume~1\alluse~1\dadosd~1\Alwil Software
2010-11-09 16:00:28 -------- d-----w- c:\windows\system32\LogFiles
2010-11-09 16:00:22 26144 ------w- c:\windows\system32\spupdsvc.exe
2010-11-09 15:59:12 -------- d-----w- c:\docume~1\admini~1\dadosd~1\IObit
2010-11-09 15:59:12 -------- d-----w- c:\arquivos de programas\IObit
2010-11-09 15:56:35 26368 -c----w- c:\windows\system32\dllcache\usbstor.sys
2010-11-09 15:00:52 41600 -c----w- c:\windows\system32\dllcache\weitekp9.dll

==================== Find3M ====================

2010-09-18 14:23:20 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:19 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:19 954368 ------w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:19 953856 ------w- c:\windows\system32\mfc40u.dll
2010-09-01 11:52:23 285824 ------w- c:\windows\system32\atmfd.dll
2010-09-01 07:57:19 1852928 ------w- c:\windows\system32\win32k.sys
2010-08-27 08:03:07 119808 ------w- c:\windows\system32\t2embed.dll
2010-08-23 16:12:00 617472 ------w- c:\windows\system32\comctl32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SAMSUNG_HD080HJ/P rev.ZH100-41 -> Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-f

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys intelide.sys PCIIDEX.SYS
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk1\DR1[0x89A66AB8]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\00000060[0x89AAE9E8]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Ide\IdeDeviceP1T1L0-17[0x89A72D98]
kernel: MBR read successfully
_asm { CLI ; MOV AX, 0x1000; MOV SS, AX; MOV SP, 0xb000; MOV AX, 0x0; MOV DS, AX; MOV ES, AX; STI ; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; REP MOVSB ; JMP FAR 0x0:0x621; }
user != kernel MBR !!!

============= FINISH: 12:43:53,23 ===============

#10 miekiemoes (Malware Response Team, Belgium)

Posted 20 November 2010 - 09:50 AM

Hi,

This looks OK. :)

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 kikamor (Topic Starter, Ilha Grande-Rio de Janeiro-Brazil)

Posted 20 November 2010 - 10:24 AM

Do you speak French, miekiemoes? I see that you come from Belgium. Because I can speak good French and I have very poor English...

#12 miekiemoes (Malware Response Team, Belgium)

Posted 20 November 2010 - 10:30 AM

Hi,

No, I speak Dutch, not French.
I do understand your English pretty well though...

#13 kikamor (Topic Starter, Ilha Grande-Rio de Janeiro-Brazil)

Posted 22 November 2010 - 07:37 AM

Please, I have some problems:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:35:02, on 22/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\Arquivos de programas\Google\Update\1.2.183.39\GoogleCrashHandler.exe
C:\Arquivos de programas\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Orbitdownloader\orbitdm.exe
C:\Arquivos de programas\REALTEK\11n USB Wireless LAN Utility\RtWLan.exe
C:\Arquivos de programas\Orbitdownloader\orbitnet.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Configurações locais\Dados de aplicativos\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Administrador\Desktop\Icones de Programas\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://br.msn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?shva=1#inbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\ARQUIV~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-1960408961-2000478354-1417001333-500\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Orbit.lnk
O4 - Global Startup: REALTEK 11n USB Wireless LAN Utility.lnk
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\ARQUIV~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Exibir ou ocultar HP Smart Web Printing - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Arquivos de programas\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1289871753484
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\ARQUIV~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Arquivos de programas\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe

--
End of file - 9408 bytes
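
The HijackThis log above is the kind of listing a helper reads by eye: R0/R1 lines for the IE start and search pages, O2 for Browser Helper Objects, O4 for autostart entries and O23 for services. The script below is an added example, written for this page and not part of the thread or of HijackThis itself; it parses those four line formats and flags the things that get checked first: a BHO whose DLL is gone (the `(no file)` entry above), a service with `Unknown owner`, an autostart that runs from outside the Windows and Program Files trees, and a start/search page pointing at a host outside a small allowlist. The sample log is constructed from entries in the log above plus one hypothetical `[updater]` autostart placed in the user profile to show what the location check catches; the trusted-path prefixes (Windows XP with the Portuguese "Arquivos de programas" folder and its 8.3 alias) and the host allowlist are assumptions, and a hit means "look at this", not "this is malware".

```python
"""Triage a HijackThis 2.0.4 log for entries worth a second look.

Added example for this thread, not a BleepingComputer or HijackThis tool.
It parses the R0/R1, O2, O4 and O23 line formats and reports entries a
helper would examine first. Paths and allowlists below are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in HijackThis format. All but the [updater] line mirror
# entries from the posted log; [updater] is hypothetical and shows what the
# location check catches.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.google.com/mail/?shva=1#inbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avast5] C:\ARQUIV~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\Documents and Settings\Administrador\Dados de aplicativos\updater.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Sony Ericsson OMSI download service (OMSI download service) - Unknown owner - C:\Arquivos de programas\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe
"""

# Assumption: Windows XP layout with the Portuguese Program Files name and
# its 8.3 alias. Anything started from elsewhere (profile, temp, C:\ root)
# is reported for manual review.
TRUSTED_PREFIXES = (
    "c:\\windows\\", "c:\\arquivos de programas\\", "c:\\arquiv~1\\",
    "c:\\program files\\", "c:\\progra~1\\",
)
# Assumption: hosts used by the IE8 defaults on this system plus the user's
# own Gmail start page.
KNOWN_PAGE_HOSTS = {"go.microsoft.com", "home.microsoft.com", "br.msn.com", "mail.google.com"}

PAGE_RE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+) = (?P<url>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The path is anchored on a drive letter so an owner containing " - " still splits correctly.
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>[A-Za-z]:\\.*)$")
# First token ending in an executable extension, with or without quotes; drops arguments.
EXE_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|scr|com|bat|cmd|vbs))"?(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HijackThis section the line came from
    reason: str
    line: str


def exe_path(cmd: str) -> str:
    """Return the executable part of an O4 command line, arguments stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def in_trusted_location(path: str) -> bool:
    """True when the path sits under one of the assumed Windows/Program Files prefixes."""
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(log_text: str) -> list[Finding]:
    """Walk the log line by line and collect entries that deserve a manual look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := PAGE_RE.match(line):
            # HijackThis prefixes some values with '&'; strip it before parsing the URL.
            host = urlparse(m.group("url").lstrip("&")).hostname or ""
            if host not in KNOWN_PAGE_HOSTS:
                findings.append(Finding("R0/R1", f"IE page set to unknown host {host!r}", line))
        elif m := BHO_RE.match(line):
            if m.group("path") == "(no file)":
                findings.append(Finding("O2", "BHO registered but its DLL is missing (orphaned CLSID)", line))
        elif m := RUN_RE.match(line):
            exe = exe_path(m.group("cmd"))
            if not in_trusted_location(exe):
                findings.append(Finding("O4", f"autostart [{m.group('name')}] runs from outside Windows/Program Files: {exe}", line))
        elif m := SVC_RE.match(line):
            if m.group("owner") == "Unknown owner":
                findings.append(Finding("O23", "service has no publisher (unsigned or unrecognised owner)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:<5} {f.reason}\n      {f.line}")
```

On the sample the script reports three lines: the orphaned `{5C255C8A-...}` BHO, the hypothetical `[updater]` autostart in the profile directory, and the Sony Ericsson service with no owner. The allowlists are the weak point of any such check, which is why they are deliberately small and editable; widen them per machine rather than trusting a generic list.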

#14 miekiemoes (Malware Response Team, Belgium)

Posted 22 November 2010 - 07:38 AM

Can you explain what problems you are still having?
Also, please do the following:

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix. This is because security software may see some components ComboFix uses (prep.com for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.

#15 kikamor (Topic Starter, Ilha Grande-Rio de Janeiro-Brazil)

Posted 22 November 2010 - 07:52 AM

How can I download ComboFix?



