HJT log... some spy in my PC :s

This topic is locked
19 replies to this topic

#1 hijacked
  • Members
  • 32 posts

Posted 07 March 2006 - 02:47 PM

I think I have some spyware... can anybody help me please??
Thanks!!


Here goes the HJT log...


Logfile of HijackThis v1.99.1
Scan saved at 16:47:25, on 7/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Slave.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\eMule Plus\eMule.exe
C:\ARQUIV~1\DVDREG~1\DVDRegionFree.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\ARQUIV~1\WINZIP\winzip32.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gbieh.dll
O2 - BHO: G-Buster Browser Defense Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\ARQUIV~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.149.55.142 200.165.132.155
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Microsoft (Slave) - TWD Industries SAS - C:\WINDOWS\Slave.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe


#2 hijacked
  • Topic Starter
  • Members
  • 32 posts

Posted 09 March 2006 - 02:56 PM

I asked for help about some malware in my PC some days ago... but there was no reply... :thumbsup:
So, I ran the a² scanner... and it deleted 99 malware files...
Now, I ran HijackThis again and it found this (is it OK??):

PS: There are some "Hijacked Internet access by New.Net"... what does that mean??
Thanks


Logfile of HijackThis v1.99.1
Scan saved at 16:38:20, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\HJT\HijackThis.exe
C:\Arquivos de programas\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gbieh.dll
O2 - BHO: G-Buster Browser Defense Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Arquivos de programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\ARQUIV~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.149.55.142 200.165.132.155
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Arquivos de programas\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Microsoft (Slave) - Unknown owner - C:\WINDOWS\Slave.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

#3 pskelley
  • Staff Emeritus
  • 1,487 posts

Posted 09 March 2006 - 04:24 PM

Hello and welcome to the forum. If you still need help, you do have several bad trojans. I suggest you stay offline as much as possible to deny these hackers access until you are clean. Here is some information:

C:\WINDOWS\Slave.exe
http://www.avp.ch/avpve/trojan/backdoor/ra.stm

O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
http://no.trendmicro-europe.com/enterprise...e=WORM_SDBOT.NP

C:\WINDOWS\System32\Netwmon.exe
http://www.symantec.com/avcenter/venc/data...pybot.worm.html

But first we must remove the New.Net hijacker. This one looks like this: O10 - Hijacked Internet access by New.Net. If you downloaded this junk on purpose, please stop and let me know. These are your instructions for removing it:
http://www.newdotnet.com/removal.html
Please follow those instructions, and when that item is gone from your HJT post, post a new log and we will go after the other bad stuff.

This link I am posting now is an emergency tool. I have not had to use it, but if for some reason you could not get online after removing New.Net, this tool would fix that. Do not use it otherwise.
http://www.snapfiles.com/get/winsockxpfix.html

Thanks...pskelley
BleepingComputer
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
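As an added illustration (not part of this thread, and not code from HijackThis or BleepingComputer), the checks pskelley applies by eye above can be written down as a small Python triage pass over HijackThis log lines: O10 Winsock hijacks, O4 Run entries that launch a bare filename (soundblaster.exe), O23 services whose binary is missing (Netwmon.exe), sits directly in the Windows directory, or carries a vendor name its owner does not match (Slave.exe), and R0/R1 search pages pointing at an unrecognised host (findin.org). The sample lines are copied from the logs in this thread; the allowlist of page hosts and the category names are assumptions of the example. It produces candidates for a lookup, not verdicts.

```python
"""Triage helper for HijackThis (HJT) v1.99 log lines.

Added example: not code from this thread, from HijackThis, or from BleepingComputer.
It writes down a few of the checks a helper applies when reading a log and returns
candidates for a manual lookup; it does not decide what is malware.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines copied from the logs posted in this thread, mixed with
# the benign NVIDIA entries next to them so the heuristics have something to ignore.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findin.org/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O10 - Hijacked Internet access by New.Net
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe (file missing)
O23 - Service: Microsoft (Slave) - TWD Industries SAS - C:\WINDOWS\Slave.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")
PAGE_RE = re.compile(r"^R[01] - (.+?) = (.*)$")
WINDOWS_ROOT_RE = re.compile(r"^[A-Za-z]:\\windows\\[^\\]+$", re.IGNORECASE)
MISSING = " (file missing)"

# Assumed allowlist for this example; a real run would carry the user's own defaults.
TRUSTED_PAGE_HOSTS = frozenset({"home.microsoft.com", "www.microsoft.com", "www.google.com"})


@dataclass(frozen=True)
class Finding:
    line: str       # the HJT line that triggered the check
    category: str   # short tag for the check that fired
    detail: str     # what to look up before acting


def _first_token(text):
    """Split off the first command-line token, honouring double quotes."""
    text = text.strip()
    if text.startswith('"'):
        end = text.find('"', 1)
        return (text[1:end], text[end + 1:]) if end > 0 else (text[1:], "")
    parts = text.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def launched_image(command):
    """Return the image a Run entry really launches, looking through rundll32."""
    image, rest = _first_token(command)
    if image.lower() in ("rundll32", "rundll32.exe"):
        image, _ = _first_token(rest)
        image = image.split(",", 1)[0]  # drop the ",EntryPoint" suffix
    return image


def is_bare_filename(image):
    """A bare name is resolved via PATH at logon; installers almost always write a full path."""
    return not any(ch in image for ch in "\\/:%")


def triage(log_text, trusted_hosts=TRUSTED_PAGE_HOSTS):
    """Run the heuristics over every line and collect candidates for manual lookup."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O10 - "):
            findings.append(Finding(line, "lsp-hijack",
                            "third-party Winsock LSP; remove with the vendor's uninstaller before other cleanup"))
            continue
        m = RUN_RE.match(line)
        if m:
            hive, name, command = m.groups()
            image = launched_image(command)
            if is_bare_filename(image):
                findings.append(Finding(line, "bare-filename",
                                f"{hive} Run entry [{name}] launches {image!r} without a path; locate the file first"))
            continue
        m = SERVICE_RE.match(line)
        if m:
            display, owner, path = m.groups()
            binary = path[:-len(MISSING)] if path.endswith(MISSING) else path
            if path.endswith(MISSING):
                findings.append(Finding(line, "missing-file",
                                f"service '{display}' points at {binary!r}, which is gone; stale entry"))
            if WINDOWS_ROOT_RE.match(binary):
                findings.append(Finding(line, "windows-root",
                                f"service binary {binary!r} sits directly in the Windows directory"))
            if "microsoft" in display.lower() and "microsoft" not in owner.lower():
                findings.append(Finding(line, "vendor-mimic",
                                f"service is named '{display}' but its owner is '{owner}'"))
            continue
        m = PAGE_RE.match(line)
        if m:
            key, url = m.groups()
            host = urlparse(url.strip()).hostname
            if host and host.lower() not in trusted_hosts:
                findings.append(Finding(line, "search-hijack", f"{key} points at {host}"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.category:13}] {finding.detail}")
```

Note the second bare-filename hit: nwiz.exe is a legitimate NVIDIA entry that registers without a path, so this check is a prompt for the "search for it first" step described in the thread, not a verdict. The NvCplDaemon entry is not flagged because the helper looks through rundll32 to the DLL it actually loads.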

#4 pskelley
  • Staff Emeritus
  • 1,487 posts

Posted 11 March 2006 - 08:38 AM

I posted instructions at the first thread you opened. Please return to that thread and do not start new topics; it just adds to the confusion, thanks. This is your topic:
http://www.bleepingcomputer.com/forums/ind...55&#entry248555
I posted at this time: Mar 9 2006, 04:24 PM. Make sure you are subscribed to the topic and that other users in the house do not delete your notifications.

Thanks...Phil :thumbsup:

I am combining the two threads to keep things organized.

#5 hijacked
  • Topic Starter
  • Members
  • 32 posts

Posted 11 March 2006 - 12:37 PM

Thank you Phil!!... the hijacked connections disappeared!!
And I ran Ad-Aware, a-squared and I think another program too... now my PC is better.
But, can you check for me if there is still malware??
Thanks again

Logfile of HijackThis v1.99.1
Scan saved at 14:37:52, on 11/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findin.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.publipt.com/scripts/runner.php?...97e4felipepubli
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gbieh.dll
O2 - BHO: G-Buster Browser Defense Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.149.55.142 200.165.132.155
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe (file missing)
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Microsoft (Slave) - Unknown owner - C:\WINDOWS\Slave.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

#6 pskelley (Staff Emeritus)

Posted 11 March 2006 - 01:21 PM

Well, the New.Net hijacker is gone, but you still have some nasty trojans. Let's get rid of them like this:

1) This one: soundblaster.exe you will have to search for so you will know where it is when it comes time to delete it, enable hidden files and folders or search will not find it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

2) ewido scan:
Please download Ewido Security Suite it is a trial version of the program.
  • Install ewido security suite
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")


3) We must get rid of the two bad services. Follow these instructions for A and B

A ) Disable the offending Service
Click Start > Run and type services.msc
Scroll down to Network Monitoring Support and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type Netmon and press OK.
OK any prompts, close HijackThis, and restart your computer.

B ) Disable the offending Service
Click Start > Run and type services.msc
Scroll down to Microsoft (Slave) and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type Slave and press OK.
OK any prompts, close HijackThis, and restart your computer.

The above two items may be gone below when you look for them just do not miss them.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.findin.org/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.findin.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Mario Forever Toolbar Helper - {8036D4D7-AAD3-4793-AB49-329E437155A8} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
see this >>> http://castlecops.com/clsid-29459.html
O3 - Toolbar: Mario Forever Toolbar - {463DF6D5-BEC1-4d67-B217-59DB692DFC53} - C:\Arquivos de programas\Mario Forever Toolbar\v2.0.0.4\Mario_Forever_Toolbar.dll
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
(next two should be gone)
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe (file missing)
O23 - Service: Microsoft (Slave) - Unknown owner - C:\WINDOWS\Slave.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files & folders... reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items:

soundblaster.exe >>> file (the one you search for, go there and delete it. This is a very bad trojan)

C:\WINDOWS\System32\Netwmon.exe >>> file (if it is there)

C:\WINDOWS\Slave.exe >>> file (if it is there)

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_...refetch-XP.html

If you don't have a good cleaner, use this one with these instructions:
Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner (Windows & Applications). When you run the registry cleaner (Issues) you will be prompted to back up before you can remove anything; make sure you do.

Restart the computer and post the ewido scan results, a new HJT log and any comments you think will help. Let me know how the computer is running.

Thanks...Phil

Edited by pskelley, 11 March 2006 - 01:22 PM.

MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
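One way to automate the triage Phil does by eye in the post above, as an added example that is not part of the original thread and not code from HijackThis itself: a small Python script that parses HJT-format lines and flags the same three patterns he acted on (O23 services whose binary is missing from disk, O4 Run entries that name a bare file with no directory, and R0/R1 entries that point IE's search or start page at a non-Microsoft host). The sample lines are constructed in the log's format and are not the poster's log; the allowed-host suffixes and the system-directory set are assumptions chosen for illustration.

```python
"""Triage of HijackThis 1.99.1 log lines (added example, not from the thread)."""
import re
from urllib.parse import urlparse

# Constructed sample in HJT line format; it mirrors the entry types seen in
# this thread but is not the poster's actual log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.findin.org/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [Micr Update] soundblaster.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Network Monitoring Support (Netmon) - Unknown owner - C:\WINDOWS\System32\Netwmon.exe (file missing)
O23 - Service: Microsoft (Slave) - Unknown owner - C:\WINDOWS\Slave.exe (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
""".strip("\n")

# Assumption: hosts IE points at by default on an XP box of this era.
DEFAULT_HOST_SUFFIXES = ("microsoft.com", "msn.com", "live.com")
# Assumption: directories where an unknown-owner service binary deserves a look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}

O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
SHORT_NAME_RE = re.compile(r"^(?P<display>.*) \((?P<short>[^()]+)\)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?) =\s*(?P<value>.*)$")


def executable_of(cmd: str) -> str:
    """First token of a Run command, with surrounding quotes removed."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def parent_dir(path: str) -> str:
    """Lower-cased directory part of a Windows path ('' if there is none)."""
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def is_default_host(host: str) -> bool:
    return any(host == s or host.endswith("." + s) for s in DEFAULT_HOST_SUFFIXES)


def triage_line(line: str):
    """Return (kind, subject, reason) for a suspicious line, else None."""
    m = O23_RE.match(line)
    if m:
        sm = SHORT_NAME_RE.match(m["display"])
        short = sm["short"] if sm else m["display"]
        if m["missing"]:
            return ("O23", short, "service binary missing on disk")
        if m["owner"] == "Unknown owner" and parent_dir(m["path"]) in SYSTEM_DIRS:
            return ("O23", short, "unknown owner, binary in a system directory")
        return None
    m = O4_RE.match(line)
    if m:
        exe = executable_of(m["cmd"])
        if "\\" not in exe:  # resolved through the search path at logon
            return ("O4", m["name"], f"bare filename {exe!r}, location unknown")
        return None
    m = R_RE.match(line)
    if m and m["value"]:
        host = urlparse(m["value"]).hostname or ""
        if not is_default_host(host):
            return ("R", m["key"].rsplit(",", 1)[-1], f"points at {host}")
    return None


def triage(log_text: str):
    """All suspicious entries in a log, in file order."""
    findings = []
    for line in log_text.splitlines():
        hit = triage_line(line.strip())
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG):
        print(f"{kind:<4} {subject:<14} {reason}")
```

The bare-filename flag is a prompt to go and find the file, not a verdict: NVIDIA's nwiz.exe trips it exactly as soundblaster.exe does, which is why the post above tells the user to locate soundblaster.exe (with hidden files shown) before deleting anything.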

#7 hijacked (Topic Starter)

Posted 12 March 2006 - 11:06 PM

Thanks Phil! I think we found a lot of bleep in my PC.

I couldn't find soundblaster.exe even following the instructions, and I had tried to find it before too but couldn't... but I think it disappeared from the HJT log...

Do you know why this file exists? It's in my PC and has a lot of trojans, malware... in zip files?? Was it downloaded?? :
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows

The ewido scan results are in Portuguese; I hope you can understand them.

Thanks for everything so far!!

Logfile of HijackThis v1.99.1
Scan saved at 01:08:21, on 13/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.publipt.com/scripts/runner.php?...97e4felipepubli
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Arquivos de programas\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gbieh.dll
O2 - BHO: G-Buster Browser Defense Real - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O2 - BHO: G-Buster Browser Defense Unibanco - {C41A1C0E-EA6C-11D4-B1B8-444553540008} - C:\WINDOWS\Downloaded Program Files\gbiehuni.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Arquivos de programas\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\pt-br\msntb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Arquivos de programas\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399008} (GbPluginObj Class) - https://clickbanking.unibanco.com.br/GbPlug...GbPluginUni.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{85352415-5B32-442C-BDA7-4C4779B676E3}: NameServer = 200.149.55.142 200.165.132.155
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Arquivos de programas\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Unknown owner - C:\Arquivos de programas\Norton AntiVirus\IWP\NPFMntor.exe (file missing)
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\ARQUIV~1\ARQUIV~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\ARQUIV~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Arquivos de programas\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 00:22:59, 13/3/2006
+ Report checksum: EEB1DE87

+ Scan result:

C:\Coisas\Hacker\funcionando\revel_senhas.zip/Revelation.exe -> Not-A-Virus.PSWTool.Win32.SnadBoy.11 : Ignored
C:\Coisas\Sacanagens\downloads\NNuninstall.exe -> Adware.NewDotNet : Ignored
C:\WINDOWS\SYSTEM32\cryptdbe.dll -> Adware.Agent : Cleaned with backup
:mozilla.23:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.34:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.38:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.39:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.76:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Revenue : Cleaned with backup
:mozilla.79:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.95:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Yadro : Cleaned with backup
:mozilla.116:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.117:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Addynamix : Cleaned with backup
:mozilla.118:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Weborama : Cleaned with backup
:mozilla.126:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.131:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.136:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.137:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.160:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.161:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.162:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.170:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.188:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.216:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.217:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.256:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.257:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned with backup
:mozilla.264:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Ivwbox : Cleaned with backup
:mozilla.295:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.296:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.297:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.298:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup
:mozilla.308:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup
:mozilla.388:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.393:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.408:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup
:mozilla.467:C:\WINDOWS\Application Data\Mozilla\Firefox\Profiles\hug8u2i0.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\aix\scanners\vulnerability\cgiscan\cgis4.zip/cgis4.exe -> Not-A-Virus.NetTool.Win32.CGIScan.40 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\linux\scanners\vulnerability\nsfcheck_pl\nsfcheck_pl.pl -> Not-A-Virus.Exploit.Perl.Urlencoded.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\brute_force\uns12exe\uns12exe.zip/UHANFO.EXE -> Trojan.ControlDuSockets.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\dos\Wincrash\wincrash.zip/crasher/ssping -> Not-A-Virus.Flooder.Linux.Small.k : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\exploits\iiswebexplt.pl -> Not-A-Virus.Exploit.Perl.Urlencoded.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\password_crackers\cisco_password_cracker\getpass!.zip/GetPass!.exe -> Not-A-Virus.PSWTool.Win32.GetPass.e : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\password_crackers\john_the_ripper\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\password_crackers\pwddump2\pwdump2.zip/pwdump2/pwdump2.exe -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\password_crackers\pwddump2\pwdump2.zip/pwdump2/samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\scanners\network\7sph\7thportscan.zip/portscan.exe -> Not-A-Virus.NetTool.Win32.Scan.11 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\scanners\network\grinder_url\grinder11.zip/grinder.EXE -> Not-A-Virus.NetTool.Win32.Grinder.11 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\util\hypertunnelNT.zip/hts.exe -> Not-A-Virus.NetTool.Win32.HTTPTunnel.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\util\hypertunnelNT.zip/htc.exe -> Not-A-Virus.NetTool.Win32.HTTPTunnel.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\util\exe2vbs\exe2vbs.zip/exe2vbs/lev2-example.vbs -> Dropper.Inor.ak : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows\util\exe2vbs\exe2vbs.zip/exe2vbs/lev1-example.vbs -> Dropper.Inor.ak : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\aix\scanners\vulnerability\cgiscan\cgis4.zip/cgis4.exe -> Not-A-Virus.NetTool.Win32.CGIScan.40 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\linux\scanners\vulnerability\nsfcheck_pl\nsfcheck_pl.pl -> Not-A-Virus.Exploit.Perl.Urlencoded.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\brute_force\uns12exe\uns12exe.zip/UHANFO.EXE -> Trojan.ControlDuSockets.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\dos\Wincrash\wincrash.zip/crasher/ssping -> Not-A-Virus.Flooder.Linux.Small.k : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\exploits\iiswebexplt.pl -> Not-A-Virus.Exploit.Perl.Urlencoded.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\password_crackers\cisco_password_cracker\getpass!.zip/GetPass!.exe -> Not-A-Virus.PSWTool.Win32.GetPass.e : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\password_crackers\john_the_ripper\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\password_crackers\pwddump2\pwdump2.zip/pwdump2/pwdump2.exe -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\password_crackers\pwddump2\pwdump2.zip/pwdump2/samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\scanners\network\7sph\7thportscan.zip/portscan.exe -> Not-A-Virus.NetTool.Win32.Scan.11 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\scanners\network\grinder_url\grinder11.zip/grinder.EXE -> Not-A-Virus.NetTool.Win32.Grinder.11 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\util\hypertunnelNT.zip/hts.exe -> Not-A-Virus.NetTool.Win32.HTTPTunnel.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\util\hypertunnelNT.zip/htc.exe -> Not-A-Virus.NetTool.Win32.HTTPTunnel.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\util\exe2vbs\exe2vbs.zip/exe2vbs/lev2-example.vbs -> Dropper.Inor.ak : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR28.703\windows\util\exe2vbs\exe2vbs.zip/exe2vbs/lev1-example.vbs -> Dropper.Inor.ak : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\aix\scanners\vulnerability\cgiscan\cgis4.zip/cgis4.exe -> Not-A-Virus.NetTool.Win32.CGIScan.40 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\linux\scanners\vulnerability\nsfcheck_pl\nsfcheck_pl.pl -> Not-A-Virus.Exploit.Perl.Urlencoded.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\brute_force\uns12exe\uns12exe.zip/UHANFO.EXE -> Trojan.ControlDuSockets.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\dos\Wincrash\wincrash.zip/crasher/ssping -> Not-A-Virus.Flooder.Linux.Small.k : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\exploits\iiswebexplt.pl -> Not-A-Virus.Exploit.Perl.Urlencoded.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\password_crackers\cisco_password_cracker\getpass!.zip/GetPass!.exe -> Not-A-Virus.PSWTool.Win32.GetPass.e : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\password_crackers\john_the_ripper\john-16w.zip/john-16/run/john.exe -> Not-A-Virus.HackTool.Win32.John : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\password_crackers\pwddump2\pwdump2.zip/pwdump2/pwdump2.exe -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\password_crackers\pwddump2\pwdump2.zip/pwdump2/samdump.dll -> Not-A-Virus.PSWTool.Win32.PWDump2 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\scanners\network\7sph\7thportscan.zip/portscan.exe -> Not-A-Virus.NetTool.Win32.Scan.11 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\scanners\network\grinder_url\grinder11.zip/grinder.EXE -> Not-A-Virus.NetTool.Win32.Grinder.11 : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\util\hypertunnelNT.zip/hts.exe -> Not-A-Virus.NetTool.Win32.HTTPTunnel.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\util\hypertunnelNT.zip/htc.exe -> Not-A-Virus.NetTool.Win32.HTTPTunnel.a : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\util\exe2vbs\exe2vbs.zip/exe2vbs/lev2-example.vbs -> Dropper.Inor.ak : Cleaned with backup
C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.938\windows\util\exe2vbs\exe2vbs.zip/exe2vbs/lev1-example.vbs -> Dropper.Inor.ak : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ivwbox[2].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@yadro[1].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ivwbox[1].txt -> TrackingCookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@spylog[2].txt -> TrackingCookie.Spylog : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@as1.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@weborama[2].txt -> TrackingCookie.Weborama : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@tacoda[3].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ehg.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ads1.revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@b.casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@ad.yieldmanager[3].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Felipe\Cookies\felipe@hotlog[2].txt -> TrackingCookie.Hotlog : Cleaned with backup
C:\System Volume Information\_restore{DAE2F2AC-A0F4-4DAA-BA21-1398E30F73CE}\RP196\A0096303.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{DAE2F2AC-A0F4-4DAA-BA21-1398E30F73CE}\RP196\A0096304.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{DAE2F2AC-A0F4-4DAA-BA21-1398E30F73CE}\RP196\A0096306.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{DAE2F2AC-A0F4-4DAA-BA21-1398E30F73CE}\RP196\A0096461.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{DAE2F2AC-A0F4-4DAA-BA21-1398E30F73CE}\RP196\A0096462.dll -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{DAE2F2AC-A0F4-4DAA-BA21-1398E30F73CE}\RP196\A0096464.exe -> Adware.NewDotNet : Cleaned with backup


::End of report

#8 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 13 March 2006 - 09:25 AM

Hola, are you Felipe? Me also :thumbsup: Let's look over your logs to see how we did, then I will answer questions.

First thing we must fix, you are running three antivirus programs at the same time:

C:\Arquivos de programas\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Arquivos de programas\Alwil Software\Avast4\
C:\ARQUIV~1\Grisoft\AVGFRE~1\

This is not a good thing, they will conflict and you will be less protected than if you ran one good program and maintained it properly. Choose one and uninstall the others, then update the one you keep and run a complete system scan, allow it to remove anything it locates. If there are items it cannot delete or quarantine, I need you to post for me the full name and pathway of each one.

You are also running: C:\Arquivos de programas\Webroot\Spy Sweeper\ ... did you purchase this program or is it a trial version?

Next I want you to run ewido again, do not Ignorado anything ewido locates, Limpo com backup all it finds.

Once this is done, post a new HJT log and the ewido scan results (edit out all items like this: C:\System Volume Information\_restore before you post the log, we will clean those later).

Thanks...filippe

Do you know why this file exists?...it's in my pc and has a lot of trojans, malware,...in zip files??...was it downloaded?? :

C:\Documents and Settings\Felipe\Configurações locais\Temp\Rar$DR00.547\windows
This is where things are downloaded for you so you can view them. Please understand they are temporary and the file I am highlighting in red should be cleaned along with your regular maintenance with temporary internet files and cookies. I will give you a little tool to do this before we finish.
For now that file in red should be cleaned out, thanks.
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#9 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 13 March 2006 - 10:21 PM

I'm felipe... :thumbsup:

1 - I tried to erase norton antivirus, but i don't know why, there was a big error...now i can't erase it completely or reinstall it...it doesn't work...do you know how to proceed to erase completely norton antivirus??...but not the system works...

I don't know which is better...avast or avg...but i think it's avast...what do you think??

2 - Spy sweeper was a trial...it's expired...

3 - sorry, but i didn't understand:

a - "edit out all items like this: C:\System Volume Information\_restore"...what should i do?

b - clean out the C:\Documents and Settings\Felipe\Configurações locais\Temp\ folder...should i erase all or what?

Thanks!!

Edited by hijacked, 13 March 2006 - 10:22 PM.


#10 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 14 March 2006 - 06:44 AM

Let's see if I can come up with answers for you.

1) I do not use Norton, but since they sold it to you they should be able to tell you how to remove it:
http://www.symantec.com/techsupp/support_options.html
http://www.symantec.com/techsupp/
http://www.google.com/search?sourceid=navc...ninstall+norton

Both Avast and AVG are good free products, I usually suggest AVG when asked for a free one.

2) Leave Spysweeper for now in case we want to view a sweep. Once we are finished, uninstall it, it is just using your resources and of no benefit I can see.

3) These items:
C:\Coisas\Hacker\funcionando\revel_senhas.zip/Revelation.exe -> Not-A-Virus.PSWTool.Win32.SnadBoy.11 : Ignorado
C:\Coisas\Sacanagens\downloads\NNuninstall.exe -> Adware.NewDotNet : Ignorado
You ignored them instead of deleting them, they need to go. Either run ewido again and delete them this time or delete them manually.

4) Before you copy and paste the ewido log here, remove the System Restore stuff you can see in the first scan above by highlighting and deleting it. I saw it once and know it is there, just do not use System Restore or that stuff will get back on your computer.

5) You should open the file I have highlighted in red:

clean out the C:\Documents and Settings\Felipe\Configurações locais\Temp\ folder...should i erase all or what?

Then right click and choose EDIT, then Select all. Once all the temp files are highlighted, hit the delete key on your keyboard.

Once this is done, post a new HJT log and the ewido scan results (edit out all items like this: C:\System Volume Information\_restore before you post the log, we will clean those later).


Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006
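
The two requests in the post above (list the entries that were left as "Ignorado", and strip the System Volume Information entries before posting the report) can be done mechanically rather than by hand-editing the log. The following is an added Python example, not code from the thread or from ewido; the sample report is constructed from the line format the thread shows (`<path> -> <detection> : <action>`), with paths and detection names taken from the posted logs.

```python
"""Triage helper for ewido scan reports (added example, not ewido's own code).

Each result line has the shape:  <path> -> <detection name> : <action>
Actions are the strings the Portuguese build writes, as seen in the thread.
"""
import re
from collections import Counter

ACTION_CLEANED = "Limpo com backup"   # item was removed and backed up
ACTION_IGNORED = "Ignorado"           # item was skipped and is still on disk

# System Restore snapshots; the thread asks for these to be edited out of
# the posted report and handled separately.
SYSTEM_RESTORE_PREFIX = r"c:\system volume information\_restore"

# Constructed sample report, assembled from lines shown earlier in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Felipe\Cookies\felipe@doubleclick[1].txt -> TrackingCookie.Doubleclick : Limpo com backup
C:\Coisas\Hacker\funcionando\revel_senhas.zip/Revelation.exe -> Not-A-Virus.PSWTool.Win32.SnadBoy.11 : Ignorado
C:\Coisas\Sacanagens\downloads\NNuninstall.exe -> Adware.NewDotNet : Ignorado
C:\System Volume Information\_restore{DAE2F2AC-A0F4-4DAA-BA21-1398E30F73CE}\RP196\A0096303.exe -> Adware.NewDotNet : Limpo com backup
::Fim do Relatório
"""

# Path is everything before the first " -> "; detection names carry no ':'.
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\s*$")


def parse_line(line):
    """Return {path, detection, action} for a result line, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"path": m["path"], "detection": m["detection"], "action": m["action"]}


def is_system_restore(path):
    """True for entries inside a System Restore snapshot folder."""
    return path.lower().startswith(SYSTEM_RESTORE_PREFIX)


def triage(report):
    """Summarise a report: action counts, still-present ignored items, and a
    copy of the report with System Restore entries edited out for posting."""
    lines = report.splitlines()
    entries = [e for e in (parse_line(l) for l in lines) if e]

    actions = Counter(e["action"] for e in entries)
    ignored = [e for e in entries
               if e["action"] == ACTION_IGNORED and not is_system_restore(e["path"])]
    restore = [e for e in entries if is_system_restore(e["path"])]

    for_posting = []
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e and is_system_restore(e["path"]):
            continue            # drop the snapshot entries, as requested
        for_posting.append(line)

    return {
        "actions": actions,
        "ignored": ignored,
        "system_restore_count": len(restore),
        "for_posting": for_posting,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("actions:", dict(result["actions"]))
    print("still on disk (Ignorado):")
    for e in result["ignored"]:
        print("  ", e["path"], "->", e["detection"])
    print("System Restore entries removed from posted copy:", result["system_restore_count"])
    print("\n".join(result["for_posting"]))
```

Running it on a real report means pasting the report into `SAMPLE_REPORT` or reading it from a file; the "Ignorado" list is what the helper is asking the user to delete or rescan, and `for_posting` is the text to paste back into the thread.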

#11 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 16 March 2006 - 10:43 PM

Hi phil...thanks for the progress made!
But before going on I have some questions...

1 - I'm waiting for symantec answer for trying to erase completely norton antivirus...

2 - Spysweeper isn't even starting...It says I must buy...and closes

3 - This files: revelation...it's just a zip file, and it's a good program when i forget some password that's recorded in my pc...
NNuninstall...it's just the uninstaller...in case of it comes back to my pc...

4 - Isn't there any problem on just erasing all this info?...isn't there anything really important?

Thanks!!

#12 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 17 March 2006 - 07:06 AM

Hola felipe, let me see if I can help with questions first:

1) Symantec is a lot more helpful when you are installing their product, post the version and I may be able to find something. In the meantime, turn it off in services, look at these items: O23 - Service: Symantec as there are several running, you can see them in the HJT log. I believe you should remove Spysweeper also, look for it in Add Remove programs, you may also need to disable it in services to remove it.
http://www.mvps.org/winhelp2002/services.htm
http://www.ss64.com/ntsyntax/services.html

2) Spysweeper covered in one. It is just using your resources, unless you intend to purchase it, get rid of it.

3) That is fine, ewido does once in a while identify something that is not bad, that is why we give the warning. If you want to check to be positive no infection is in those files, use this: http://virusscan.jotti.org/

4) Don't comprehend what you are asking me there?

If you are going to leave those two items ignored in ewido, no need to run it again, post a HJT log for a last look and I will get you on your way.

Thanks...Phil
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#13 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 18 March 2006 - 02:41 PM

Hi Phil!

1 - I have also the norton system works installed in my pc...and i think this one i wouldn't like to erase...so, when i see all this symantec in the hjt log i never know if some of them are from norton systemworks, so, i don't know which ones to stop...

2 - Done erasing spy sweeper...

3 - the files are ok...

4 - I asked you if there is no problem on erasing all the files from the C:\Documents and Settings\Felipe\Configurações locais\Temp\ folder, if nothing there is vital for my pc...i mean...everything is trash/erasable???

Two more things: 1 - can you explain to me why did you send me these links?...for what can i use this info?...i didn't understand...

http://www.mvps.org/winhelp2002/services.htm
http://www.ss64.com/ntsyntax/services.html

2 - My pc, sometimes is freezing after the reboot...normally when the desktop appears...do you know some reason for that?...if it's because of software or hardware (maybe the power source...) problems...


Thanks for all the help!!!

#14 pskelley

pskelley

  • Staff Emeritus
  • 1,487 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 18 March 2006 - 03:00 PM

1 - I have also the norton system works installed in my pc...and i think this one i wouldn't like to erase...so, when i see all this symantec in the hjt log i never know if some of them are from norton systemworks, so, i don't know which ones to stop...

Having these multiple antivirus systems working at the same time could very well be causing the computer to freeze. There is no way to tell if that is it until you have fixed that issue. This is a hard thing to troubleshoot, I ask Google the question: computer is freezing and it gives me 14,000,000 possible answers.
http://www.google.com/search?hl=en&q=compu...G=Google+Search

4 - I asked you if there is no problem on erasing all the files from the C:\Documents and Settings\Felipe\Configurações locais\Temp\ folder, if nothing there is vital for my pc...i mean...everything is trash/erasable???

No..all temporary and temporary internet files are just that: TEMPORARY and meant to be deleted:
http://www.google.com/search?hl=en&lr=&q=h...les&btnG=Search
http://www.google.com/search?hl=en&lr=&q=h...ile&btnG=Search

Those two links were to help you with disabling programs running in services so you could remove them.

Have you contacted Symantec/Norton about removing what you no longer need?

Post a new HJT log so I can see what you have done.

Thanks
MS-MVP Windows Security 2007-08
Proud Member ASAP
UNITE Member 2006

#15 hijacked

hijacked
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:02:12 AM

Posted 20 March 2006 - 03:02 PM

Hi phil!

I have the norton systemworks...it's not the antivirus...this one has some programs to help to clean and organize the pc...and i don't know which of the running services are from the antivirus and which are from systemworks...understood??

I solved the problem with my pc freezing and booting by itself...it was some bios problem...i just erased the bios settings and it's ok again

One more question...do i have to erase ALL the files, folders and dll's on the C:\Documents and Settings\Felipe\Configurações locais\Temp\ folder or just the .tmp??... i swear that's the last question about this thing! :thumbsup:

Thanks!



