The Red Exclamation


This topic is locked
19 replies to this topic

#1 TenderBranson

TenderBranson

  • Members
  • 20 posts
  • OFFLINE

Posted 08 November 2006 - 12:21 PM

Hello people,

For the last two days I've had this really annoying bug in my taskbar, the red exclamation, and I can get rid of it. Could you guys give it a try?

Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 17:12:58, on 08-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Microsoft IntelliType Pro\type32.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
F:\Nomad\Programs\utorrent.exe
F:\Nomad\Programs\FirefoxPortable\App\firefox\firefox.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Source Engine\OSE.EXE
C:\Programas\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.parishiltonrecord.com/quicktime/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [type32] "C:\Programas\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\Fernando Faria\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvkuw.dll,startup
O4 - HKLM\..\Run: [zvbomsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zvbomsg.dll,xlpoqje
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89348F70-2917-43E3-B3EA-23BB9B285258}: NameServer = 195.23.129.126,194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thank you!!!


#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London

Posted 08 November 2006 - 01:10 PM

Go to this folder where Hijackthis is kept and rename the hijackthis application to "showme".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "showme.exe" by double clicking.
Post a new Hijackthis log from the newly named application.

#3 TenderBranson

TenderBranson
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE

Posted 09 November 2006 - 04:59 AM

Hi, and thanks for helping me.

Since yesterday (because I'm not the only user of this computer; we have two accounts... is that a problem?), WinAntiVirus Pro (more dangerous garbage) has been installed on my computer...

Anyway, I have renamed the file and here's the log now:

Logfile of HijackThis v1.99.1
Scan saved at 9:47:45, on 09-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Microsoft IntelliType Pro\type32.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Ficheiros comuns\dc6_startupmon.exe
C:\Programas\Ficheiros comuns\ers_startupmon.exe
C:\Programas\Ficheiros comuns\dc6_startupmon.exe
C:\Programas\Ficheiros comuns\ers_startupmon.exe
C:\Programas\Messenger\msmsgs.exe
F:\Nomad\PStart.exe
F:\Nomad\Programs\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Programas\Hijackthis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.parishiltonrecord.com/quicktime/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Programas\WinAntiVirus Pro 2006\winpgi.dll (file missing)
O2 - BHO: (no name) - {257FDC75-EC94-BB80-8CB6-087D34D5B329} - C:\WINDOWS\system32\jabtwxi.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt2.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8D6E5989-C2DC-4C9C-BBB1-D20FB828FBD2} - C:\WINDOWS\system32\jkhhg.dll
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Programas\WinAntiVirus Pro 2006\IEFWBHO.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\dhwqxlec.dll (file missing)
O2 - BHO: (no name) - {F232A706-040E-42BA-BDB5-540B0820862E} - C:\WINDOWS\system32\jkhhg.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [type32] "C:\Programas\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\Fernando Faria\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [zvbomsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zvbomsg.dll,xlpoqje
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DC6] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe" /min
O4 - HKLM\..\Run: [ERS] "C:\Programas\Ficheiros comuns\ers_startupmon.exe" /min
O4 - HKLM\..\Run: [DC6_check] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Programas\Ficheiros comuns\ers_startupmon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89348F70-2917-43E3-B3EA-23BB9B285258}: NameServer = 195.23.129.126,194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Programas\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

And again, thanks!
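The two HijackThis logs above are read by eye in this thread; the script below is an added example (not part of the thread and not HijackThis's own logic) that applies the same triage a helper does to a log by rule: orphaned entries marked "(file missing)" or "(no file)", an autorun launched from the browser cache, rundll32 DLL loads at logon, unnamed BHOs, browser settings pointing at an external URL, and Winlogon Notify DLLs outside an allowlist. The sample lines are constructed from entries in the log above (the account name replaced), and the allowlist of expected Winlogon Notify DLLs is an assumption an analyst would maintain for the machine in question.

```python
"""Rule-based triage of a HijackThis v1.99 log (constructed example)."""
import re
from dataclasses import dataclass

# Entry lines look like "O4 - HKLM\..\Run: [name] command" or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Assumption: DLLs that Winlogon Notify hooks are expected to reference on this
# machine. klogon.dll belongs to the Kaspersky suite present in the log.
WINLOGON_NOTIFY_ALLOWLIST = {"klogon.dll"}

# Constructed sample: entries taken from the log above, account name replaced.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.parishiltonrecord.com/quicktime/
O2 - BHO: (no name) - {257FDC75-EC94-BB80-8CB6-087D34D5B329} - C:\WINDOWS\system32\jabtwxi.dll
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt2.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\User\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [zvbomsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zvbomsg.dll,xlpoqje
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O20 - Winlogon Notify: jkhhg - C:\WINDOWS\system32\jkhhg.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
"""


@dataclass
class Finding:
    section: str
    severity: str  # "high": act first; "review": confirm before fixing
    reason: str
    line: str


def triage_line(line: str) -> list[Finding]:
    """Return the findings for one log line; process/header lines yield none."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    lower = body.lower()
    out: list[Finding] = []

    # Registry references whose target is gone: harmless by themselves, but they
    # show where a component was and should be cleaned up with the rest.
    if "(file missing)" in lower or "(no file)" in lower:
        out.append(Finding(section, "review", "entry points at a file that no longer exists", line))

    # Browser start/search settings (R0/R1) pointing at an external URL.
    if section.startswith("R") and "http" in lower:
        out.append(Finding(section, "review", "browser setting points at an external URL", line))

    # An autorun that launches straight out of the IE cache is never legitimate.
    if section == "O4" and "temporary internet files" in lower:
        out.append(Finding(section, "high", "autorun entry launches from the browser cache", line))

    # rundll32 loading a DLL export at logon is used by drivers and by malware
    # alike, so it gets a review flag rather than a verdict.
    if section == "O4" and "rundll32" in lower and re.search(r"\.dll,\w+", lower):
        out.append(Finding(section, "review", "rundll32 loads a DLL export at logon", line))

    # Winlogon Notify DLLs run inside winlogon.exe; anything not expected is high priority.
    if section == "O20" and body.startswith("Winlogon Notify:"):
        dll = re.search(r"([\w.]+\.dll)", lower)
        if dll and dll.group(1) not in WINLOGON_NOTIFY_ALLOWLIST:
            out.append(Finding(section, "high", "Winlogon Notify DLL outside the allowlist", line))

    # Browser Helper Objects without a name rarely come from legitimate installers.
    if section == "O2" and "(no name)" in lower:
        out.append(Finding(section, "review", "unnamed Browser Helper Object", line))

    return out


def triage_log(text: str) -> list[Finding]:
    """Run triage_line over every line of a log."""
    findings: list[Finding] = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage_log(SAMPLE_LOG)
    for f in sorted(results, key=lambda f: f.severity != "high"):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line.strip()}")
    print(summarize(results))
```

The allowlist is the one piece that must be adjusted per machine: the Kaspersky hook is expected here, while the two other Winlogon Notify entries in the log above (one of them already deleted) are what the later VundoFix run removes.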

#4 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London

Posted 09 November 2006 - 01:43 PM

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

#5 TenderBranson

TenderBranson
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE

Posted 09 November 2006 - 02:38 PM

Hi!

Ok, done that.

Here are the logs:



VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 19:15:44 09-11-2006

Listing files found while scanning....

C:\WINDOWS\system32\jabtwxi.dll
C:\WINDOWS\system32\zvbomsg.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\ghhkj.tmp
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\ghhkj.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jabtwxi.dll
C:\WINDOWS\system32\jabtwxi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\zvbomsg.dll
C:\WINDOWS\system32\zvbomsg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jkhhg.dll
C:\WINDOWS\system32\jkhhg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\ghhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.bak2
C:\WINDOWS\system32\ghhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.ini2
C:\WINDOWS\system32\ghhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ghhkj.tmp
C:\WINDOWS\system32\ghhkj.tmp Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.2.8

Checking Java version...

Sun Java not detected
Scan started at 19:24:31 09-11-2006

Listing files found while scanning....

No infected files were found.


Beginning removal...


-----------and---------


Logfile of HijackThis v1.99.1
Scan saved at 19:30:24, on 09-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Microsoft IntelliType Pro\type32.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Ficheiros comuns\dc6_startupmon.exe
C:\Programas\Ficheiros comuns\ers_startupmon.exe
C:\Programas\Ficheiros comuns\dc6_startupmon.exe
C:\Programas\Ficheiros comuns\ers_startupmon.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
F:\Nomad\PStart.exe
F:\Nomad\Programs\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\Hijackthis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.parishiltonrecord.com/quicktime/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1019C857-CEC7-4536-B05D-85E575A7B9D1} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Programas\WinAntiVirus Pro 2006\winpgi.dll (file missing)
O2 - BHO: (no name) - {257FDC75-EC94-BB80-8CB6-087D34D5B329} - C:\WINDOWS\system32\jabtwxi.dll (file missing)
O2 - BHO: (no name) - {39f25b12-74ff-4079-a51f-1d70f5b08b84} - C:\WINDOWS\system32\ixt2.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {832C2E8D-0D0E-43A2-A825-547C96DF43E4} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Programas\WinAntiVirus Pro 2006\IEFWBHO.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\dhwqxlec.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [type32] "C:\Programas\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\Fernando Faria\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [zvbomsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zvbomsg.dll,xlpoqje
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DC6] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe" /min
O4 - HKLM\..\Run: [ERS] "C:\Programas\Ficheiros comuns\ers_startupmon.exe" /min
O4 - HKLM\..\Run: [DC6_check] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Programas\Ficheiros comuns\ers_startupmon.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89348F70-2917-43E3-B3EA-23BB9B285258}: NameServer = 195.23.129.126,194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Programas\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Thanks again for your help.

#6 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London

Posted 09 November 2006 - 02:42 PM

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1, and press Enter.
A text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

#7 TenderBranson

TenderBranson
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE

Posted 09 November 2006 - 02:46 PM

Here it is:

SmitFraudFix v2.120

Scan done at 19:42:14,65, 09-11-2006
Run from C:\Documents and Settings\Alexandre Correia\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [VersÆo 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alexandre Correia


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Alexandre Correia\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\MENUIN~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\MENUIN~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ALEXAN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Programas


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="A minha home page actual"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\KASPER~1\\KASPER~1.0\\adialhk.dll"


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#8 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London

Posted 09 November 2006 - 03:34 PM

Ok good work, let's continue....

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download SmitfraudFix (by S!Ri)
Extract the contents (a folder named SmitfraudFix) to your Desktop.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning : running option #2 on a non infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

#9 TenderBranson

TenderBranson
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE

Posted 09 November 2006 - 04:10 PM

Hi.

Ok, done that... but when the question "Do you want to clean the registry ?" pops up and after I answered "Yes", the Windows Disk Cleanup starts and SmitfraudFix goes back to its initial menu.

...the second question, "...replace the infected file...", never shows up.

Anyway, here are the logs, as requested:

SmitFraudFix v2.120

Scan done at 20:45:08,04, 09-11-2006
Run from C:\Documents and Settings\Alexandre Correia\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [VersÆo 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


----------and-----------

Logfile of HijackThis v1.99.1
Scan saved at 21:06:37, on 09-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Microsoft IntelliType Pro\type32.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Ficheiros comuns\dc6_startupmon.exe
C:\Programas\Ficheiros comuns\ers_startupmon.exe
C:\Programas\Ficheiros comuns\dc6_startupmon.exe
C:\Programas\Ficheiros comuns\ers_startupmon.exe
C:\Programas\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
F:\Nomad\Programs\FirefoxPortable\App\firefox\firefox.exe
C:\Programas\Hijackthis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.parishiltonrecord.com/quicktime/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1019C857-CEC7-4536-B05D-85E575A7B9D1} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Programas\WinAntiVirus Pro 2006\winpgi.dll (file missing)
O2 - BHO: (no name) - {257FDC75-EC94-BB80-8CB6-087D34D5B329} - C:\WINDOWS\system32\jabtwxi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {832C2E8D-0D0E-43A2-A825-547C96DF43E4} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Programas\WinAntiVirus Pro 2006\IEFWBHO.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\dhwqxlec.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [type32] "C:\Programas\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\Fernando Faria\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [CloneCDTray] "C:\Programas\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [zvbomsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zvbomsg.dll,xlpoqje
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DC6] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe" /min
O4 - HKLM\..\Run: [ERS] "C:\Programas\Ficheiros comuns\ers_startupmon.exe" /min
O4 - HKLM\..\Run: [DC6_check] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Programas\Ficheiros comuns\ers_startupmon.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programas\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89348F70-2917-43E3-B3EA-23BB9B285258}: NameServer = 195.23.129.126,194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Programas\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



...and... thanks again for your time :thumbsup:

#10 TenderBranson (Topic Starter)

Posted 10 November 2006 - 02:13 PM

Hi!

My internet connection has been a little weird today. Could it be related to the Trojan?

I have just done what you requested, again, in your last post.

Here are the logs:


SmitFraudFix v2.120

Scan done at 18:59:32,90, 10-11-2006
Run from C:\Documents and Settings\Alexandre Correia\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [Versão 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

--------------and------------

Logfile of HijackThis v1.99.1
Scan saved at 19:08:33, on 10-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Microsoft IntelliType Pro\type32.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Ficheiros comuns\dc6_startupmon.exe
C:\Programas\Ficheiros comuns\ers_startupmon.exe
C:\Programas\Ficheiros comuns\dc6_startupmon.exe
C:\Programas\Ficheiros comuns\ers_startupmon.exe
C:\Programas\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\System32\svchost.exe
F:\Nomad\PStart.exe
F:\Nomad\Programs\FirefoxPortable\App\firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Hijackthis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.parishiltonrecord.com/quicktime/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1019C857-CEC7-4536-B05D-85E575A7B9D1} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458F-BDEE-631E2FE0DFE4} - C:\Programas\WinAntiVirus Pro 2006\winpgi.dll (file missing)
O2 - BHO: (no name) - {257FDC75-EC94-BB80-8CB6-087D34D5B329} - C:\WINDOWS\system32\jabtwxi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {832C2E8D-0D0E-43A2-A825-547C96DF43E4} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: IEFW Object - {B5141620-C2B2-4D95-9F0F-134D99C87AB0} - C:\Programas\WinAntiVirus Pro 2006\IEFWBHO.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\dhwqxlec.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [type32] "C:\Programas\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\Fernando Faria\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [zvbomsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zvbomsg.dll,xlpoqje
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DC6] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe" /min
O4 - HKLM\..\Run: [ERS] "C:\Programas\Ficheiros comuns\ers_startupmon.exe" /min
O4 - HKLM\..\Run: [DC6_check] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe"
O4 - HKLM\..\Run: [ERS_check] "C:\Programas\Ficheiros comuns\ers_startupmon.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programas\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89348F70-2917-43E3-B3EA-23BB9B285258}: NameServer = 195.23.129.126,194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Firewall service (FWSvc) - WinSoftware, Ltd. - C:\Programas\WinAntiVirus Pro 2006\FWSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Thanks!

#11 -David-

Posted 12 November 2006 - 03:56 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

David

#12 TenderBranson (Topic Starter)

Posted 13 November 2006 - 06:05 AM

Hi there!

Done it. Here are the logs:

Alexandre Correia - 06-11-13 10:57:36,89 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Alexandre Correia\Ambiente de trabalho"

((((((((((((((((((((((((((((((( Files Created from 2006-10-13 to 2006-11-13 ))))))))))))))))))))))))))))))))))


2006-11-10 13:52 56 -r------- C:\RAYMAN.BAT
2006-11-09 19:42 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-11-09 19:42 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-11-09 19:42 4,402 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-09 19:42 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-11-09 19:42 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-11-08 23:48 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2006-11-08 23:48 6,144 --a------ C:\WINDOWS\system32\stera.exe
2006-11-06 20:42 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-05 20:04 40,973 ---hs---- C:\WINDOWS\system32\tuvvspm.dll
2006-11-02 16:41 611,064 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2006-10-28 09:21 744,960 --a------ C:\WINDOWS\system32\IR41_32.DLL
2006-10-20 18:41 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-13 10:57 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\uTorrent
2006-11-13 10:49 -------- d-a------ C:\Programas\Ficheiros comuns
2006-11-12 23:07 -------- d-------- C:\Programas\Mozilla Firefox
2006-11-10 19:08 -------- d-------- C:\Programas\Hijackthis
2006-11-10 12:12 -------- d-------- C:\Programas\Elaborate Bytes
2006-11-10 12:10 -------- d-------- C:\Programas\SlySoft
2006-11-08 23:50 -------- d-------- C:\Programas\Common Files
2006-11-08 23:48 0 --a------ C:\Programas\Ficheiros comuns\err.log
2006-11-08 17:24 -------- d-------- C:\Programas\Kaspersky Lab
2006-11-08 16:28 -------- d-------- C:\Programas\CCleaner
2006-11-06 20:42 -------- d-------- C:\Programas\Grisoft
2006-11-06 19:52 -------- d-------- C:\Programas\Ficheiros comuns\Adobe
2006-11-06 19:52 -------- d-------- C:\Programas\AudioCrusher
2006-11-06 18:36 -------- d-------- C:\Programas\SpywareBlaster
2006-11-06 17:20 -------- d-------- C:\Programas\Roguescanfix
2006-11-06 16:23 -------- d-------- C:\Programas\Lavasoft
2006-11-06 16:23 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Lavasoft
2006-11-06 15:18 61072 --a------ C:\WINDOWS\system32\drivers\klick.sys
2006-11-06 15:18 59536 --a------ C:\WINDOWS\system32\drivers\klin.sys
2006-11-06 14:43 -------- d-------- C:\Programas\VSAdd-in
2006-11-06 11:22 -------- d-------- C:\Programas\McAfee.com
2006-11-03 22:30 -------- d-------- C:\Programas\EA GAMES
2006-11-02 16:50 -------- d-------- C:\Programas\Astonsoft
2006-10-28 09:21 199168 --a------ C:\WINDOWS\system32\ir32_32.dll
2006-10-28 09:08 12288 --a------ C:\WINDOWS\impborl.dll
2006-10-22 14:44 -------- d-------- C:\Programas\Ficheiros comuns\Wizards of the Coast
2006-10-20 18:54 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Vso
2006-10-20 18:41 81920 --a------ C:\Documents and Settings\Alexandre Correia\Application Data\ezpinst.exe
2006-10-20 18:41 7176 --a------ C:\Documents and Settings\Alexandre Correia\Application Data\pcouffin.cat
2006-10-20 18:41 47360 --a------ C:\Documents and Settings\Alexandre Correia\Application Data\pcouffin.sys
2006-10-20 18:41 34 --a------ C:\Documents and Settings\Alexandre Correia\Application Data\pcouffin.log
2006-10-20 18:41 1144 --a------ C:\Documents and Settings\Alexandre Correia\Application Data\pcouffin.inf
2006-10-20 18:41 -------- d-------- C:\Programas\DVDFab Platinum 3
2006-10-19 12:11 -------- d-------- C:\Programas\FLVPlayer
2006-10-13 18:35 -------- d-------- C:\Programas\MediaMonkey
2006-10-12 14:12 -------- d-------- C:\Programas\ESRI
2006-10-12 13:31 -------- d-------- C:\Programas\MultiwatershedDelineation
2006-10-11 16:12 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\DeepBurner
2006-10-11 00:27 -------- d-------- C:\Programas\PowerISO
2006-10-09 01:48 -------- d-------- C:\Programas\Real Alternative
2006-10-09 01:48 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Real
2006-10-07 02:14 -------- d-------- C:\Programas\ArcGIS
2006-10-07 02:05 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Help
2006-10-04 18:37 -------- d---s---- C:\Documents and Settings\Alexandre Correia\Application Data\Microsoft
2006-10-02 18:21 -------- d-------- C:\Programas\CDisplay
2006-09-21 00:02 -------- d--h----- C:\Programas\InstallShield Installation Information
2006-09-21 00:01 -------- d-------- C:\Programas\QuickTime
2006-09-20 23:28 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Apple Computer
2006-09-20 18:03 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Sun
2006-09-19 10:27 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Google
2006-09-18 15:25 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\ESRI
2006-09-18 14:49 -------- d-------- C:\Programas\Taudem
2006-09-18 14:49 -------- d-------- C:\Programas\Mapwindow
2006-09-18 14:00 -------- d-------- C:\Programas\Ficheiros comuns\ESRI
2006-09-18 13:59 -------- d-------- C:\Programas\Microsoft Office
2006-09-18 13:59 -------- d-------- C:\Programas\Ficheiros comuns\Microsoft Shared
2006-09-18 13:59 -------- d-------- C:\Programas\Ficheiros comuns\DESIGNER
2006-09-18 13:52 -------- d-------- C:\Programas\Rainbow Technologies
2006-09-17 10:57 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Adobe
2006-09-17 10:24 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Media Player Classic
2006-09-16 08:34 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\AdobeUM
2006-09-16 00:12 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Macromedia
2006-09-16 00:06 -------- d-------- C:\Programas\Picasa2
2006-09-15 23:46 -------- d-------- C:\Programas\WinAce
2006-09-15 18:59 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Mozilla
2006-09-15 18:08 -------- d-------- C:\Programas\DivX
2006-09-15 17:44 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\McAfee.com Personal Firewall
2006-09-15 17:44 -------- d-------- C:\Documents and Settings\Alexandre Correia\Application Data\Identities
2006-09-13 14:01 -------- d-------- C:\Programas\Visualization
2006-09-13 05:03 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 15:46 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 12:27 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 09:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 11:59 100352 --a------ C:\WINDOWS\system32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Programas\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"RTHDCPL"="RTHDCPL.EXE"
"Alcmtr"="ALCMTR.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"SW20"="C:\\WINDOWS\\system32\\sw20.exe"
"SW24"="C:\\WINDOWS\\system32\\sw24.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RemoteControl"="C:\\Programas\\CyberLink\\PowerDVD\\PDVDServ.exe"
"type32"="\"C:\\Programas\\Microsoft IntelliType Pro\\type32.exe\""
"IntelliPoint"="\"C:\\Programas\\Microsoft IntelliPoint\\point32.exe\""
"SunJavaUpdateSched"="C:\\Programas\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"HP Software Update"="\"C:\\Programas\\HP\\HP Software Update\\HPWuSchd2.exe\""
"NI.UWFX5Z_0001_N660117"="\"C:\\Documents and Settings\\Fernando Faria\\Definições locais\\Temporary Internet Files\\Content.IE5\\14TEP12D\\WinFixer2005FreeInstall_pt[1].exe\" -nag "
"zvbomsg.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\zvbomsg.dll,xlpoqje"
"kis"="\"C:\\Programas\\Kaspersky Lab\\Kaspersky Internet Security 6.0\\avp.exe\""
@=""
"!AVG Anti-Spyware"="\"C:\\Programas\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"DC6"="\"C:\\Programas\\Ficheiros comuns\\dc6_startupmon.exe\" /min"
"DC6_check"="\"C:\\Programas\\Ficheiros comuns\\dc6_startupmon.exe\""
"VirtualCloneDrive"="\"C:\\Programas\\Elaborate Bytes\\VirtualCloneDrive\\VCDDaemon.exe\" /s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Pré-carregador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Daemon da cache de categorias dos componentes"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winowl32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\HPpromotions journeysoftware.job

Completion time: 06-11-13 10:59:02.75
C:\ComboFix.txt ... 06-11-13 10:59
C:\ComboFix2.txt ... 06-11-06 20:35

-----------------------and-----------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:01:15, on 13-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Microsoft IntelliType Pro\type32.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
F:\Nomad\PStart.exe
F:\Nomad\Programs\FirefoxPortable\App\firefox\firefox.exe
C:\Programas\Hijackthis\showme.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.parishiltonrecord.com/quicktime/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1019C857-CEC7-4536-B05D-85E575A7B9D1} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {257FDC75-EC94-BB80-8CB6-087D34D5B329} - C:\WINDOWS\system32\jabtwxi.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {832C2E8D-0D0E-43A2-A825-547C96DF43E4} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\dhwqxlec.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [type32] "C:\Programas\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\Fernando Faria\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [zvbomsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zvbomsg.dll,xlpoqje
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [DC6] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe" /min
O4 - HKLM\..\Run: [DC6_check] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe"
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programas\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89348F70-2917-43E3-B3EA-23BB9B285258}: NameServer = 195.23.129.126,194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Programas\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe



....Thanks

#13 -David-


Posted 13 November 2006 - 11:54 AM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {1019C857-CEC7-4536-B05D-85E575A7B9D1} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {257FDC75-EC94-BB80-8CB6-087D34D5B329} - C:\WINDOWS\system32\jabtwxi.dll (file missing)
O2 - BHO: (no name) - {832C2E8D-0D0E-43A2-A825-547C96DF43E4} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\dhwqxlec.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\Fernando Faria\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [zvbomsg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zvbomsg.dll,xlpoqje
O4 - HKLM\..\Run: [DC6] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe" /min
O4 - HKLM\..\Run: [DC6_check] "C:\Programas\Ficheiros comuns\dc6_startupmon.exe"
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\zvbomsg.dll
C:\WINDOWS\system32\stera.exe
C:\WINDOWS\system32\tuvvspm.dll
C:\WINDOWS\impborl.dll
C:\Programas\Ficheiros comuns\dc6_startupmon.exe


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Please open notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NI.UWFX5Z_0001_N660117"=-

Save this as "fix.reg" Choose to save as *all files and place it on your desktop.
It should look like this: [image]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

David

Edited by D-Trojanator, 13 November 2006 - 11:54 AM.
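As an added example (not part of this thread and not HijackThis's own code), a small Python script that reads entry lines in the HijackThis v1.99.1 format above, flags the kinds of entries David singled out (O2/O3/O20 load points whose file is "(file missing)" or "(no file)", and an O4 Run value launching from Temporary Internet Files), and then checks a second log to confirm those entries are gone after "Fix Checked". The two sample logs are constructed from entries in this thread, with the user name in the path replaced.

```python
"""Read a HijackThis 1.99.1 log the way a forum helper does, then confirm
that a 'Fix checked' pass actually removed the flagged entries."""
import re
from typing import List, Tuple

# Constructed sample: entry lines modelled on the log posted in this thread,
# before the fix (header and process-list lines included to show they are skipped).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1019C857-CEC7-4536-B05D-85E575A7B9D1} - C:\WINDOWS\system32\jkhhg.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NI.UWFX5Z_0001_N660117] "C:\Documents and Settings\user\Definições locais\Temporary Internet Files\Content.IE5\14TEP12D\WinFixer2005FreeInstall_pt[1].exe" -nag
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O20 - Winlogon Notify: winowl32 - winowl32.dll (file missing)
"""

# Constructed sample: the same machine after the flagged lines were fixed.
AFTER_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
"""

# Entry lines start with a section code (R0..R3, F0..F3, N1..N4, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")


def parse_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every entry line; header and process lines are skipped."""
    entries = []
    for raw in log.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entries(log: str) -> List[Tuple[str, str]]:
    """Return (reason, entry) for the lines a helper would look at first."""
    flagged = []
    for section, body in parse_hjt(log):
        entry = f"{section} - {body}"
        if section in ("O2", "O3", "O20") and ("(file missing)" in body or "(no file)" in body):
            # BHO, toolbar or Winlogon Notify hook whose DLL is gone: an orphaned load point
            flagged.append(("orphaned load point", entry))
        elif section == "O4" and "Temporary Internet Files" in body:
            # A Run value launching a program straight out of the browser cache
            flagged.append(("autorun from browser cache", entry))
    return flagged


def removed_entries(before: str, after: str) -> List[str]:
    """Entries present in the first log but absent from the second."""
    after_set = set(parse_hjt(after))
    return [f"{s} - {b}" for s, b in parse_hjt(before) if (s, b) not in after_set]


def fix_confirmed(before: str, after: str) -> bool:
    """True when every entry flagged in the first log no longer appears in the second."""
    gone = set(removed_entries(before, after))
    return all(entry in gone for _, entry in flag_entries(before))


if __name__ == "__main__":
    for reason, entry in flag_entries(BEFORE_LOG):
        print(f"[{reason}] {entry}")
    print("fix confirmed:", fix_confirmed(BEFORE_LOG, AFTER_LOG))
```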


#14 TenderBranson (Topic Starter)

Posted 14 November 2006 - 08:37 AM

Hi!

Here are the reports:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 14, 2006 1:30:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/11/2006
Kaspersky Anti-Virus database records: 227516
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 120854
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:28:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Alexandre Correia\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Alexandre Correia\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Alexandre Correia\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Alexandre Correia\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Alexandre Correia\Definições locais\Temp\lmgrd9.log Object is locked skipped
C:\Documents and Settings\Alexandre Correia\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Alexandre Correia\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Alexandre Correia\NtUser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0545_fw_eventlog_apps.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0549_AdBlocker_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0549_AdBlocker_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0551_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\0557_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP6\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Fernando Faria\Definições locais\Temp\mst3B.tmp Infected: not-virus:Hoax.Win32.Renos.ge skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\flexlm\ARCGIS Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\cch~b5c4ed3eb1a.htp Object is locked skipped
C:\WINDOWS\temp\cch~b5c4ee92e66.htp Object is locked skipped
C:\WINDOWS\temp\cch~b7091795f8b.htp Object is locked skipped
C:\WINDOWS\temp\cch~b7091893a55.htp Object is locked skipped
C:\WINDOWS\temp\cch~b948698367c.htp Object is locked skipped
C:\WINDOWS\temp\cch~b9486a8d725.htp Object is locked skipped
C:\WINDOWS\temp\cch~b964e1e4f1b.htp Object is locked skipped
C:\WINDOWS\temp\cch~b964e4362ae.htp Object is locked skipped
C:\WINDOWS\temp\cch~b964efd23f6.htp Object is locked skipped
C:\WINDOWS\temp\cch~b964f1000b3.htp Object is locked skipped
C:\WINDOWS\temp\cch~b964f638d53.htp Object is locked skipped
C:\WINDOWS\temp\cch~b964f73158e.htp Object is locked skipped
C:\WINDOWS\temp\cch~b9653d9dd01.htp Object is locked skipped
C:\WINDOWS\temp\cch~b9653ea65e0.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf1575ac8e9.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf1576b5383.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2e89d186b.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2e8adf361.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2e97facf3.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2e9924f6b.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2ecb3e91d.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2ecc849d5.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2ecd9be6d.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2ecdb084f.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2eceeda71.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2ed07eca7.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2f4d7e3ba.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf2f4e79ae4.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf388350f34.htp Object is locked skipped
C:\WINDOWS\temp\cch~bf38844c997.htp Object is locked skipped
C:\WINDOWS\temp\~DFF3A1.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\Nomad\Programs\FirefoxPortable\Data\profile\cert8.db Object is locked skipped
F:\Nomad\Programs\FirefoxPortable\Data\profile\history.dat Object is locked skipped
F:\Nomad\Programs\FirefoxPortable\Data\profile\key3.db Object is locked skipped
F:\Nomad\Programs\FirefoxPortable\Data\profile\parent.lock Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

-----------and---------


Logfile of HijackThis v1.99.1
Scan saved at 13:33:28, on 14-11-2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\PROGRA~1\ESRI\License\arcgis9x\ARCGIS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ALCMTR.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Microsoft IntelliType Pro\type32.exe
C:\Programas\Microsoft IntelliPoint\point32.exe
C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
C:\Programas\HP\HP Software Update\HPWuSchd2.exe
C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
F:\Nomad\PStart.exe
F:\Nomad\Programs\FirefoxPortable\App\firefox\firefox.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Hijackthis\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [type32] "C:\Programas\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programas\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [kis] "C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Programas\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Kaspersky Anti-Banner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\scieplugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{89348F70-2917-43E3-B3EA-23BB9B285258}: NameServer = 195.23.129.126,194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O23 - Service: ArcGIS License Manager - Unknown owner - C:\PROGRA~1\ESRI\License\arcgis9x\lmgrd.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Internet Security 6.0 (AVP) - Unknown owner - C:\Programas\Kaspersky Lab\Kaspersky Internet Security 6.0\avp.exe" -r (file missing)
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Programas\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

....thanks

#15 -David-


Posted 14 November 2006 - 11:24 AM

Hey there,

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

I see a clean log now, how is the PC running?
David



