Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Smitfraud-c.toolbar888 And Malicius Antivirus Pages


  • This topic is locked This topic is locked
10 replies to this topic

#1 Nunosan

Nunosan

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 08 January 2007 - 06:06 AM

If anybody can help me I would appreciate. 3 days ago I was infested with this terrible plague. Every time I opened the I.E, I had an advertisement of Problems in the security of my computer, and redirected to a page to download an antivirus. I tried spyboot and it kept showing the smitfraud-c.toolbar888. It cleaned but it always came back. I tried others, who found different names and cleaned different virus but the problem persisted. Finally, I installed Spywaredoctor 4. It helped a lot, but the problem is not yet fixed. Often, i get the intrusion of that page. I also have running, and had before, The Norton Internet Security2007 who can't find anything. Every time I log in, when the norton starts, it says that it blocks a Trojan vundu. I don't know what else I can do! If you could help me in anyway I would very much appreciate.

Logfile of HijackThis v1.99.1
Scan saved at 2:13:28, on 08-01-2007
Platform: Windows SAP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ahead\InCD\InCD.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Java\jre1.5.0_09\bin\jusched.exe
C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programas\PC Connectivity Solution\ServiceLayer.exe
C:\Programas\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programas\Netropa\Onscreen Display\OSD.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Spyware Doctor\swdoctor.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\Cliente\DEFINI~1\Temp\Adobelm_Cleanup.0001
C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\Cliente\DEFINI~1\Temp\Adobelm_Cleanup.0001
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programas\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PCTVRemote] C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programas\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\deoegvpq.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Programas\CyberDefender\AntiSpyware\cdas17c.exe" /minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programas\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programas\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programas\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe

BC AdBot (Login to Remove)

 


#2 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:05:49 AM

Posted 08 January 2007 - 07:13 AM

Heya :thumbsup:

I'm Victor and I'll help you get rid of your problem.

If you havs installed messengerplus3 with the sponsor program option checked, please uninstall it and install messengerplus3 without the sponsor program installed.

Please download
VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,
    click YES
  • Once you click yes, your desktop will go blank as it starts removing
    Vundo.
  • When completed, it will prompt that it will shutdown your computer,
    click OK.
  • Turn your computer back on.
Note: It is possible that VundoFix encountered a file it could not
remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Open hijackthis and check the following line :

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\deoegvpq.dll",setvm


Press Fix checked

REBOOT

Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have next icon next to it: Posted Image
    Select it and click Remove.
  • Then Download and install the newest version from here:http://www.java.com/en/download/manual.jsp
Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

Please post all the logs generated : C:\vundofix.txt the kaspersky scan and a new hijackthis log.

#3 Nunosan

Nunosan
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 08 January 2007 - 10:33 AM

Hi :flowers: Victor!
Thank you so much for your disponibity. I did everything as suggested.
VundoFix.exe and vundo~Remove. Several files here deleted.
At reboot VundoFix did not show as you suggested it could happen. Unfortunately, I forgot to save the text from vundo fix. I think I had to select and copy to the note book?
With the HijackThis i fixed
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\deoegvpq.dll",setvm
Reboot. JAva was removed and installed int he newest version and I runed the "Kaspersky Online Scanner".
When I opened the page of "Kaspersky" i got, again, the famous "popup" from WinAntispyware2006. so anoing. But the system improved, and i guess the message of blocking the vundo at log in, from norton disappeared. But, as you will see, the scan show, still some infections. Please let's keep trying. I depend on you. Than kyou :thumbsup:

The HijacThis log bevore vundoRemove

Logfile of HijackThis v1.99.1
Scan saved at 13:24:14, on 08-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ahead\InCD\InCD.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\Java\jre1.5.0_09\bin\jusched.exe
C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programas\Spyware Doctor\swdoctor.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programas\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programas\Netropa\Onscreen Display\OSD.exe
C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programas\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\hijackthis\AnalyseThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\byhdnalg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B4A062B6-F310-475C-9483-FABA4F8300BF} - C:\WINDOWS\system32\vtuvttt.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {CFF3B7AF-AA53-42C0-A22C-BE9B0D786C01} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {EA36C43C-24C1-48D3-94CD-9E4C2C34D42E} - C:\WINDOWS\system32\mljgf.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PCTVRemote] C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programas\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\deoegvpq.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Programas\CyberDefender\AntiSpyware\cdas17c.exe" /minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programas\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: vtuvttt - C:\WINDOWS\SYSTEM32\vtuvttt.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programas\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programas\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe

The Kaspersky online sacanner Text.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 08, 2007 2:53:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/01/2007
Kaspersky Anti-Virus database records: 242388
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 60741
Number of viruses found: 3
Number of infected objects: 6 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:50:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\9D97300A.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Cliente\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Temp\mst36.tmp Infected: Packed.Win32.Klone.t skipped
C:\Documents and Settings\Cliente\Definições locais\Temp\Perflib_Perfdata_7b0.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Temp\win3A.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bdr skipped
C:\Documents and Settings\Cliente\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cliente\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Cliente\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDCON.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDFW.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Programas\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Programas\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Programas\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{19363D70-01E9-42EA-96EA-48A30DDC804B}\RP588\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3FDC05E8-2883-41D4-B4A0-5B67C84E609F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\jivlgsdh.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\pqujuqif.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\win144.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bdr skipped
C:\WINDOWS\Temp\win20.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bdr skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

The last Hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 14:57:18, on 08-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ahead\InCD\InCD.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programas\Spyware Doctor\swdoctor.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programas\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programas\Netropa\Onscreen Display\OSD.exe
C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programas\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Programas\hijackthis\AnalyseThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\byhdnalg.dll
O2 - BHO: (no name) - {83A1156D-C203-42AD-945D-BB09162A611D} - C:\WINDOWS\system32\geeba.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {CFF3B7AF-AA53-42C0-A22C-BE9B0D786C01} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {EA36C43C-24C1-48D3-94CD-9E4C2C34D42E} - C:\WINDOWS\system32\mljgf.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PCTVRemote] C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programas\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Programas\CyberDefender\AntiSpyware\cdas17c.exe" /minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programas\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programas\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programas\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe

Thank so much. Let try another aproach.

#4 Nunosan

Nunosan
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 09 January 2007 - 02:56 PM

Hi Victor.
Sorry to bother you, but i'm a little desperate. I guess you are used to this. Please be patient with me.
I wasn't sure everything was done in the right way, because I got the intrusion of the same nasty page advertising the antispywarepro2006 and so on... I also, was worried why I couldn't get the log from the vunduFix. You mencioned about a C:\vundufix.text and in fact I discovered addmorefiles.txt in the VunduFix backups file. So, today, when repeating the process I paid attention to the name of the files shown and found them in this file that will also be posted. Today I post this, the last hijackThis at the end of vundufix and also the new report from the "Kaspersky" scan of today. It mencions the same trojans as yestarday. Wich, I think, means that the machine is still infected. Please tell me, if possible, what i should do next to clean it. Also, want you to know, that I have installed and running the norton internet security 2007 and Spydoctor. Is that okay, during the process of cleaning? Yesterday i runned a scan with the norton and it didn't find any virus , while the "Kaspersky" indicates the opposite. Thank you again for all the help, and time that you will be spending with my problem. Nuno

Vundufixfiles log
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini2
C:\WINDOWS\system32\abeeg.tmp

Logfile of HijackThis v1.99.1
Scan saved at 16:08:16, on 09-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ahead\InCD\InCD.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programas\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programas\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programas\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programas\Netropa\Onscreen Display\OSD.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programas\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Spyware Doctor\swdoctor.exe
C:\Programas\hijackthis\AnalyseThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\byhdnalg.dll
O2 - BHO: (no name) - {83A1156D-C203-42AD-945D-BB09162A611D} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {CFF3B7AF-AA53-42C0-A22C-BE9B0D786C01} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {EA36C43C-24C1-48D3-94CD-9E4C2C34D42E} - C:\WINDOWS\system32\mljgf.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PCTVRemote] C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programas\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Programas\CyberDefender\AntiSpyware\cdas17c.exe" /minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programas\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programas\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programas\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 09, 2007 5:44:02 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/01/2007
Kaspersky Anti-Virus database records: 242622
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 62186
Number of viruses found: 3
Number of infected objects: 6 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:48:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-01-09_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\5409003E.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Cliente\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Histórico\History.IE5\MSHist012007010920070110\index.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Temp\mst36.tmp Infected: Packed.Win32.Klone.t skipped
C:\Documents and Settings\Cliente\Definições locais\Temp\Perflib_Perfdata_8bc.dat Object is locked skipped
C:\Documents and Settings\Cliente\Definições locais\Temp\win3A.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bdr skipped
C:\Documents and Settings\Cliente\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Cliente\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Cliente\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Cliente\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDCON.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDFW.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Programas\Ficheiros comuns\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Programas\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Programas\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Programas\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{19363D70-01E9-42EA-96EA-48A30DDC804B}\RP589\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\jivlgsdh.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\pqujuqif.dll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\win144.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bdr skipped
C:\WINDOWS\Temp\win20.tmp.exe Infected: Trojan-Downloader.Win32.Agent.bdr skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

I'll be waiting for your next instructions. :thumbsup:

Edited by Nunosan, 09 January 2007 - 02:59 PM.


#5 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:05:49 AM

Posted 09 January 2007 - 04:03 PM

Okie :thumbsup:

Please download Process Explorer by Systernals from HERE

Also download KillBox by Option^Explicit from HERE


Then boot up in SAFE MODE

the rest of this fix must be done in safe mode.


Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of byhdnalg.dll once and then click the kill button.

After you have killed all of the byhdnalg.dll's under winlogon click OK.

also look for any .ini or bak files or other dll's with either the same name or the file name in reverse & kill them as well

Next double click on explorer.exe and again click once on each instance of byhdnalg.dll then click the kill button.

also look for any .ini or bak files or reverse named dll's with either the same name or the file name in reverse & kill them as well.

Repeat the above process also for the file: geeba.dll and mljgf.dll

Click on the Threads tab at the top.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.



O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\byhdnalg.dll
O2 - BHO: (no name) - {83A1156D-C203-42AD-945D-BB09162A611D} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {CFF3B7AF-AA53-42C0-A22C-BE9B0D786C01} - C:\WINDOWS\system32\mljgf.dll (file missing)
O2 - BHO: (no name) - {EA36C43C-24C1-48D3-94CD-9E4C2C34D42E} - C:\WINDOWS\system32\mljgf.dll (file missing)


Now click fix checked and close HijackThis.

Please copy the text in BOLD below, and paste it into a blank notepad window.
Save it as vundo.reg and in the save as type box choose all files.

Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7DA39570-5FD2-4f18-94B4-20730CB3F727}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{83A1156D-C203-42AD-945D-BB09162A611D}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CFF3B7AF-AA53-42C0-A22C-BE9B0D786C01}

[-HKEY_CLASSES_ROOT\CLSID\{7DA39570-5FD2-4f18-94B4-20730CB3F727}]

[-HKEY_CLASSES_ROOT\CLSID\{83A1156D-C203-42AD-945D-BB09162A611D}]

[-HKEY_CLASSES_ROOT\CLSID\{CFF3B7AF-AA53-42C0-A22C-BE9B0D786C01}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]


now run killbox and paste The FIRST ONE of the below file paths into the box, select delete on reboot then press the red X button,say yes to the prompt but no to reboot now

then continue to paste the lines in in turn and follow the above procedure every time, If it says file is missing, or if it says unable to delete then make a note of the file name and let us know when you reply

C:\WINDOWS\system32\byhdnalg.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\mljgf.dll


then repeat by typing in the full name of of any of the reverse named .bak or .ini or other files that you discovered in step 1 if there were any.

REBOOT

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

#6 Nunosan

Nunosan
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 09 January 2007 - 08:16 PM

:thumbsup: I guess the smile means how I feel know!!
I did everything as you told me. i had a great doubt. I didn't know if I should click the vundo.reg before doing anything else or following exactly the sequence as you wrote. so I followed the sequence exactly and only double clicked after using procexp.exe, than run HijackThis and fixed the lines you told. So only then I double clicked the vundo.reg. i hope i did it right????
Afterwards I run the Killbox and couldn't reboot automatically. I include the log as well.
When using the in the first step the procexp.exe i couldn't find any of the files mencioned. Any of them. So i didn't kill any at that stage.
When finally i rebooted, the machine seems another one. I had a problem with the I.E, downloading .pdf from safe sights but the error message, from microsoft, redirected me to Symantec sight and, automatically a tool was generated to fix the problem. Apparently we may have, or the "virus" must have damage something. But after that everything runs fine, fast and I'm happy again. I have so much work pending that I was nuts...
Please tell me if everything is fine now, or if there is additional cleaning, fixing or whatever to do. As I don't know if the double clicked the vundo.reg was in the right or wrong moment...
Hope to ear from you soon.

Pocket Killbox version 2.0.0.881
Running on Windows XP as Cliente(Administrator)
was started @ quarta-feira, Janeiro 10, 2007, 12:04 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\byhdnalg.dll


# 2 [Delete on Reboot]
Path = C\WINDOWS\system32\geeba.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\mljgf.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:09:42 AM
# 4 [Delete on Reboot]
Path = C:\WINDOWS\system32\mljgf.dll


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:10:21 AM
Killbox Closed(Exit) @ 12:10:24 AM
__________________________________________________


Logfile of HijackThis v1.99.1
Scan saved at 0:16:48, on 10-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ahead\InCD\InCD.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programas\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programas\Spyware Doctor\swdoctor.exe
C:\Programas\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\Programas\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programas\Netropa\Onscreen Display\OSD.exe
C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programas\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\hijackthis\AnalyseThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [PCTVRemote] C:\Programas\Pinnacle\Pinnacle PCTV\Remote\Remoterm.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programas\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Programas\CyberDefender\AntiSpyware\cdas17c.exe" /minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programas\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programas\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programas\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe

:flowers:

#7 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:05:49 AM

Posted 10 January 2007 - 02:25 AM

Download and scan with SUPERAntiSypware Free for Home Users
alternate site
  • Double-click SUPERAntiSypware.exe to install and use the default settings for installation.
  • Run SUPERAntiSypware and update the definitions before scanning by selecting "Check for Udates".
  • When done, select "Scan for Harmful Software".
  • There are three scanning options available. Choose "Perform Complete Scan" and click "Next".
  • When done, a Scan Summary will appear with potentially harmful items that were detected. Click "OK".
  • Place a checkmark next to items you wish to remove/quarantine and Click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • Please post the results of the superantispyware log in your next reply.
  • Select close to exit the program.
Note: If you encounter any problems while downloading the updates, manually download and unzip them from here.

Download and unzip Avenger to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy,then paste all the text in the quote box below.

Files to delete:
C:\WINDOWS\system32\byhdnalg.dll
C:\WINDOWS\system32\geeba.dll
C:\WINDOWS\system32\mljgf.dll


Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Note: This script is for this topic only and should not be used for any other

After the reboot post a new hijackthis log and the avenger log.

#8 Nunosan

Nunosan
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 10 January 2007 - 06:24 AM

Hi Victor.
Following your last instructions we have:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vtcuqooy

*******************

Script file located at: \??\C:\WINDOWS\system32\hjsduosa.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\byhdnalg.dll not found!
Deletion of file C:\WINDOWS\system32\byhdnalg.dll failed!

Could not process line:
C:\WINDOWS\system32\byhdnalg.dll
Status: 0xc0000034



File C:\WINDOWS\system32\geeba.dll not found!
Deletion of file C:\WINDOWS\system32\geeba.dll failed!

Could not process line:
C:\WINDOWS\system32\geeba.dll
Status: 0xc0000034



File C:\WINDOWS\system32\mljgf.dll not found!
Deletion of file C:\WINDOWS\system32\mljgf.dll failed!

Could not process line:
C:\WINDOWS\system32\mljgf.dll
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 11:09:30, on 10-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe
C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ahead\InCD\InCD.exe
C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Programas\MessengerPlus! 3\MsgPlus.exe
C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Programas\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Programas\Spyware Doctor\swdoctor.exe
C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programas\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Programas\Netropa\Onscreen Display\OSD.exe
C:\Programas\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programas\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Programas\Pinnacle\Shared Files\Programs\Scheduler\PCLEScheduler.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\hijackthis\AnalyseThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Programas\Ficheiros comuns\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Programas\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Programas\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Programas\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [CyberDefender Early Detection Center] "C:\Programas\CyberDefender\AntiSpyware\cdas17c.exe" /minimize
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Programas\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Pinnacle Scheduler.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\programas\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\programas\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\programas\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\programas\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\programas\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\programas\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Programas\Ficheiros comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Programas\Ahead\InCD\InCDsrv.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Programas\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Programas\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\AppCore\AppSvc32.exe

The only strange thing is that, after reboot, the norton bar did not show. And I have now runing the two spywares simoultaneasly. Should I uninstall one of them? No conflits runnning together plus the norton?. I will reboot again, to see if the norton bar shows as it should. If not, I'll let you know.

Thank you. :thumbsup:

Edited by Nunosan, 10 January 2007 - 06:26 AM.


#9 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:05:49 AM

Posted 10 January 2007 - 06:35 AM

Looks clean now :thumbsup:

You can uninstall SuperAntispyware if you already have Spyware Doctor running.
As for Norton I suggest you get rid of it and install something better like : AVG as anti-virus and Zone Alarm as firewall.

My personal experience has shown that the most infected pcs had NAV installed. To support my statement, I'll quote your first post "

I also have running, and had before, The Norton Internet Security2007 who can't find anything.



#10 Nunosan

Nunosan
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:04:49 AM

Posted 10 January 2007 - 06:45 AM

I came back to post the log from superantiSpyware, which I had forgoten and found already your reply. Thank you so much for all the time and great help with me. great job!!! :thumbsup:

I post the log but, as can see, notthing special was found. Anyway i quarentine them.
I will follow your sugestions concerning the choice of antivirus and spyware.

SUPERAntiSpyware Scan Log
Generated 01/10/2007 at 10:39 AM

Application Version : 3.4.1000

Core Rules Database Version : 3161
Trace Rules Database Version: 1173

Scan type : Complete Scan
Total Scan Time : 00:06:14

Memory items scanned : 531
Memory threats detected : 0
Registry items scanned : 6038
Registry threats detected : 0
File items scanned : 1536
File threats detected : 3

Adware.Tracking Cookie
C:\Documents and Settings\Cliente\Cookies\cliente@weborama[1].txt
C:\Documents and Settings\Cliente\Cookies\cliente@estat[1].txt

Unclassified.Unknown Origin
D:\DOWNLOADS\NERO\KEY\NERO-KEYGEN\KEYGEN.EXE

#11 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:05:49 AM

Posted 10 January 2007 - 06:53 AM

Great :thumbsup:

Glad we could help :flowers:

I'm locking this topic since the issue has been resolved.
If you ever should need this topic re-opened, please private message a moderator. (this applies to the original topic starter)
Everybody else please start a new thread with your issue.

To reduce the re-infection potential for malware and protect yourself against spyware, here are a few helpful suggestions:

1. Keep Windows and Internet Explorer current with the latest critical security updates from Microsoft. This will patch many of the security holes through which attackers can gain access to your computer.

2. Prevent spyware, homepage hijacking and increase your browser security by using the following free programs:

SpywareGuard
SpywareBlaster
IE-SPYAD

3. Prevention and Protection Tips:

"Help Preventing Spyware" by Pieter Arntz [aka: Metallica] for detailed instructions on how to install and use the above preventive tools.
"How to Protect yourself from malware!" and download a FREE anti-spyware, Firewalls and security tools from ONE LOCATION.
"How did I get infected in the first place?" by Tony Klein.
"THE PARASITE FIGHT: Finding, Removing & Protecting Yourself From Scumware"
"Basic understanding of security" by me, Victor C. aka YounGun for an introduction into the security world.

4. Safer Internet Explorer Settings:

"Safer Settings for Internet Explorer for SP1 & SP2" by Larry Stevenson [aka: Prince_Serendip]
"How to Configure Enhanced Security Features for Internet Explorer in XP SP2".

5. Increase Your Computer Stability and Overall Security

"COMPUTER HEALTH: Getting greater stability from Windows".
"Secure Your Home Computer" by TomCat for a comprehensive overview on how to keep your computer safe.

6. Confused about which apps are good or not? Read "Rogue/Suspect Anti-Spyware Products".

Edited by YounGun, 10 January 2007 - 06:53 AM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users