Infected With (what I Believe To Be) Some Sort Of Smitfraud


19 replies to this topic

#1 ghawk

Posted 29 June 2007 - 03:14 PM

Let me reproduce here the box screens that appear (too) often.

This one is an icon in the tray, and it says:

"System Alert

System detected virus activities. These may impact the performance of your computer. Please, use recommended antispyware software to protect your system from parasite programs."

The other one is a window named Malware Alert, and it says:

"Warning!

"Trojan Adware.W32.ExpDwnldr spyware detected. This Trojan [...]" (it goes on and on about it and then asks me to click Yes and download all available antispyware software).

----------------------


I've already taken all the steps in the Preparation Guide, and this is the HijackThis log:




Logfile of HijackThis v1.99.1
Scan saved at 17:08:20, on 29/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\VM_STI.EXE
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\WINDOWS\mgrs.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Download Accelerator\DAP.EXE
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\xar6000v7.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe
C:\WINDOWS\xar6000v7.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
F2 - REG:system.ini: Shell=explorer.exe c:\windows\winvhost2.exe
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\Download Accelerator\dapbho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O4 - HKLM\..\RunOnce: [megauploadtoolbar] C:\DOCUME~1\Gabriel\CONFIG~1\Temp\tbuninstall.exe -df "C:\Arquivos de programas\MegauploadToolbar\"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles\62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles/62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\Download Accelerator\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\Download Accelerator\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\Download Accelerator\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msole - {2BDF733F-FD21-46E1-83CB-EC2FE5082CAF} - C:\WINDOWS\msole.dll (file missing)
O21 - SSODL: msdde - {31A4A86C-8822-4D78-87BA-DA340824C1DA} - C:\WINDOWS\msdde.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe





Already thankful,


Gabriel

Edited by ghawk, 29 June 2007 - 03:15 PM.



#2 -David-


Posted 29 June 2007 - 03:59 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
F2 - REG:system.ini: Shell=explorer.exe c:\windows\winvhost2.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O4 - HKLM\..\RunOnce: [megauploadtoolbar] C:\DOCUME~1\Gabriel\CONFIG~1\Temp\tbuninstall.exe -df "C:\Arquivos de programas\MegauploadToolbar\"
O21 - SSODL: msole - {2BDF733F-FD21-46E1-83CB-EC2FE5082CAF} - C:\WINDOWS\msole.dll (file missing)
O21 - SSODL: msdde - {31A4A86C-8822-4D78-87BA-DA340824C1DA} - C:\WINDOWS\msdde.dll

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

c:\windows\winvhost2.exe
C:\WINDOWS\ddesupport.dll
C:\WINDOWS\msdde.dll

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back into normal mode.

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
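The entries David singles out above follow a handful of patterns: a Winlogon Shell value that is not plain explorer.exe, a start page pointing at an unknown domain, BHO or SSODL registrations whose file is gone, and Run/RunOnce items launching an executable that sits directly in C:\WINDOWS or under a Temp folder. The script below is an added example (not from the thread, not HijackThis output) that applies those rules to lines copied from the first log in this thread. The allowlists KNOWN_SSODL and START_PAGE_ALLOW are assumptions made for the example. Note that it also flags VM_STI.EXE, the webcam utility, simply because it lives in the Windows root too; the output is a list of leads for a human to check against what is known about the machine, not a verdict.

```python
"""Triage a HijackThis v1.99 log for the entry patterns behind a
Smitfraud-style rogue-antispyware infection.

Added example: the rules are one engineer's heuristics, not HijackThis
behaviour or anything posted in the thread. Sample lines are copied from the
log above; the allowlists are assumptions for this example."""
import re
from dataclasses import dataclass

# Assumed baseline for this machine; widen it for your own environment.
KNOWN_SSODL = {"WPDShServiceObj"}
START_PAGE_ALLOW = ("about:blank", "http://www.google.", "http://home.microsoft.com")

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# An .exe/.dll directly in C:\WINDOWS (not a subfolder such as system32),
# or anything under a Temp folder: legitimate autostarts rarely live there.
ODD_LOCATION_RE = re.compile(r"(^c:\\windows\\[^\\]+\.(?:exe|dll)$)|(\\temp\\)")

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
F2 - REG:system.ini: Shell=explorer.exe c:\windows\winvhost2.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE VIMICRO USB PC Camera
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O4 - HKLM\..\RunOnce: [megauploadtoolbar] C:\DOCUME~1\Gabriel\CONFIG~1\Temp\tbuninstall.exe -df "C:\Arquivos de programas\MegauploadToolbar\"
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msole - {2BDF733F-FD21-46E1-83CB-EC2FE5082CAF} - C:\WINDOWS\msole.dll (file missing)
O21 - SSODL: msdde - {31A4A86C-8822-4D78-87BA-DA340824C1DA} - C:\WINDOWS\msdde.dll
"""


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def entries(log_text):
    """Yield (section, payload, line) for every 'Xn - ...' line of a HijackThis log."""
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group(1), m.group(2), line


def odd_location(path):
    """True when an executable path is in a place autostarts normally are not."""
    return bool(ODD_LOCATION_RE.search(path.strip('"').lower()))


def triage(log_text):
    """Return the entries worth a second look, each with a one-line reason."""
    found = []
    for sec, payload, line in entries(log_text):
        low = payload.lower()
        if sec == "F2" and "shell=" in low:
            # The Winlogon shell must be exactly explorer.exe; anything appended
            # is started at every logon, before any Run key is processed.
            if low.split("shell=", 1)[1].strip() != "explorer.exe":
                found.append(Finding(sec, "Winlogon Shell hijack", line))
        elif sec in ("R0", "R1") and "start page" in low:
            url = payload.split("=", 1)[1].strip()
            if not url.startswith(START_PAGE_ALLOW):
                found.append(Finding(sec, "browser start page hijack", line))
        elif sec in ("O2", "O21") and ("(no file)" in low or "(file missing)" in low):
            # Harmless by itself, but it records where something was dropped.
            found.append(Finding(sec, "orphaned CLSID registration", line))
        elif sec == "O2":
            if odd_location(payload.rsplit(" - ", 1)[-1]):
                found.append(Finding(sec, "BHO loaded from Windows root", line))
        elif sec == "O21":
            name = payload.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name not in KNOWN_SSODL:
                found.append(Finding(sec, "unknown ShellServiceObjectDelayLoad entry", line))
        elif sec == "O4" and "] " in payload:
            # Run/RunOnce: the binary is the first token (or quoted path) after [name].
            rest = payload.split("] ", 1)[1]
            target = rest[1:].split('"', 1)[0] if rest.startswith('"') else rest.split(" ", 1)[0]
            if odd_location(target):
                found.append(Finding(sec, "autostart from Windows root or Temp", line))
        elif sec == "O17" and "nameserver" in low:
            found.append(Finding(sec, "DNS servers overridden; confirm they belong to your ISP", line))
    return found


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.section:<4}{f.reason:<58}{f.line}")
```

Run it on a saved log with `triage(open("hijackthis.log").read())`. Every rule is deliberately loose in the direction of flagging too much: the O17 line in this thread, for instance, most likely belongs to the user's ISP, but a rogue that swaps DNS servers looks identical in the log, so it is worth one look.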

#3 ghawk


Posted 29 June 2007 - 08:35 PM

Hi there David,

thanks for your help.

I followed the steps, and everything seems to have worked out okay.

One of the files you told me to delete in HijackThis wasn't there.

O4 - HKLM\..\RunOnce: [megauploadtoolbar] C:\DOCUME~1\Gabriel\CONFIG~1\Temp\tbuninstall.exe -df "C:\Arquivos de programas\MegauploadToolbar\"

But, as I said, the computer now is working fine, so I imagined it to not be so big a deal.

I guess it's good to mention that I use Firefox and not IE. Just for clarification.

Without your help I probably would have already gone crazy with this malware.

So, VERY thankful again,

Gabriel

--------------------------------------------------------------

ComboFix Log:

"Gabriel" - 2007-06-29 22:02:57 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Gabriel\FAVORI~1.\Error Cleaner.url
C:\DOCUME~1\Gabriel\FAVORI~1.\Privacy Protector.url
C:\DOCUME~1\Gabriel\FAVORI~1.\Spyware&Malware Protection.url
C:\WINDOWS\dat.txt
C:\WINDOWS\mgrs.exe
C:\WINDOWS\rs.txt
C:\WINDOWS\search_res.txt


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-30 )))))))))))))))))))))))))))))))


2007-06-29 22:02 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 17:50 <DIR> d-------- C:\Arquivos de programas\CCleaner
2007-06-29 16:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\Spybot - Search & Destroy
2007-06-29 15:52 <DIR> d-------- C:\Arquivos de programas\Enigma Software Group
2007-06-29 13:51 94,480 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-29 13:50 <DIR> d-------- C:\DOCUME~1\Gabriel\DADOSD~1\HouseCall 6.6
2007-06-29 13:48 <DIR> d-------- C:\DOCUME~1\Gabriel\.housecall6.6
2007-06-29 13:37 21,504 --a------ C:\WINDOWS\xar6000v7.exe
2007-06-29 12:54 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-29 06:47 212,992 --a------ C:\WINDOWS\defaultscreen1.scr
2007-06-29 06:46 498,176 --a------ C:\WINDOWS\defaultscreen.scr
2007-06-29 06:46 258,048 --a------ C:\WINDOWS\defaultscreenn.scr
2007-06-28 18:03 <DIR> d-------- C:\WINDOWS\privacy_danger
2007-06-25 14:17 23 --a------ C:\WINDOWS\clofghls.dll
2007-06-24 12:17 <DIR> d-------- C:\Arquivos de programas\FreeRAM Pro
2007-06-23 23:13 <DIR> d-------- C:\Arquivos de programas\FreshUI
2007-06-23 23:13 <DIR> d-------- C:\Arquivos de programas\Disk Defrag
2007-06-17 18:25 <DIR> d-------- C:\Arquivos de programas\iPod
2007-06-16 16:13 <DIR> d-------- C:\Arquivos de programas\PPT to AVI
2007-06-15 17:58 <DIR> d-------- C:\Arquivos de programas\FLV Converter
2007-06-15 13:50 <DIR> d-------- C:\Arquivos de programas\ImTOO
2007-06-14 16:25 <DIR> d-------- C:\Arquivos de programas\Picasa2
2007-06-12 22:16 <DIR> d-------- C:\Arquivos de programas\Mario Forever
2007-06-12 20:06 <DIR> d-------- C:\Arquivos de programas\Windows Live
2007-05-30 17:23 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-05-30 06:41 <DIR> d-------- C:\DOCUME~1\Gabriel\DADOSD~1\iolo
2007-05-30 06:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\iolo
2007-05-30 06:41 <DIR> d-------- C:\Arquivos de programas\iolo


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-30 00:27:17 48,628 ----a-w C:\WINDOWS\system32\perfc016.dat
2007-06-30 00:27:17 344,380 ----a-w C:\WINDOWS\system32\perfh016.dat
2007-06-29 19:06:14 -------- d-----w C:\Arquivos de programas\Party Poker
2007-06-29 19:03:53 -------- d-----w C:\Arquivos de programas\IDoser
2007-06-28 18:53:03 -------- d-----w C:\DOCUME~1\Gabriel\DADOSD~1\uTorrent
2007-06-24 12:49:02 -------- d-----w C:\Arquivos de programas\MV RegClean 4.0
2007-06-24 12:39:10 -------- d-----w C:\DOCUME~1\Gabriel\DADOSD~1\Skype
2007-06-23 17:34:23 -------- d-----w C:\Arquivos de programas\LimeWire
2007-06-23 16:04:01 -------- d-----w C:\DOCUME~1\Gabriel\DADOSD~1\LimeWire
2007-06-23 13:43:23 -------- d-----w C:\Arquivos de programas\Mozilla Thunderbird
2007-06-17 21:26:14 -------- d-----w C:\Arquivos de programas\iTunes
2007-06-17 21:24:41 -------- d-----w C:\Arquivos de programas\QuickTime
2007-06-17 21:14:35 -------- d-----w C:\Arquivos de programas\Apple Software Update
2007-06-12 23:06:19 -------- d-----w C:\Arquivos de programas\MSN Plus
2007-05-23 13:31:19 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
2007-05-23 13:14:51 -------- d-----w C:\Arquivos de programas\Teclado Player
2007-05-23 12:49:20 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-05-23 12:49:15 -------- d-----w C:\Arquivos de programas\Rockstar Games
2007-05-23 11:48:04 5,376 ----a-w C:\WINDOWS\mozver.dat
2007-05-22 19:25:49 -------- d-----w C:\DOCUME~1\Gabriel\DADOSD~1\Opera
2007-05-22 18:56:42 -------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared
2007-05-21 21:16:21 -------- d-----w C:\Arquivos de programas\Everest Home Edition
2007-05-21 20:16:56 -------- d-----w C:\Arquivos de programas\uTorrent
2007-05-16 23:10:37 -------- d-----w C:\Arquivos de programas\Google
2007-05-16 22:45:41 -------- d-----w C:\Arquivos de programas\SpeedBit Video Accelerator
2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-04 18:28:19 -------- d-----w C:\Arquivos de programas\Avid
2007-05-03 20:07:27 -------- d-----w C:\Arquivos de programas\Stuff Plug-in
2007-05-02 00:09:02 -------- d-----w C:\Arquivos de programas\VirtualDJ
2007-04-28 13:00:10 22,464 ----a-w C:\DOCUME~1\Gabriel\DADOSD~1\GDIPFONTCACHEV1.DAT
2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-19 21:07:46 994 ----a-w C:\WINDOWS\eReg.dat
2007-04-18 16:13:00 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0000CC75-ACF3-4cac-A0A9-DD3868E06852}=C:\Arquivos de programas\Download Accelerator\dapbho.dll [2007-03-16 20:45]
{53707962-6F74-2D53-2644-206D7942484F}=C:\ARQUIV~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{8E6CFDFE-79A8-421C-B854-04081690CE6B}=C:\WINDOWS\ddesupport.dll []
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\arquivos de programas\google\googletoolbar2.dll [2007-01-19 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe" [2007-04-21 08:17]
"SiSPower"="SiSPower.dll" [2005-05-26 00:01 C:\WINDOWS\system32\SiSPower.dll]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"iTunesHelper"="C:\Arquivos de programas\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"!AVG Anti-Spyware"="C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 06:25]
"avp"="C:\WINDOWS\xar6000v7.exe" [2007-06-28 13:54]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45]
"msnmsgr"="C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"MSMSGS"="C:\Arquivos de programas\Messenger\msmsgs.exe" [2004-10-13 13:24]
"FreeRAM XP"="C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe" [2006-03-23 00:13]
"SpybotSD TeaTimer"="C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"=C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles\62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles/62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 09:29]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{31A4A86C-8822-4D78-87BA-DA340824C1DA}"="C:\WINDOWS\msdde.dll" []

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Gamma Loader.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Synchronizer.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^WinZip Quick Pick.lnk]
backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
"C:\Arquivos de programas\Download Accelerator\DAP.EXE" /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PicasaNet]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


Contents of the 'Scheduled Tasks' folder
2007-06-23 22:58:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 22:05:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-29 22:06:14
C:\ComboFix-quarantined-files.txt ... 2007-06-29 22:06

--- E O F ---


-------------------------------------------------------------------------------------------------------

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 22:33:48, on 29/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\xar6000v7.exe
C:\WINDOWS\system32\ctfmon.exe
C:\ARQUIV~1\SPEEDB~1\VideoAccelerator.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\mgrs.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\Download Accelerator\dapbho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles\62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles/62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\Download Accelerator\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\Download Accelerator\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\Download Accelerator\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msole - {2BDF733F-FD21-46E1-83CB-EC2FE5082CAF} - (no file)
O21 - SSODL: msdde - {31A4A86C-8822-4D78-87BA-DA340824C1DA} - C:\WINDOWS\msdde.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Edited by ghawk, 29 June 2007 - 08:36 PM.


#4 -David- (Members, 10,603 posts, London)

Posted 30 June 2007 - 04:23 AM

Good work! Let's continue.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

I see you are running TeaTimer.
I suggest you disable it, because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If TeaTimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, download ResetTeaTimer.bat.
Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll (file missing)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O21 - SSODL: msole - {2BDF733F-FD21-46E1-83CB-EC2FE5082CAF} - (no file)
O21 - SSODL: msdde - {31A4A86C-8822-4D78-87BA-DA340824C1DA} - C:\WINDOWS\msdde.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\privacy_danger <--folder
C:\WINDOWS\xar6000v7.exe

Reboot back to normal mode.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work in Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept".
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX control that allows ActiveScan to run.
When the download is complete it will say ready; click "Next".
Select a target to scan: click on "My Computer".
When the scan is complete, choose to save the results as "Save as Text".
Post the Kaspersky scan results in your next reply, along with a new HijackThis log.

#5 ghawk (Topic Starter, Members, 14 posts)

Posted 30 June 2007 - 09:24 AM

Hey there, David.

The Kaspersky Log is too big to fit the posts or even to upload. Any ideas?
It's a 12.8MB Firefox Document; in Word it's a 4.2MB file; in Notepad it's a 6.2MB file.

Kinda big, huh...

--------------------------------------------------------------------------------

Anyway, here goes the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:03:10, on 30/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\Download Accelerator\dapbho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles\62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles/62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\Download Accelerator\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\Download Accelerator\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\Download Accelerator\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O17 - HKLM\System\CS2\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: msole - {2BDF733F-FD21-46E1-83CB-EC2FE5082CAF} - (no file)
O21 - SSODL: msdde - {31A4A86C-8822-4D78-87BA-DA340824C1DA} - C:\WINDOWS\msdde.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe




Thank you VERY much again,

Gabriel

#6 -David- (Members, 10,603 posts, London)

Posted 30 June 2007 - 01:43 PM

Good work! Let's continue.

The infected files have been deleted; it just appears as though your antispyware programs are stopping the HJT fix.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

You are using Download Accelerator (DAP). Be informed that it delivers popup/popunder ads and tracks your internet usage. You can find safer alternatives here: http://www.spywareinfo.com/downloads.php?cat=dlman#dlman
I suggest you remove it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove it.

I have noticed from your log that you have various online poker programs installed on your computer. I understand that you may use these games on a regular basis, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. If you did not install these programs yourself, or you do not use them any more, I would definitely recommend that you uninstall them from your computer, even if it is simply a precautionary measure. The amount of different poker software which arises on the internet means it is impossible to keep track of which ones are infected and which ones are not. If you do use the software, and wish to continue doing so, please ignore this. If you do decide to go ahead and remove the poker software, you should be able to uninstall it via Add/Remove Programs, which can be found in the Control Panel. Let me know if you have any problems whilst doing so.

Launch AVG Anti-Spyware by double-clicking its icon on your desktop or in the system tray.
The main "Status" menu will appear. Select "Change state" to inactivate "Resident Shield" and Automatic Updates.
Then right-click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
Go to Start > Run, type services.msc, and press OK.
Click the "Extended" tab and scroll down the list to find "AVG Anti-Spyware Guard".

When you find the guard service, double-click on it.
In the Properties window > General tab that opens, click the "Stop" button.
From the drop-down menu next to "Startup Type", click on "Manual".
Now click "Apply", then "OK", and close the Services window.
Reboot your computer.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll (file missing)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O21 - SSODL: msole - {2BDF733F-FD21-46E1-83CB-EC2FE5082CAF} - (no file)
O21 - SSODL: msdde - {31A4A86C-8822-4D78-87BA-DA340824C1DA} - C:\WINDOWS\msdde.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Reboot back to normal mode, and post a new HijackThis log.

#7 ghawk (Topic Starter, Members, 14 posts)

Posted 30 June 2007 - 03:12 PM

Hey David,

Here goes the Log:

-------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 17:10:56, on 30/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\ARQUIV~1\SPEEDB~1\VideoAccelerator.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\Download Accelerator\dapbho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.6.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Arquivos de programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles\62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles/62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\Download Accelerator\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\Download Accelerator\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\Download Accelerator\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



VERY VERY thankful,


Gabriel
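
Whether a HijackThis fix actually took is best checked by comparing the requested fix list with the next log on a stable identifier rather than on the whole line. The two logs above show why: between reply #6 and reply #7 the O2 entry for {8E6CFDFE-79A8-421C-B854-04081690CE6B} changed from "MSVPS System ... C:\WINDOWS\ddesupport.dll (file missing)" to "(no name) ... (no file)", so an exact-line comparison would report it removed while the registry registration is still there. The script below is an added example (editor's code, not from the thread, HijackThis or Trend Micro): it parses HJT v1.99.1 entry lines, keys each one on what HijackThis actually found (CLSID for O2/O3/O9/O16/O21, hive plus value name for O4, value name for R0/R1, display name for O23), reports which requested fixes stuck, and flags the two triage cues a helper looks for, orphaned registrations and Run entries launching an .exe dropped straight into C:\WINDOWS. The embedded fix list and trimmed follow-up log are copied from replies #6 and #7 of this thread; the heuristic in `suspect_entries` is the editor's, not a HijackThis feature.

```python
import re

# HijackThis v1.99.1 entry lines copied from this thread. FIX_LIST is the set
# David asked Gabriel to fix in reply #6; NEW_LOG is trimmed to the lines of
# the log Gabriel posted afterwards (reply #7) that matter for the comparison.
FIX_LIST = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gomyron.com/NjU2NA==/2/3560/homepage/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - C:\WINDOWS\ddesupport.dll (file missing)
O4 - HKLM\..\Run: [avp] C:\WINDOWS\xar6000v7.exe
O21 - SSODL: msole - {2BDF733F-FD21-46E1-83CB-EC2FE5082CAF} - (no file)
O21 - SSODL: msdde - {31A4A86C-8822-4D78-87BA-DA340824C1DA} - C:\WINDOWS\msdde.dll (file missing)
"""

NEW_LOG = r"""
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\Download Accelerator\dapbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Arquivos de programas\Party Poker\PartyPoker\RunApp.exe (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - ")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
CLSID_SECTIONS = {"O2", "O3", "O9", "O16", "O21"}
ORPHAN_MARKERS = ("(no file)", "(file missing)")
WINDIR_ROOT_EXE = re.compile(r"(?i)C:\\WINDOWS\\[^\\\s]+\.exe")


def entry_key(line: str) -> tuple:
    """Stable identity of an entry: the registration HijackThis found, not the
    cosmetic parts (display name, target path, '(file missing)' vs '(no file)')
    that change once the DLL on disk is gone but the registry value remains."""
    section, _, rest = line.partition(" - ")
    clsid = CLSID_RE.search(rest)
    if clsid and section in CLSID_SECTIONS:
        return (section, clsid.group(0).upper())
    if section == "O4":                      # Run/RunOnce: hive+key and value name
        m = re.match(r"(.*?): \[([^\]]+)\]", rest)
        if m:
            return (section, m.group(1), m.group(2).lower())
    if section in {"R0", "R1"}:              # IE settings: the registry value name
        return (section, rest.split(" = ", 1)[0])
    if section == "O23":                     # services: the display name
        m = re.match(r"Service: (.*?) - ", rest)
        if m:
            return (section, m.group(1))
    return (section, rest)


def parse_entries(text: str) -> dict:
    """Map entry_key -> first line seen for it, for every entry line in a log."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if ENTRY_RE.match(line):
            entries.setdefault(entry_key(line), line)
    return entries


def check_fix(fix_list: str, new_log: str) -> dict:
    """Did each requested fix stick? An entry is 'still present' when the same
    registration reappears in the follow-up log, even if its text changed."""
    after = parse_entries(new_log)
    result = {"removed": [], "still_present": []}
    for key, line in parse_entries(fix_list).items():
        if key in after:
            result["still_present"].append((line, after[key]))
        else:
            result["removed"].append(line)
    return result


def suspect_entries(log: str) -> list:
    """Editor's triage heuristic, not a HijackThis feature: registrations whose
    file is gone, and Run entries launching an .exe dropped straight into the
    Windows directory (legitimate software lives under Program Files or system32)."""
    hits = []
    for key, line in parse_entries(log).items():
        orphan = line.endswith(ORPHAN_MARKERS)
        rooted = key[0] == "O4" and WINDIR_ROOT_EXE.search(line) is not None
        if orphan or rooted:
            hits.append(line)
    return hits


if __name__ == "__main__":
    outcome = check_fix(FIX_LIST, NEW_LOG)
    for line in outcome["removed"]:
        print("gone:  ", line)
    for before, now in outcome["still_present"]:
        print("STILL: ", before, "\n   now:", now)
    print("suspect in new log:", *suspect_entries(NEW_LOG), sep="\n  ")
```

Run against the two logs from this thread, `check_fix` reports four of the six requested items gone (the hijacked start page, the `[avp]` Run value and both SSODL entries) and two still present: the orphaned BHO CLSIDs, which HijackThis now lists as "(no file)". An orphaned CLSID is harmless on its own, but it is still a registration a repair or reinstall could re-bind, so the usual practice is to fix it anyway. Note that `suspect_entries` also flags the PartyPoker "(file missing)" button, which the thread leaves alone; the heuristic is a triage cue, not a verdict.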

#8 -David- (Members, 10,603 posts, London)

Posted 30 June 2007 - 03:24 PM

No problem, glad to be able to help.
Please open the Kaspersky report and scan down the lines.
Is there a large quantity of lines that look similar, or have similar file paths?
If there are, please let me know by posting them back here.
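
The check David asks for here, "many lines that look similar or share a file path", is the kind of thing a script does better than a pair of eyes on a 12 MB report. The script below is an added example (editor's code, not from the thread or from Kaspersky): it parses the Kaspersky Online Scanner 5 "Infected Object Name / Virus Name / Last Action" lines, drops the "Object is locked skipped" noise (files the scanner could not read, which are not detections), collapses archive-member hits onto the file that actually sits on disk, and groups what is left by detection name and folder. The embedded REPORT is constructed from lines of the report Gabriel posts in the next reply, trimmed to three detections. One caveat a practitioner would add, as an inference from the paths rather than anything the thread establishes: files named BIT*.tmp in a user's Temp folder are the working files the Background Intelligent Transfer Service (BITS) writes while a download job is in progress, and qmgr0.dat/qmgr1.dat (listed as locked in the same report) is the BITS job queue, so several identical copies of the same downloader there are worth following up with a look at pending BITS jobs before declaring the machine clean.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky Online Scanner 5 report
# ("Infected Object Name / Virus Name / Last Action"). The lines are copied
# from the report Gabriel posts in this thread, trimmed to three detections.
REPORT = r"""
C:\Arquivos de programas\Download Accelerator\History\Thomaz\_lasthist.dat Object is locked skipped
C:\Arquivos de programas\HijackThis\backups\backup-20070629-214637-359.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20B.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20B.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20C.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20C.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/1/EnigmaUpdater.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/2/esgi_md5h.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
"""

# "<object> Infected: <detection name> <last action>"; the scanner separates
# archive members from their container with '/', while Windows paths use '\'.
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
LOCKED_SUFFIX = "Object is locked skipped"


def triage(report: str) -> dict:
    """Group detections by name and by the file that actually sits on disk.
    Archive-member hits (BIT20B.tmp/ac8zt2/xar6000v7.exe) are collapsed onto
    their container, so 'same downloader inside several temp files' reads as
    N files with one member each rather than 2N unrelated lines. Locked
    objects (registry hives, index.dat, open logs) are counted and dropped:
    the scanner could not read them, they are not detections."""
    by_name = defaultdict(lambda: defaultdict(list))
    locked = 0
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            locked += 1
            continue
        m = INFECTED_RE.match(line)
        if not m:          # e.g. the "<container> ZIP: infected - 1 skipped" roll-up line
            continue
        container, _, member = m.group("obj").partition("/")
        by_name[m.group("name")][container].append(member or None)
    return {"locked": locked,
            "detections": {n: dict(c) for n, c in by_name.items()}}


def summarize(report: str) -> list:
    """One row per detection: (name, number of on-disk files, their folders).
    This is the 'many lines that look similar or share a file path' check
    done mechanically."""
    rows = []
    for name, containers in triage(report)["detections"].items():
        folders = sorted({c.rsplit("\\", 1)[0] for c in containers})
        rows.append((name, len(containers), folders))
    return rows


if __name__ == "__main__":
    result = triage(REPORT)
    print(f"locked/skipped objects ignored: {result['locked']}")
    for name, count, folders in summarize(REPORT):
        print(f"{name}: {count} file(s) in {folders}")
        # A hit under HijackThis\backups is the copy HijackThis keeps of an
        # item it already fixed, not a live component; note it, don't panic.
        if any("HijackThis\\backups" in f for f in folders):
            print("   (HijackThis backup of an already-fixed item)")
```

On the sample, the summary is three rows: the downloader in two BIT*.tmp files in the same Temp folder, the fraud-tool installer as one downloaded .exe carrying two detected members, and one adware DLL in the HijackThis backups folder. The last is HijackThis's own copy of a removed item rather than something still installed, which is why a helper reads the path before the detection name.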

#9 ghawk (Topic Starter, Members, 14 posts)

Posted 30 June 2007 - 05:07 PM

Hey David,

Most of them are objects that were skipped because they're from other users on my PC, like my brother.

But I believe these ones are pretty similar, and are infected.

I've done some cleaning on the log, removing the files that were skipped because they belonged to other users (who hide them).

This is what's left:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, June 30, 2007 11:01:52 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 30/06/2007
Kaspersky Anti-Virus database records: 355843
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 68180
Number of viruses found: 8
Number of infected objects: 51
Number of suspicious objects: 0
Duration of the scan process: 00:48:33

Infected Object Name / Virus Name / Last Action
C:\Arquivos de programas\Download Accelerator\History\Thomaz\_lasthist.dat Object is locked skipped
C:\Arquivos de programas\Download Accelerator\History\Vivi\_lasthist.dat Object is locked skipped
C:\Arquivos de programas\Download Accelerator\History\waldemar\_lasthist.dat Object is locked skipped
C:\Arquivos de programas\HijackThis\backups\backup-20070629-214637-359.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\Arquivos de programas\InstallShield Installation Information\{017E65B1-7484-461A-B16F-7C931166083B}\setup.ilg Object is locked skipped
C:\Arquivos de programas\InstallShield Installation Information\{2727FBEF-3155-11D4-8F73-0050DA0F6297}\setup.ilg Object is locked skipped
C:\Arquivos de programas\InstallShield Installation Information\{3D9231F6-A287-4222-9EBC-519BB206F590}\setup.ilg Object is locked skipped
C:\Arquivos de programas\InstallShield Installation Information\{7BF68B83-5057-4D4B-0093-28285EEB9EE3}\setup.ilg Object is locked skipped
C:\Arquivos de programas\InstallShield Installation Information\{7D268154-7A31-40F2-9779-7A250914BB39}\setup.ilg Object is locked skipped
C:\Arquivos de programas\InstallShield Installation Information\{D7D50E0C-27DD-4999-BC05-E026B580F93A}\Setup.ilg Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Gabriel\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gabriel\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gabriel\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gabriel\Configurações locais\Histórico\History.IE5\MSHist012007063020070701\index.dat Object is locked skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20B.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20B.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20C.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20C.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20D.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20D.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20E.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20E.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20F.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20F.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT210.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT210.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT211.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT211.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT212.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT212.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\Perflib_Perfdata_4f4.dat Object is locked skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gabriel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/1/EnigmaUpdater.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/2/esgi_md5h.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/17/Esgiutl1.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/18/SHSched.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe/PRE Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe Ghost Installer: infected - 6 skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe UPX: infected - 6 skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\NewMediaCodecInstaller.exe/data0007 Infected: Trojan-Downloader.Win32.Agent.bjc skipped
C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\NewMediaCodecInstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Gabriel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gabriel\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc10.torrent Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc11.torrent Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc12.torrent Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc19.url Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc2.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc20.url Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc21.url Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc3.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc4.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc5.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc7\12_3_2007 17_29_0001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc7\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc8\beer_funil 003_0001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc8\beer_funil 005_0001.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc8\beer_funil 005_0002.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc8\beer_funil 005_0003.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1007\Dc8\Thumbs.db Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc37.tmp Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc38.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc39.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc40.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc41.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc47.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc48.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc49.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc50.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc51.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc52.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc53.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc54.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc55.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc56.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc57.lnk Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc58.exe Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc59.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc60.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc61.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc62.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc63.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc64.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc65.bmp Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc66.jpg Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc67.JPG Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc68.gif Object is locked skipped
C:\RECYCLER\S-1-5-21-1708537768-1677128483-682003330-1008\Dc69.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051395.exe Infected: Trojan-Downloader.Win32.Agent.bjc skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051396.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051397.exe Infected: Trojan-Downloader.Win32.Banload.bej skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051406.exe Infected: Trojan-Spy.Win32.Banker.ju skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051430.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051431.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051435.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051436.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051439.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051440.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051492.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051511.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051514.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051720.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0052501.dll Infected: not-a-virus:AdWare.Win32.Agent.bn skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0053506.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0053527.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP150\A0053626.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP150\A0054622.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP150\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\defaultscreen.scr Infected: Trojan-Spy.Win32.Banker.ju skipped
C:\WINDOWS\defaultscreen1.scr Infected: Trojan-Downloader.Win32.Banload.bej skipped
C:\WINDOWS\defaultscreenn.scr Infected: Trojan-PSW.Win32.Delf.qk skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\USUARIO-4F1CEFF.ldb Object is locked skipped
C:\WINDOWS\mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\privacy_danger\images\capt.gif Object is locked skipped
C:\WINDOWS\privacy_danger\images\danger.jpg Object is locked skipped
C:\WINDOWS\privacy_danger\images\down.gif Object is locked skipped
C:\WINDOWS\privacy_danger\images\spacer.gif Object is locked skipped
C:\WINDOWS\privacy_danger\index.htm Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT049e4.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT049e7.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.



Thank you,

Gabriel

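An added example, not part of the thread and not from the scanner's vendor: a small Python helper that parses the report format quoted above and groups the hits the way the cleanup reply does (files on disk to delete, copies already sitting in the quarantine folder under C:\QooBox, and restore-point copies that a System Restore purge takes care of), while setting aside the "Object is locked" lines, which are in-use system files rather than findings. The sample lines are constructed from entries in the report; the prefix constants and the grouping rules are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the shape of the scanner report quoted in this thread:
# "<path>[/<archive member>] <status> skipped". Paths and detection names are
# taken from the report above; the selection is ours.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Gabriel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20B.tmp/ac8zt2/xar6000v7.exe Infected: Trojan-Downloader.Win32.Agent.bwq skipped
C:\Documents and Settings\Gabriel\Configurações locais\Temp\BIT20B.tmp ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{28EAD551-91DE-4313-954B-D6D6D985D2AA}\RP149\A0051406.exe Infected: Trojan-Spy.Win32.Banker.ju skipped
C:\WINDOWS\defaultscreen.scr Infected: Trojan-Spy.Win32.Banker.ju skipped
C:\WINDOWS\mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\privacy_danger\index.htm Object is locked skipped
Scan process completed.
"""

# The format is ambiguous for paths with spaces, so the path is matched lazily
# and the status alternation is kept strict: an archiver name (ZIP, UPX, NSIS,
# "Ghost Installer") never contains a dot, colon or path separator, which is
# what lets a file name with spaces end in the right place.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<detection>\S+)"
    r"|(?P<archiver>[^:\\/.]+): infected - (?P<members>\d+))"
    r" skipped$"
)

# Location prefixes assumed for this thread: restore-point copies (covered by
# the System Restore purge) and the quarantine folder the helper has deleted.
RESTORE_PREFIX = r"C:\System Volume Information\_restore"
QUARANTINE_PREFIX = r"C:\QooBox\Quarantine"


def parse_line(line):
    """Parse one report line; return a dict, or None for lines that are not file entries."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    reported = m.group("path")
    # Archive members are reported as "<container>/<member>"; the only object
    # that exists on disk is the container, so collapse to that.
    on_disk_path = reported.split("/", 1)[0]
    if on_disk_path.startswith(RESTORE_PREFIX):
        location = "restore_point"
    elif on_disk_path.startswith(QUARANTINE_PREFIX):
        location = "quarantine"
    else:
        location = "on_disk"
    if m.group("locked"):
        kind = "locked"           # in-use system file (hive, index.dat): not a finding
    elif m.group("detection"):
        kind = "infected"
    else:
        kind = "archive_summary"  # per-archive count; the member lines carry the detail
    return {"path": on_disk_path, "kind": kind, "location": location,
            "detection": m.group("detection"), "archiver": m.group("archiver")}


def triage(report_text):
    """Group findings the way the cleanup reply does: delete, quarantined, restore points."""
    delete, quarantined = set(), set()
    detections, counts = Counter(), Counter()
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["kind"]] += 1
        if rec["kind"] != "infected":
            continue
        detections[rec["detection"]] += 1
        if rec["location"] == "on_disk":
            delete.add(rec["path"])
        elif rec["location"] == "quarantine":
            quarantined.add(rec["path"])
        else:
            counts["restore_point_hits"] += 1
    return {
        "delete": sorted(delete),
        "quarantined": sorted(quarantined),
        "restore_point_hits": counts["restore_point_hits"],
        "locked": counts["locked"],
        "detections": dict(detections),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Files to delete from disk:")
    for path in result["delete"]:
        print("  ", path)
    print("Quarantined copies:", len(result["quarantined"]))
    print("Restore-point copies (handled by purging System Restore):",
          result["restore_point_hits"])
    print("Locked in-use files (not findings):", result["locked"])
    print("Detections:", result["detections"])
```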
#10 -David-

Posted 01 July 2007 - 03:17 AM

Good work! Let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\download98719p2s2.exe
C:\QooBox
C:\WINDOWS\defaultscreen.scr
C:\WINDOWS\defaultscreen1.scr
C:\WINDOWS\defaultscreenn.scr
C:\WINDOWS\mgrs.exe
C:\WINDOWS\privacy_danger <--folder

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

° Close all instances of Internet Explorer .
° Go to your control panel and open "Internet Options".
° Click on the "General" tab.
° Click the "Delete Cookies" button, then the "Delete Files" button.
° If prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other Temporary files and Empty the Recycle Bin.

° Go to start and click on the "run" button.
° Type the following in the box --> cleanmgr and click ok.
° Let it scan your system for files to remove.
° Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
° Press OK to remove them.

Reboot back into normal mode.

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Please post back letting me know how the system is running.
I see a clean HJT log now! :flowers:

#11 ghawk

Posted 04 July 2007 - 01:34 PM

Hey there David,

sorry for taking so long; I had a trip that took a little longer than I thought it would.

Listen, I cleaned all those files you said, except one: C:\WINDOWS\privacy_danger.
When I try to erase the folder, it opens up a window saying something like: "Access denied. Make sure the disk is not protected and the file isn't being used". Something like that.

All other steps followed.



Awaiting your answer,


Gabriel


Oh, and the system is working just fine, thanks.

Edited by ghawk, 04 July 2007 - 01:34 PM.


#12 -David-

Posted 04 July 2007 - 04:57 PM

Hiya Gabriel, let's try this..

Please download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1, and press Enter.
A text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

#13 ghawk

Posted 05 July 2007 - 11:43 AM

Hey David,

here it goes.


Thanks,

Gabriel


-------------------------------------------------------------

SmitFraudFix v2.200

Scan done at 13:41:55,32, qui 05/07/2007
Run from C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\SmitfraudFix
OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\iPod\bin\iPodService.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\ARQUIV~1\MOZILL~1\FIREFOX.EXE
C:\Arquivos de programas\Download Accelerator\DAP.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\privacy_danger FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gabriel


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gabriel\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Gabriel\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Arquivos de programas


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Minha p gina inicial atual"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WAN (PPP/SLIP) Interface
DNS Server Search Order: 200.149.55.142
DNS Server Search Order: 200.165.132.154

HKLM\SYSTEM\CCS\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer=200.149.55.142 200.165.132.154
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer=200.149.55.142 200.165.132.154


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#14 -David-

Posted 05 July 2007 - 12:08 PM

Ok, let's continue...

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non infected computer will remove your Desktop background.
Also post a new Hijackthis log.

David

#15 ghawk

Posted 05 July 2007 - 01:40 PM

Hey David,

OK.

Here it goes:

--------------------------------------------------------------------------------

SmitFraudFix v2.200

Scan done at 14:55:49,10, qui 05/07/2007
Run from C:\Documents and Settings\Gabriel\Meus documentos\Arquivos Baixados\SmitfraudFix
OS: Microsoft Windows XP [versÆo 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

Problem while deleting C:\WINDOWS\privacy_danger

»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

-------------------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 15:38:34, on 5/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Download Accelerator\DAP.EXE
C:\Arquivos de programas\HijackThis\HijackThis.exe

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\Download Accelerator\dapbho.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8E6CFDFE-79A8-421C-B854-04081690CE6B} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Arquivos de programas\FreeRAM Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles\62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\Gabriel\Dados de aplicativos\Mozilla\Firefox\Profiles/62t56syd.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\Download Accelerator\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\Download Accelerator\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\Download Accelerator\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O17 - HKLM\System\CS1\Services\Tcpip\..\{1B91A6F3-8ABC-41EF-9E77-119C5E9C2BEA}: NameServer = 200.149.55.142 200.165.132.154
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Arquivos de programas\Arquivos comuns\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Arquivos de programas\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VideoAcceleratorEngine - Speedbit Ltd. - C:\ARQUIV~1\SPEEDB~1\VideoAcceleratorEngine.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe