
Fighting Rrrar.exe, Zzzip.exe, Update.exe


16 replies to this topic

#1 Terrau

  • Members
  • 11 posts

Posted 30 June 2007 - 08:13 PM

Hi,

I've been fighting RRRAR.EXE, ZZZIP.EXE, UPDATE.EXE for some hours now and finally I've arrived at the point where I can send you a HijackThis log. Can you help me? Is it ok now or am I doomed?

Logfile of HijackThis v1.99.1
Scan saved at 1:35:46, on 01-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Programas\Alwil Software\Avast4\ashSimpl.exe
E:\Programas\HiJackThis_v2.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Malicious Scripts Scanner - {55EA1964-F5E4-4D6A-B9B2-125B37655FCB} - C:\Documents and Settings\All Users\Application Data\Prevx\pxbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C0CEB10A-ABC3-42E4-8C7D-9F1DD7D090FD} - (no file)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programas\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [Office SturtUp] osa9.exe
O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd
O4 - HKLM\..\Run: [PrevxOne] "C:\Programas\Prevx1\PXConsole.exe"
O4 - HKLM\..\Run: [VBSysTray] "E:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "E:\PROGRA~1\VIRUSB~1\Bin\avltd.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\cleanup.exe /WindowsRestart
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MonacoGamma.lnk = C:\Programas\Monaco Systems\MonacoEZcolor 2.5\MonacoGamma.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Programas\Norton SystemWorks\Norton GoBack\GBTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Post2Blog - {7E3D69D0-0D79-4E0C-9D68-7A6F9437B36B} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra 'Tools' menuitem: Post2Blog - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/139eb8334f3080...ip/RdxIE601.cab
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - http://www.googlecaches.com/install/tload.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.168
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: hggghhf - C:\WINDOWS\
O20 - Winlogon Notify: mljjk - C:\WINDOWS\System32\mljjk.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Programas\Prevx1\PXAgent.exe" -f (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VirusBuster Component Manager Service (VBCompManService) - VirusBuster Kft. - E:\PROGRA~1\VIRUSB~1\Bin\vbcmserv.exe

Once again, thhaaannkkkssss!


#2 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 01 July 2007 - 07:40 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please download SmitfraudFix (by S!Ri)
Open the file and it will extract the contents (a folder named SmitfraudFix) to your Desktop.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {9A072AA0-A30B-4717-A573-4511BB05F6AC} - (no file)
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - (no file)
O2 - BHO: (no name) - {C0CEB10A-ABC3-42E4-8C7D-9F1DD7D090FD} - (no file)
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - (no file)
O4 - HKLM\..\Run: [Office SturtUp] osa9.exe
O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/139eb8334f3080...ip/RdxIE601.cab
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - http://www.googlecaches.com/install/tload.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.168
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.168
O20 - Winlogon Notify: hggghhf - C:\WINDOWS\
O20 - Winlogon Notify: mljjk - C:\WINDOWS\System32\mljjk.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Go to Start -> Control Panel, and choose Network Connections.
Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Click OK twice, and restart your computer.

Go to Start > Run, type in cmd and click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:
ipconfig /flushdns
Hit Enter
Exit the command window

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\System32\osa9.exe
C:\WINDOWS\System32\ctccw32.dll

Once in Safe Mode, open the SmitfraudFix folder again.
Double-click smitfraudfix.cmd.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Please download FixWareout from here:
http://downloads.subratam.org/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt) and a new HijackThis log.

Also post the rapport.txt from the smitfraudfix application we ran earlier.
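Added example (not from the thread, and not part of HijackThis or SmitfraudFix): a small Python triage pass over lines in the shape of the logs posted above, flagging the entry classes David asked to have fixed: O17 NameServer values pointing at public resolvers, entries whose backing file is gone, O4 Run entries that launch a bare file name, and one executable registered under several Run names. The sample log and the heuristics are constructed for illustration; a bare file name only means the loader resolves it by PATH search, so legitimate entries (the C-Media cmicnfg.cpl here) land in the same review queue and still need manual verification.

```python
"""Triage pass over HijackThis-style log lines (added example, not part of the
thread or of HijackThis itself).  Flags the entry classes the helper acted on:
  * O17 NameServer values pointing at public (non-RFC1918) resolvers
  * R3/O2/O3/O20/O21 entries whose backing file is missing
  * O4 Run entries launching a bare file name (resolved by PATH search)
  * one executable registered under several different Run value names
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the shape of the logs posted above (not a verbatim copy).
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [Office SturtUp] osa9.exe
O4 - HKLM\..\Run: [gfxtray] rundll32 ctccw32.dll,findwnd
O4 - HKCU\..\Run: [nvipctl] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [askdmme] cmdorwkg.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.18 85.255.112.168
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.168.1.1
O20 - Winlogon Notify: mljjk - C:\WINDOWS\System32\mljjk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
"""

# "O4 - <body>" / "R3 - <body>": section tag, then the rest of the line.
SECTION_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Registry Run/RunOnce bodies: HKLM\..\Run: [value name] command line
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)", "is missing")


def is_private_resolver(addr: str) -> bool:
    """True for RFC1918/loopback resolvers (a home router such as 192.168.1.1)."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False


def executable_of(cmd: str) -> str:
    """File an O4 command launches: the quoted path, else the first token;
    for rundll32 hosts, the DLL/CPL argument (before the comma) instead."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    tokens = cmd.split()
    if not tokens:
        return ""
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",")[0]
    return tokens[0]


def is_bare_name(path: str) -> bool:
    """No directory component: the loader finds the file via PATH search."""
    return bool(path) and "\\" not in path and "/" not in path


def triage(log_text: str):
    """Return a list of (finding class, detail) tuples for one log."""
    findings = []
    run_targets = defaultdict(set)  # lower-cased target -> Run value names
    for raw in log_text.splitlines():
        parsed = SECTION_RE.match(raw.strip())
        if not parsed:
            continue
        section, body = parsed.groups()
        if section in ("R3", "O2", "O3", "O20", "O21") and any(m in body for m in MISSING_MARKERS):
            findings.append(("orphan-entry", raw.strip()))
        elif section == "O17" and "NameServer =" in body:
            addrs = body.split("NameServer =", 1)[1].split()
            if any(not is_private_resolver(a) for a in addrs):
                findings.append(("public-dns", raw.strip()))
        elif section == "O4":
            m = O4_RE.match(body)
            if not m:
                continue  # Startup-folder .lnk entries are not handled here
            exe = executable_of(m.group("cmd"))
            if is_bare_name(exe):
                findings.append(("bare-filename", raw.strip()))
            run_targets[exe.lower()].add(m.group("name"))
    for exe, names in run_targets.items():
        if len(names) > 1:
            findings.append(("multi-name-target", f"{exe} registered as {sorted(names)}"))
    return findings


def count_by_class(findings):
    counts = defaultdict(int)
    for cls, _ in findings:
        counts[cls] += 1
    return dict(counts)


if __name__ == "__main__":
    for cls, detail in triage(SAMPLE_LOG):
        print(f"{cls:18} {detail}")
```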

#3 Terrau
  • Topic Starter

  • Members
  • 11 posts

Posted 01 July 2007 - 10:13 PM

Hi David,

First, let me thank you. It is difficult to believe that a site like yours exists. Cool!!!

I've had my share of trouble to go through all the steps you asked. When in normal mode, things seem to start ok but after 2 or 3 minutes go sssllllooowww. I've had to download Smitfraudfix and Fixwareout through safe mode (but just for this, I read the instructions and did the steps in safe mode but with no network support) because in normal mode internet just stalls as installation after 2 or 3 minutes from booting.

These are the reports I've got:

SmitFraudFix v2.197

Scan done at 2:50:20,35, 02-07-2007
Run from C:\Documents and Settings\GATO\Ambiente de trabalho\SmitfraudFix
OS: Microsoft Windows XP [VersÆo 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\DOCUME~1\ALLUSE~1\MENUIN~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\MENUIN~1\Security Troubleshooting.url Deleted
C:\Programas\DirectVideo\ Deleted
C:\Programas\HQvideo\ Deleted
C:\Programas\Safety Bar\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{84A4F327-687F-4C26-BD8E-404389AE4622}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{AB7554F1-7C8D-4C30-85D9-AAB2D9EC52A0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{84A4F327-687F-4C26-BD8E-404389AE4622}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AB7554F1-7C8D-4C30-85D9-AAB2D9EC52A0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{84A4F327-687F-4C26-BD8E-404389AE4622}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{AB7554F1-7C8D-4C30-85D9-AAB2D9EC52A0}: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.115.18 85.255.112.168


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End



Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check

Cache de resolução DNS limpa com êxito.


PC crashed or was not allowed to reboot.

»»»»» Postrun check
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1trap" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "2trap" Deleted
....
»»»»» Misc files.
C:\Documents and Settings\GATO\Application Data\Install.dat Deleted
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\\Programas\\CyberLink\\PowerDVD\\PDVDServ.exe"
"ccApp"="\"C:\\Programas\\Ficheiros comuns\\Symantec Shared\\ccApp.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Programas\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Programas\\Logitech\\Video\\LogiTray.exe"
"TkBellExe"="\"C:\\Programas\\Ficheiros comuns\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"E:\\Programas\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Adobe Photo Downloader"="\"E:\\Programas\\Adobe\\Adobe Photoshop Lightroom 1.1\\apdproxy.exe\""
"Acrobat Assistant 8.0"="\"E:\\Programas\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Programas\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"E:\\Programas\\iTunes\\iTunesHelper.exe\""
"DAEMON Tools"="\"E:\\Programas\\DAEMON Tools\\daemon.exe\" -lang 1033"
"lxcrmon.exe"="\"C:\\Programas\\Lexmark 2400 Series\\lxcrmon.exe\""
"EzPrint"="\"C:\\Programas\\Lexmark 2400 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Programas\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"LXCRCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCRtime.dll,_RunDLLEntry@16"
"SPAMfighter Agent"="\"C:\\Programas\\SPAMfighter\\SFAgent.exe\" update delay 60"
"VBSysTray"="\"E:\\PROGRA~1\\VIRUSB~1\\Bin\\vbsystry.exe\""
"AVLoginToDo"="\"E:\\PROGRA~1\\VIRUSB~1\\Bin\\avltd.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Free Download Manager"="E:\\Programas\\Free Download Manager\\fdm.exe -autorun"
"swg"="C:\\Programas\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"dlcipscl"="C:\\WINDOWS\\system32\\dcpavss.exe"
"ascdps"="C:\\WINDOWS\\system32\\itsdde.exe"
"nvipctl"="C:\\WINDOWS\\system32\\cligeqah.exe"
"sysctlio"="C:\\WINDOWS\\system32\\cligeqah.exe"
"askdmme"="cmdorwkg.exe"
"mstatdsa"="C:\\WINDOWS\\system32\\cligeqah.exe"
"msdlstat"="C:\\WINDOWS\\system32\\smbssldp.exe"
"rsalibz"="C:\\WINDOWS\\system32\\cligeqah.exe"
"ncsysproc"="C:\\WINDOWS\\system32\\sdmvproc.exe"
"drmconns"="C:\\WINDOWS\\system32\\dlmmsers.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»


Logfile of HijackThis v1.99.1
Scan saved at 3:56:40, on 02-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
E:\PROGRA~1\VIRUSB~1\Bin\vbcmserv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Programas\Logitech\Video\LogiTray.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
E:\Programas\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Logitech\Video\FxSvr2.exe
E:\Programas\iTunes\iTunesHelper.exe
E:\Programas\DAEMON Tools\daemon.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\SPAMfighter\SFAgent.exe
E:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe
C:\Programas\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Norton SystemWorks\Norton GoBack\GBTray.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.BIN
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.folha.uol.com.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C0CEB10A-ABC3-42E4-8C7D-9F1DD7D090FD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programas\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [VBSysTray] "E:\PROGRA~1\VIRUSB~1\Bin\vbsystry.exe"
O4 - HKLM\..\Run: [AVLoginToDo] "E:\PROGRA~1\VIRUSB~1\Bin\avltd.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] E:\Programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKCU\..\Run: [nvipctl] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [askdmme] cmdorwkg.exe
O4 - HKCU\..\Run: [mstatdsa] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [msdlstat] C:\WINDOWS\system32\smbssldp.exe
O4 - HKCU\..\Run: [rsalibz] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [ncsysproc] C:\WINDOWS\system32\sdmvproc.exe
O4 - HKCU\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Programas\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MonacoGamma.lnk = C:\Programas\Monaco Systems\MonacoEZcolor 2.5\MonacoGamma.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Programas\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Post2Blog - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Post2Blog - {7E3D69D0-0D79-4E0C-9D68-7A6F9437B36B} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra 'Tools' menuitem: Post2Blog - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VirusBuster Component Manager Service (VBCompManService) - VirusBuster Kft. - E:\PROGRA~1\VIRUSB~1\Bin\vbcmserv.exe

Once again, thank you so much.

#4 Terrau (Topic Starter)
  • Members
  • 11 posts

Posted 02 July 2007 - 10:40 AM

Hi again,

Sorry, this morning I didn't read the first Fixwareout report and didn't see that the reboot had crashed (I know what it was: Windows Automatic Updates were stalling the PC because of the problems with the Internet connection in normal mode).

Please forget the previous Fixwareout report and use this one.
The Internet connection still won't work with the browser in normal mode, so I did that dnsbak.reg procedure; it did nothing. I'm writing to you from safe mode with networking, where everything goes fine.


Fixwareout Last edited 6/27/2007
Post this report in the forums please
...
»»»»»Prerun check

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

»»»»» Postrun check
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....
»»»»» Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\\Programas\\CyberLink\\PowerDVD\\PDVDServ.exe"
"ccApp"="\"C:\\Programas\\Ficheiros comuns\\Symantec Shared\\ccApp.exe\""
"Cmaudio"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"LVCOMSX"="C:\\WINDOWS\\System32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Programas\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Programas\\Logitech\\Video\\LogiTray.exe"
"TkBellExe"="\"C:\\Programas\\Ficheiros comuns\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunJavaUpdateSched"="\"E:\\Programas\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"Adobe Photo Downloader"="\"E:\\Programas\\Adobe\\Adobe Photoshop Lightroom 1.1\\apdproxy.exe\""
"Acrobat Assistant 8.0"="\"E:\\Programas\\Adobe\\Acrobat 8.0\\Acrobat\\Acrotray.exe\""
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"QuickTime Task"="\"C:\\Programas\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"E:\\Programas\\iTunes\\iTunesHelper.exe\""
"DAEMON Tools"="\"E:\\Programas\\DAEMON Tools\\daemon.exe\" -lang 1033"
"lxcrmon.exe"="\"C:\\Programas\\Lexmark 2400 Series\\lxcrmon.exe\""
"EzPrint"="\"C:\\Programas\\Lexmark 2400 Series\\ezprint.exe\""
"FaxCenterServer"="\"C:\\Programas\\Lexmark Fax Solutions\\fm3032.exe\" /s"
"LXCRCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXCRtime.dll,_RunDLLEntry@16"
"SPAMfighter Agent"="\"C:\\Programas\\SPAMfighter\\SFAgent.exe\" update delay 60"
"VBSysTray"="\"E:\\PROGRA~1\\VIRUSB~1\\Bin\\vbsystry.exe\""
"AVLoginToDo"="\"E:\\PROGRA~1\\VIRUSB~1\\Bin\\avltd.exe\""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Free Download Manager"="E:\\Programas\\Free Download Manager\\fdm.exe -autorun"
"swg"="C:\\Programas\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
"dlcipscl"="C:\\WINDOWS\\system32\\dcpavss.exe"
"ascdps"="C:\\WINDOWS\\system32\\itsdde.exe"
"nvipctl"="C:\\WINDOWS\\system32\\cligeqah.exe"
"sysctlio"="C:\\WINDOWS\\system32\\cligeqah.exe"
"askdmme"="cmdorwkg.exe"
"mstatdsa"="C:\\WINDOWS\\system32\\cligeqah.exe"
"msdlstat"="C:\\WINDOWS\\system32\\smbssldp.exe"
"rsalibz"="C:\\WINDOWS\\system32\\cligeqah.exe"
"ncsysproc"="C:\\WINDOWS\\system32\\sdmvproc.exe"
"drmconns"="C:\\WINDOWS\\system32\\dlmmsers.exe"
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater]
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Sorry again for my mistake. Thank you.

#5 -David-
  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 July 2007 - 04:35 PM

No problem, let's continue.
In normal mode please do the following, even though there is no internet:

Go to Start -> Control Panel, and choose Network Connections.
Right click on your default connection, usually Local Area Connection or Dial-up Connection if you are using Dial-up, and left click on properties.
Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Click OK twice, and restart your computer.

Go to Start > Run, type in cmd and click OK.
This will open a command prompt.
Type or copy and paste the following line in the command window:
ipconfig /flushdns
Hit Enter
Exit the command window

Go to Start > Run and type cmd.
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit Enter and reboot.

I do not recommend that you have more than one antivirus product installed and running on your computer at a time.
The reason for this is that if both products have their automatic (Real-Time) protection switched on, then those products which do not encrypt the virus strings within them can cause other antivirus products to create "false alarms".

It can also lead to a clash as both products fight for access to files which are opened; again, this is the resident/automatic protection. In general terms, the two programs may conflict and cause false alarms, when the antivirus software tells you that your PC has a virus when it actually doesn't. Also it can cause system performance problems; your system may lock up due to both software products attempting to access the same file at the same time.

Therefore please go to Add/Remove Programs in the Control Panel and remove either Avast or Symantec.

The internet should be back up now, so you should be able to download the following in normal mode.
If the internet is still not working, please let me know, but continue by downloading this in safe mode...

Please download Combofix to your desktop.
Double-click combofix.exe to launch the application.

Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
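The three manual steps above (DNS back to automatic, flush the resolver cache, reset Winsock), collected into one script. This is an added example and not a tool from this thread or from BleepingComputer; it assumes a Windows host with PowerShell run from an elevated prompt, and the -Fix switch, the function names and the hosts-file check are my own additions. It goes slightly beyond the post: before changing anything it lists every interface that still has hard-coded DNS servers (the registry value that the "Obtain DNS servers automatically" radio button clears) and any hosts-file mapping other than the stock localhost line, since those are the two places a DNS hijacker typically writes to and what Fixwareout's dnsbak.reg backup and hosts reset were dealing with.

```powershell
<#
 Added example, not part of the original thread or any BleepingComputer tool.
 Reports the settings the helper asks to reset by hand, then (with -Fix)
 applies the same two commands. Assumes Windows with PowerShell, run from an
 elevated prompt; the registry and hosts-file paths are the standard ones.
#>
param([switch]$Fix)   # without -Fix the script only reports

$ifRoot    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Per-interface DNS. NameServer holds the static list ("Use the following
#    DNS server addresses"); DhcpNameServer holds what DHCP handed out. The GUI
#    step "Obtain DNS servers automatically" simply empties NameServer.
function Get-StaticDnsInterfaces {
    Get-ChildItem $ifRoot | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.NameServer) {
            [pscustomobject]@{
                Interface = $_.PSChildName
                StaticDns = $p.NameServer
                DhcpDns   = $p.DhcpNameServer
            }
        }
    }
}

# 2. Hosts file. Hijackers add lines that pin vendor or update hostnames to
#    bogus addresses; list every active mapping except the stock localhost entry.
function Get-NonDefaultHostsEntries {
    Get-Content $hostsFile | Where-Object {
        $_ -match '^\s*\S+\s+\S+' -and
        $_ -notmatch '^\s*#' -and
        $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$'
    }
}

$static = @(Get-StaticDnsInterfaces)
if ($static.Count) {
    Write-Host 'Interfaces with hard-coded DNS servers (compare against your ISP/DHCP values):'
    $static | Format-Table -AutoSize
} else {
    Write-Host 'No interface has hard-coded DNS servers.'
}

$hosts = @(Get-NonDefaultHostsEntries)
if ($hosts.Count) {
    Write-Host 'Non-default hosts entries:'
    $hosts | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host 'Hosts file contains only the default localhost entry.'
}

if ($Fix) {
    foreach ($s in $static) {
        # Same effect as choosing "Obtain DNS servers automatically" in the dialog
        Set-ItemProperty -Path (Join-Path $ifRoot $s.Interface) -Name NameServer -Value ''
    }
    ipconfig /flushdns        # clears cached (possibly poisoned) lookups
    netsh winsock reset       # rebuilds the Winsock catalog; needs the reboot the post asks for
}
```

Run it once without -Fix to see what is set, and only pass -Fix after you have checked that the listed DNS servers are not ones you configured yourself; a deliberately configured resolver looks exactly like a planted one to the script.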

#6 Terrau (Topic Starter)
  • Members
  • 11 posts

Posted 02 July 2007 - 08:54 PM

Hi David,

I don't use more than one antivirus. The thing is I have 3 different ones: Norton AV + SystemWorks, which I used for almost a decade till some months ago, when I finally lost my patience as it's getting worse year by year when it comes to PC behaviour, Prevx1 and Avast. Ironically, the free Avast seems to be the one that works better on my PC. But as I spotted the virus myself, Avast was blind to it, I tried the other two and even another trial from VirusBuster. Prevx and VirusBuster spot the files, but the Prevx group still hasn't decided to consider it "good or bad" and VB decided to do nothing. Norton AV, just like Avast, didn't see it. I uninstalled Prevx and VB without problems but Norton, as usual, won't go. SystemWorks doesn't finish uninstalling and seems to be corrupted now. Nevertheless I still have Symantec files on my PC, which I can't get rid of.

The Internet is running normally now. Thank you. Here are the new log files:

Logfile of HijackThis v1.99.1
Scan saved at 2:48:06, on 03-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
E:\Programas\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Programas\Logitech\Video\FxSvr2.exe
E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\QuickTime\qttask.exe
E:\Programas\iTunes\iTunesHelper.exe
E:\Programas\DAEMON Tools\daemon.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programas\Norton SystemWorks\Norton GoBack\GBTray.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.BIN
C:\Programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.folha.uol.com.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C0CEB10A-ABC3-42E4-8C7D-9F1DD7D090FD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SPAMfighter Agent] "C:\Programas\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] E:\Programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKCU\..\Run: [nvipctl] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [askdmme] cmdorwkg.exe
O4 - HKCU\..\Run: [mstatdsa] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [msdlstat] C:\WINDOWS\system32\smbssldp.exe
O4 - HKCU\..\Run: [rsalibz] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Programas\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MonacoGamma.lnk = C:\Programas\Monaco Systems\MonacoEZcolor 2.5\MonacoGamma.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Programas\Norton SystemWorks\Norton GoBack\GBTray.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Post2Blog - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Post2Blog - {7E3D69D0-0D79-4E0C-9D68-7A6F9437B36B} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra 'Tools' menuitem: Post2Blog - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Programas\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccProxy.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Programas\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe


"GATO" - 2007-07-03 2:23:54 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\WINDOWS\wpcjmd.log


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


2007-07-03 02:23 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-07-03 01:17 <DIR> d-------- C:\WINDOWS\pss
2007-07-02 17:09 158,416 --a------ C:\DOCUME~1\ADMINI~1\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-07-02 03:40 11,820 --a------ C:\dnsbak.reg
2007-07-02 02:50 4,592 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-01 22:59 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Definies locais
2007-07-01 15:21 28,672 --a------ C:\WINDOWS\system32\drivers\CO_Mon.sys
2007-07-01 15:05 <DIR> d-------- C:\Programas\Security Task Manager
2007-07-01 15:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SecTaskMan
2007-07-01 12:59 <DIR> d--hs---- C:\found.001
2007-07-01 01:53 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-07-01 01:41 <DIR> d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2007-07-01 01:35 <DIR> d-------- C:\HijackThis
2007-07-01 00:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Prevx
2007-07-01 00:36 <DIR> d-------- C:\Programas\IObit
2007-06-30 19:04 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Contacts
2007-06-30 18:46 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-06-30 18:35 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-30 18:35 <DIR> dr------- C:\DOCUME~1\ADMINI~1\Menu Iniciar
2007-06-30 18:35 <DIR> d--hs---- C:\WINDOWS\CSC
2007-06-30 18:35 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Modelos
2007-06-30 18:35 <DIR> d--h----- C:\DOCUME~1\ADMINI~1\Defini‡äes locais
2007-06-30 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Os meus documentos
2007-06-30 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Favoritos
2007-06-30 18:35 <DIR> d-------- C:\DOCUME~1\ADMINI~1\Ambiente de trabalho
2007-06-30 00:56 <DIR> d-------- C:\WINDOWS\Google Toolbar
2007-06-30 00:03 <DIR> d-------- C:\VBUSTER
2007-06-29 18:34 <DIR> d--hs---- C:\found.000
2007-06-29 16:55 <DIR> d-------- C:\WINDOWS\system32\pt-pt
2007-06-29 16:52 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-06-29 12:05 283 --a------ C:\WINDOWS\comm.bin
2007-06-29 12:00 257 --a------ C:\WINDOWS\msdres.bin
2007-06-27 19:32 43,528 --------- C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-06-26 10:14 <DIR> d-------- C:\Programas\SPAMfighter
2007-06-26 10:14 <DIR> d-------- C:\Programas\Ficheiros comuns\Application
2007-06-26 10:14 <DIR> d-------- C:\Programas\Ficheiros comuns\Ankiro
2007-06-23 15:43 <DIR> d-------- C:\DOCUME~1\GATO\APPLIC~1\Kazaa Lite
2007-06-20 10:22 <DIR> d-------- C:\DOCUME~1\GATO\APPLIC~1\FaxCtr
2007-06-20 00:07 <DIR> d-------- C:\Programas\VID_0E8F&PID_0003
2007-06-19 23:23 409,600 --a------ C:\WINDOWS\system32\lxcrinpa.dll
2007-06-19 23:23 40,960 --a------ C:\WINDOWS\system32\lxcrvs.dll
2007-06-19 23:23 393,216 --a------ C:\WINDOWS\system32\lxcriesc.dll
2007-06-19 23:23 303,104 --a------ C:\WINDOWS\system32\lxcrcoin.dll
2007-06-19 23:23 <DIR> d-------- C:\Programas\lx_cats
2007-06-19 23:22 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2007-06-19 23:22 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-06-19 23:22 692,224 --a------ C:\WINDOWS\system32\lxcrdrs.dll
2007-06-19 23:22 65,536 --a------ C:\WINDOWS\system32\lxcrcaps.dll
2007-06-19 23:22 61,440 --a------ C:\WINDOWS\system32\lxcrcnv4.dll
2007-06-19 23:22 40,960 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2007-06-19 23:22 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2007-06-19 23:22 32,768 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2007-06-19 23:22 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-19 23:22 12,288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL
2007-06-19 23:22 <DIR> d-------- C:\Programas\Lexmark Fax Solutions
2007-06-19 23:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FaxCtr
2007-06-19 23:21 <DIR> d-------- C:\Programas\Lexmark Toolbar
2007-06-19 23:21 <DIR> d-------- C:\Programas\Lexmark 2400 Series
2007-06-19 23:21 <DIR> d-------- C:\Programas\Abbyy FineReader 6.0 Sprint
2007-06-19 23:20 995,328 --a------ C:\WINDOWS\system32\lxcrusb1.dll
2007-06-19 23:20 983,107 --a------ C:\WINDOWS\system32\lxcrgf.dll
2007-06-19 23:20 86,016 --a------ C:\WINDOWS\system32\lxcrcub.dll
2007-06-19 23:20 73,728 --a------ C:\WINDOWS\system32\lxcrcu.dll
2007-06-19 23:20 73,728 --a------ C:\WINDOWS\system32\LXCRcfg.dll
2007-06-19 23:20 667,648 --a------ C:\WINDOWS\system32\lxcrpmui.dll
2007-06-19 23:20 610,304 --a------ C:\WINDOWS\system32\lxcrcomc.dll
2007-06-19 23:20 536,576 --a------ C:\WINDOWS\system32\lxcrlmpm.dll
2007-06-19 23:20 495,616 --a------ C:\WINDOWS\system32\lxcrcoms.exe
2007-06-19 23:20 446,464 --a------ C:\WINDOWS\system32\lxcrutil.dll
2007-06-19 23:20 421,888 --a------ C:\WINDOWS\system32\lxcrcomm.dll
2007-06-19 23:20 380,928 --a------ C:\WINDOWS\system32\lxcrih.exe
2007-06-19 23:20 36,864 --a------ C:\WINDOWS\system32\lxcrcur.dll
2007-06-19 23:20 233,472 --a------ C:\WINDOWS\system32\LXCRinst.dll
2007-06-19 23:20 200,704 --a------ C:\WINDOWS\system32\lxcrinsb.dll
2007-06-19 23:20 163,840 --a------ C:\WINDOWS\system32\lxcrprox.dll
2007-06-19 23:20 155,648 --a------ C:\WINDOWS\system32\lxcrins.dll
2007-06-19 23:20 143,360 --a------ C:\WINDOWS\system32\lxcrjswr.dll
2007-06-19 23:20 110,592 --a------ C:\WINDOWS\system32\lxcrinsr.dll
2007-06-19 23:20 1,183,744 --a------ C:\WINDOWS\system32\lxcrserv.dll
2007-06-19 13:51 <DIR> d-------- C:\EPSON
2007-06-18 18:01 <DIR> d-------- C:\DOCUME~1\GATO\.housecall6.6
2007-06-17 21:19 <DIR> d-------- C:\DOCUME~1\GATO\APPLIC~1\vlc
2007-06-17 16:29 <DIR> d-------- C:\DOCUME~1\GATO\APPLIC~1\SopCast
2007-06-08 09:56 <DIR> d-------- C:\Programas\iPod
2007-06-08 09:53 <DIR> d-------- C:\Programas\QuickTime
2007-06-05 10:34 1,184,664 --a------ C:\WINDOWS\system32\FreeImage.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

3007-06-18 07:44:14 223,128 ----a-w C:\WINDOWS\system32\drivers\dtscsi.sys
3007-06-18 07:40:29 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd5117.sys
3007-06-18 07:40:29 664,064 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
3006-09-23 00:33:55 -------- d-----w C:\Programas\OfficeUpdate11
2007-07-03 01:29:49 -------- d-----w C:\DOCUME~1\GATO\APPLIC~1\OpenOffice.org2
2007-07-03 01:12:00 -------- d--h--w C:\Programas\InstallShield Installation Information
2007-07-01 22:04:05 664 ----a-w C:\WINDOWS\system32\d3d9caps.dat
2007-07-01 10:36:17 77,312 ----a-w C:\WINDOWS\ua2.dll
2007-06-29 18:25:25 63,724 ----a-w C:\WINDOWS\system32\perfc016.dat
2007-06-29 18:25:25 427,728 ----a-w C:\WINDOWS\system32\perfh016.dat
2007-06-29 15:10:04 -------- d-----w C:\Programas\Norton SystemWorks
2007-06-29 15:09:04 -------- d-----w C:\Programas\Ficheiros comuns\Symantec Shared
2007-06-27 16:20:21 -------- d-----w C:\DOCUME~1\GATO\APPLIC~1\Skype
2007-06-21 00:15:21 158,416 ----a-w C:\DOCUME~1\GATO\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-06-19 12:51:41 -------- d-----w C:\Programas\EPSON
2007-06-17 16:57:54 8,384 ----a-w C:\WINDOWS\mozver.dat
2007-06-13 10:26:39 -------- d-----w C:\DOCUME~1\GATO\APPLIC~1\SPAMfighter
2007-06-08 08:48:02 -------- d-----w C:\Programas\Apple Software Update
2007-06-02 17:09:23 4,096 ----a-w C:\WINDOWS\system32\Ry4CoInst.dll
2007-06-02 17:09:23 22,016 ----a-w C:\WINDOWS\system32\drivers\Rockey4.sys
2007-06-02 17:09:23 12,928 ----a-w C:\WINDOWS\system32\drivers\Rockey4USB.sys
2007-05-29 23:44:41 -------- d-----w C:\Programas\MSN Messenger
2007-05-21 17:10:52 -------- d-----w C:\DOCUME~1\GATO\APPLIC~1\Opera
2007-05-20 16:21:55 -------- d-----w C:\Programas\vbSpec
2007-05-19 00:39:18 -------- d-----w C:\Programas\Ficheiros comuns\Adobe Systems Shared
2007-05-16 15:13:54 683,520 ------w C:\WINDOWS\system32\inetcomm.dll
2007-05-07 11:03:24 -------- d-----w C:\Programas\chrome
2007-05-03 14:08:00 -------- d-----w C:\DOCUME~1\GATO\APPLIC~1\Leadertech
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:21 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2004-08-04 07:57:03 47,983 --sha-r C:\WINDOWS\system32\atlhdeij.exe~
2004-08-04 07:57:03 91,615 --sha-r C:\WINDOWS\system32\sysqbjif.exe~


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=E:\Programas\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\programas\google\googletoolbar3.dll [2007-01-20 00:55]
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-25 16:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Programas\CyberLink\PowerDVD\PDVDServ.exe" [2003-12-08 17:35]
"ccApp"="C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe" [2006-11-21 18:38]
"Cmaudio"="cmicnfg.cpl" []
"LogitechVideoRepair"="C:\Programas\Logitech\Video\ISStart.exe" [2004-12-14 18:57]
"LogitechVideoTray"="C:\Programas\Logitech\Video\LogiTray.exe" [2004-12-14 18:51]
"TkBellExe"="C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" [2006-09-13 23:26]
"SunJavaUpdateSched"="E:\Programas\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"Adobe Photo Downloader"="E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe" [2007-06-19 09:21]
"Acrobat Assistant 8.0"="E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="E:\Programas\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"DAEMON Tools"="E:\Programas\DAEMON Tools\daemon.exe" [2005-11-08 23:00]
"lxcrmon.exe"="C:\Programas\Lexmark 2400 Series\lxcrmon.exe" [2006-03-06 18:48]
"EzPrint"="C:\Programas\Lexmark 2400 Series\ezprint.exe" [2006-02-07 06:10]
"FaxCenterServer"="C:\Programas\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 09:11]
"SPAMfighter Agent"="C:\Programas\SPAMfighter\SFAgent.exe" [2007-06-25 15:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"Free Download Manager"="E:\Programas\Free Download Manager\fdm.exe" []
"swg"="C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 16:55]
"dlcipscl"="C:\WINDOWS\system32\dcpavss.exe" []
"ascdps"="C:\WINDOWS\system32\itsdde.exe" []
"nvipctl"="C:\WINDOWS\system32\cligeqah.exe" []
"sysctlio"="C:\WINDOWS\system32\cligeqah.exe" []
"askdmme"="cmdorwkg.exe" []
"mstatdsa"="C:\WINDOWS\system32\cligeqah.exe" []
"msdlstat"="C:\WINDOWS\system32\smbssldp.exe" []
"rsalibz"="C:\WINDOWS\system32\cligeqah.exe" []
"drmconns"="C:\WINDOWS\system32\dlmmsers.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f5caafae-7d36-11db-b07a-0001e109929f}]
AutoRun\command- H:\LaunchU3.exe -a


Contents of the 'Scheduled Tasks' folder
2007-06-23 10:27:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 02:29:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-03 2:30:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-03 02:30

--- E O F ---


Once again, thank you. If I can ever be of any assistance to you on Bleeping (I can't imagine with what, but just the same), feel free to ask. Super cool site, super nice people. Best Regards.
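The ComboFix file listing above already gives the game away before any scanner names the files: the two `.exe~` entries are the only system32 files carrying system+hidden+read-only attributes, both were written in the same second, and both carry a 2004-08-04 timestamp (the Windows XP SP2 build date that the legitimate `ctfmon.exe` entry also shows) on a machine infected in 2007. The script below is an added example, not ComboFix's code or anything posted in the thread; it parses lines in the listing's format (timestamp, size, seven-character flag string, path), using my reading of the flags ('s' system, 'h' hidden, trailing 'r' read-only, leading 'd' directory), and flags entries that combine those signals. The sample input is constructed from the lines quoted above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a slice of the ComboFix "Files Created/Modified" listing
# from the thread (timestamp, size, attribute flags, path).
SAMPLE = r"""
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2004-08-04 07:57:03 47,983 --sha-r C:\WINDOWS\system32\atlhdeij.exe~
2004-08-04 07:57:03 91,615 --sha-r C:\WINDOWS\system32\sysqbjif.exe~
2007-05-03 14:08:00 -------- d-----w C:\DOCUME~1\GATO\APPLIC~1\Leadertech
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+"
    r"(?P<attrs>[-a-z]{7})\s+"
    r"(?P<path>\S.*?)\s*$"
)
# Executable-looking name with junk after the extension, e.g. "foo.exe~"
ODD_SUFFIX_RE = re.compile(r"\.(?:exe|dll|sys|scr|com)\W+$", re.I)


@dataclass
class Entry:
    ts: str
    size: Optional[int]   # None for directories ("--------")
    attrs: str            # flag string, e.g. "----a-w" or "--sha-r" (my reading, see lead-in)
    path: str


def parse(text: str) -> List[Entry]:
    """Parse ComboFix-style listing lines; anything else is skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        out.append(Entry(m["ts"], size, m["attrs"], m["path"]))
    return out


def triage(text: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for files that deserve a second look."""
    entries = parse(text)
    # How many files share each exact write second (droppers write siblings together).
    ts_count = Counter(e.ts for e in entries if not e.attrs.startswith("d"))
    findings: Dict[str, List[str]] = {}
    for e in entries:
        if e.attrs.startswith("d"):
            continue                                  # directories carry no payload here
        name = e.path.rsplit("\\", 1)[-1]
        reasons = []
        if "s" in e.attrs and "h" in e.attrs:
            reasons.append("hidden+system attributes")
        if ODD_SUFFIX_RE.search(name):
            reasons.append("executable extension followed by junk (%r)" % name[-1])
        if not reasons:
            continue                                  # need a primary signal first
        if e.attrs.endswith("r"):
            reasons.append("read-only")
        if "\\system32\\" in e.path.lower():
            reasons.append("lives in system32")
        if ts_count[e.ts] >= 2:
            reasons.append("same-second sibling(s)")
        findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage(SAMPLE).items():
        print(path, "->", "; ".join(why))
```

Run against the full listing the heuristic is a triage aid, not a verdict: vendor installers also write several files per second, so the attribute combination and the odd suffix carry most of the weight.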

#7 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 03 July 2007 - 02:28 PM

Hi there, thanks for the comments! :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Norton/Symantec can be a real pain to remove; the uninstaller fails, leaving leftovers all over the PC, which I imagine happened in your case. Norton has specific removal programs to help you get rid of their products.
Please download and save SymNRT.exe to your desktop.
Close all programs and double click on the tool.
Follow the on-screen instructions.

Restart the computer if asked.
Then delete the SymNRT.exe tool from your desktop.
Open the Program Files folder on your local disk ( normally C: )
Find and delete the following folders (if present):

C:\Programas\Ficheiros comuns\Symantec Shared
C:\Programas\Symantec
C:\Programas\Norton SystemWorks

You still have PrevX and Avast running at the same time.
As these are both real-time scanners, they will slow your PC to a crawl.
I recommend you remove one of them, if you haven't done so already, from Add/Remove Programs.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\atlhdeij.exe~
C:\WINDOWS\system32\sysqbjif.exe~
C:\WINDOWS\system32\dcpavss.exe
C:\WINDOWS\system32\itsdde.exe
C:\WINDOWS\system32\cligeqah.exe
C:\WINDOWS\system32\cligeqah.exe
C:\WINDOWS\system32\cligeqah.exe
C:\WINDOWS\system32\smbssldp.exe
C:\WINDOWS\system32\cligeqah.exe
C:\WINDOWS\system32\dlmmsers.exe
C:\WINDOWS\system32\cmdorwkg.exe


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.
When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.
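KillBox's "Delete on Reboot" and the "Pending File Rename Operations" prompt David mentions are one Windows mechanism: the paths are queued in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, as pairs of NT-style source path (`\??\C:\...`) and destination, where an empty destination means delete; the session manager works through the list at the next boot before anything can open the files. MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT appends to that same value, so nothing the malware holds open at runtime matters. The script below is an added example, not KillBox's code or anything from the thread: it takes the list David posted (cligeqah.exe appears four times because four Run values point at it, but the queue only needs it once), shows the registry payload shape, and on Windows queues the deletions through MoveFileExW, which needs an administrator session.

```python
import sys
from typing import List, Sequence

# Constructed input: the KillBox list from the post above, duplicates and all.
KILLBOX_LIST = r"""
C:\WINDOWS\system32\atlhdeij.exe~
C:\WINDOWS\system32\sysqbjif.exe~
C:\WINDOWS\system32\dcpavss.exe
C:\WINDOWS\system32\itsdde.exe
C:\WINDOWS\system32\cligeqah.exe
C:\WINDOWS\system32\cligeqah.exe
C:\WINDOWS\system32\cligeqah.exe
C:\WINDOWS\system32\smbssldp.exe
C:\WINDOWS\system32\cligeqah.exe
C:\WINDOWS\system32\dlmmsers.exe
C:\WINDOWS\system32\cmdorwkg.exe
"""

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4   # winbase.h flag for MoveFileEx


def dedupe_paths(text: str) -> List[str]:
    """Split a pasted list into unique paths, keeping first-seen order."""
    seen = set()
    out = []
    for line in text.splitlines():
        p = line.strip()
        key = p.lower()                 # NTFS paths compare case-insensitively
        if p and key not in seen:
            seen.add(key)
            out.append(p)
    return out


def pending_rename_entries(paths: Sequence[str]) -> List[str]:
    """Build the REG_MULTI_SZ payload the Session Manager reads at boot.

    Entries come in pairs: NT-style source path, then destination.
    An empty destination means "delete", which is all KillBox needs.
    """
    entries = []
    for p in paths:
        entries.append("\\??\\" + p)
        entries.append("")
    return entries


def queue_delete_on_reboot(paths: Sequence[str]) -> int:
    """On Windows, ask the kernel to delete each path at the next boot.

    MoveFileExW(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends to the existing
    PendingFileRenameOperations value instead of overwriting it. Needs admin.
    Returns how many paths were queued; 0 on non-Windows hosts.
    """
    if sys.platform != "win32":
        return 0
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.MoveFileExW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR, wintypes.DWORD]
    k32.MoveFileExW.restype = wintypes.BOOL
    queued = 0
    for p in paths:
        if k32.MoveFileExW(p, None, MOVEFILE_DELAY_UNTIL_REBOOT):
            queued += 1
        else:
            print("failed to queue %s: Win32 error %d" % (p, ctypes.get_last_error()))
    return queued


if __name__ == "__main__":
    unique = dedupe_paths(KILLBOX_LIST)
    for entry in pending_rename_entries(unique):
        print(repr(entry))
    print("queued:", queue_delete_on_reboot(unique))
```

Delete-on-reboot only removes the files; the HKCU Run values that launch them stay behind and must go separately (the HijackThis step later in the thread), otherwise the next logon at best complains about missing files and at worst re-drops them if any loader survived.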

#8 Terrau

  • Topic Starter
  • Members
  • 11 posts

Posted 04 July 2007 - 01:23 PM

Hi David,

Here they are. Watching the virus scan, I discovered I have hidden folders called RECYCLER with a subfolder in them called NPPROTECT. Do you know if this still has something to do with Norton? If so, should I delete them? Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 19:15:01, on 04-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
E:\Programas\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Programas\QuickTime\qttask.exe
E:\Programas\iTunes\iTunesHelper.exe
E:\Programas\DAEMON Tools\daemon.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
E:\Programas\SPAMfighter\SFAgent.exe


KASPERSKY ONLINE SCANNER REPORT
Wednesday, July 04, 2007 7:13:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 4/07/2007
Kaspersky Anti-Virus database records: 357977
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 117667
Number of viruses found: 15
Number of infected objects: 37
Number of suspicious objects: 4
Duration of the scan process: 03:09:26

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03955D58.tmp Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03A62652.tmp Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\13666BB1.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1397617B.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\169A3972.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1C4C2B3D.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CEC348D.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1CF327F1.dll Infected: not-virus:Hoax.Win32.Renos.ds skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D060470.tmp/[From ilkshop@netcabo.pt][Date Tue, 12 Dec 2006 20:59:47 +0000]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D060470.tmp/[From ilkshop@netcabo.pt][Date Tue, 12 Dec 2006 20:59:47 +0000]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D060470.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D060470.tmp CryptFF: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2373135B.ocx Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\27D92C37.exe Infected: Trojan.Win32.Small.fb skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2DF637CA.ocx Infected: Trojan-Downloader.Win32.Small.ddp skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\42540A46.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\44806E56.exe Infected: Trojan-Downloader.Win32.Tibs.ik skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\45E628BA.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\4FFE5F98.tmp Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\52FD6A4C.tmp Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\58205FDC.tmp Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5AF1168B.exe Infected: not-virus:Hoax.Win32.Renos.gs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\643A7326.tmp Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65E81E8F.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65E81E8F.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65E81E8F.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6B523787.exe Infected: Trojan-Downloader.Win32.Tibs.il skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6EE736F1.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6EE736F1.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6EE736F1.tmp CryptFF: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72902896.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.y skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72902896.tmp/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72902896.tmp/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72902896.tmp/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72902896.tmp NSIS: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\72902896.tmp CryptFF: infected - 4 skipped
C:\Documents and Settings\GATO\Ambiente de trabalho\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\GATO\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\cert8.db Object is locked skipped
C:\Documents and Settings\GATO\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\GATO\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\history.dat Object is locked skipped
C:\Documents and Settings\GATO\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\key3.db Object is locked skipped
C:\Documents and Settings\GATO\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\parent.lock Object is locked skipped
C:\Documents and Settings\GATO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Histórico\History.IE5\MSHist012007070420070705\index.dat Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\GATO\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\GATO\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\GATO\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F28178C1-820D-42F1-B72E-D0131F210644}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd5117.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\sysqbjif.exe~ Infected: Backdoor.Win32.SdBot.bgc skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_67c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\Twunk002.MTX Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Programas\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\Programas\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\Programas\SmitfraudFix.exe RarSFX: infected - 2 skipped
E:\Programas\SPAMfighter\Agent.log.txt Object is locked skipped
E:\Programas\SPAMfighter\Core.log.txt Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
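The headline figures in that report (15 viruses, 37 infected objects) overstate the live problem. Nearly every hit sits in Norton's quarantine folder, which will go with the Norton leftovers; the Reboot.exe hits are SmitfraudFix's own helper tripping a RiskTool signature, as cleaning tools often do; "Object is locked" lines are in-use files, not detections; and the ZIP/Mail/NSIS/CryptFF/RarSFX lines just roll up the hits inside a container. What is left is one live detection, C:\WINDOWS\system32\sysqbjif.exe~ (Backdoor.Win32.SdBot.bgc), one of the two --sha-r files from the ComboFix listing earlier in the thread. The script below is an added example, not from Kaspersky or the thread; it buckets report lines that way. The quarantine marker and the tool name are assumptions drawn from this machine's paths, and the sample input is constructed from lines quoted above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: a subset of the Kaspersky Online Scanner lines from the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03955D58.tmp Infected: Trojan-PSW.Win32.Small.bs skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\169A3972.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dt skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D060470.tmp/[From ilkshop@netcabo.pt][Date Tue, 12 Dec 2006 20:59:47 +0000]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\1D060470.tmp Mail: suspicious - 2 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65E81E8F.tmp/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\65E81E8F.tmp ZIP: infected - 1 skipped
C:\Documents and Settings\GATO\Ambiente de trabalho\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\GATO\Application Data\Mozilla\Firefox\Profiles\qbpiw6og.default\cert8.db Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\sysqbjif.exe~ Infected: Backdoor.Win32.SdBot.bgc skipped
E:\Programas\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
E:\Programas\SmitfraudFix.exe RarSFX: infected - 2 skipped
"""

DETECT_RE = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[A-Za-z]+): (?:infected|suspicious) - \d+ skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Assumption: hits under another product's quarantine were already neutralised by it.
QUARANTINE_MARKERS = ("\\norton antivirus\\quarantine\\",)
# Assumption: known cleaning tools whose helpers trip "not-a-virus" signatures by design.
KNOWN_TOOLS = ("smitfraudfix",)


def classify(report: str) -> Dict[str, List[Tuple[str, str]]]:
    """Bucket scanner result lines by what, if anything, still needs action."""
    buckets: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := LOCKED_RE.match(line)):
            buckets["locked"].append((m["path"], ""))          # in-use file, not a detection
        elif (m := DETECT_RE.match(line)):
            path, name = m["path"], m["name"]
            low = path.lower()
            if any(q in low for q in QUARANTINE_MARKERS):
                buckets["already_quarantined"].append((path, name))
            elif name.startswith(("not-a-virus:", "not-virus:")):
                tag = "known_tool" if any(t in low for t in KNOWN_TOOLS) else "pua"
                buckets[tag].append((path, name))
            else:
                buckets["live"].append((path, name))          # this is the real work list
        elif (m := CONTAINER_RE.match(line)):
            buckets["container_rollup"].append((m["path"], m["kind"]))  # repeats inner hits
        else:
            buckets["unparsed"].append((line, ""))            # surface format drift
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in classify(SAMPLE_REPORT).items():
        print("%-20s %d" % (bucket, len(items)))
    for path, name in classify(SAMPLE_REPORT).get("live", []):
        print("ACT ON:", path, name)
```

Anything that lands in "pua" or "unparsed" still wants a human look; the point of the buckets is to keep the one live backdoor from being buried under thirty quarantine entries.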

#9 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 July 2007 - 05:01 PM

The Hijackthis log was cut off, can you repost it please! :thumbsup:

#10 Terrau

  • Topic Starter
  • Members
  • 11 posts

Posted 05 July 2007 - 12:38 PM

Oops, sorry,

Logfile of HijackThis v1.99.1
Scan saved at 19:15:01, on 04-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
E:\Programas\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Programas\QuickTime\qttask.exe
E:\Programas\iTunes\iTunesHelper.exe
E:\Programas\DAEMON Tools\daemon.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
E:\Programas\SPAMfighter\SFAgent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.BIN
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.folha.uol.com.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C0CEB10A-ABC3-42E4-8C7D-9F1DD7D090FD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SPAMfighter Agent] "E:\Programas\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] E:\Programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKCU\..\Run: [nvipctl] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [askdmme] cmdorwkg.exe
O4 - HKCU\..\Run: [mstatdsa] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [msdlstat] C:\WINDOWS\system32\smbssldp.exe
O4 - HKCU\..\Run: [rsalibz] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Programas\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MonacoGamma.lnk = C:\Programas\Monaco Systems\MonacoEZcolor 2.5\MonacoGamma.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Post2Blog - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Post2Blog - {7E3D69D0-0D79-4E0C-9D68-7A6F9437B36B} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra 'Tools' menuitem: Post2Blog - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks

#11 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 06 July 2007 - 05:29 PM

Good work! Let's continue.. :thumbsup:

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {C0CEB10A-ABC3-42E4-8C7D-9F1DD7D090FD} - (no file)
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [ascdps] C:\WINDOWS\system32\itsdde.exe
O4 - HKCU\..\Run: [nvipctl] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [askmme] cmdorwkg.exe
O4 - HKCU\..\Run: [mstatdsa] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [msdlstat] C:\WINDOWS\system32\smbssldp.exe
O4 - HKCU\..\Run: [rsalibz] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [drmconns] C:\WINDOWS\system32\dlmmsers.exe

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINDOWS\system32\sysqbjif.exe~
C:\Documents and Settings\All Users\Application Data\Symantec <--folder

Reboot back into normal mode.

How is the PC running? Please post a new HijackThis log.
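The entries David picks out above show three patterns a responder looks for in a HijackThis log: several Run values launching the same executable (cligeqah.exe under four names), a Run value with a bare file name and no path (cmdorwkg.exe), and a BHO whose file no longer exists. As an added example that is not part of this thread, the script below reads O2/O4 lines (sample lines copied from the logs posted here) and surfaces exactly those patterns; the heuristics are the editor's and prompt review rather than give a verdict, and the script only reads log text, never the registry.

```python
# Added example, not part of the thread: offline triage of HijackThis
# O2/O4 lines. The three heuristics are the editor's, chosen to match the
# entries David asked to have fixed; they prompt review, not a verdict.
import re
from collections import defaultdict

# O4 - HKCU\..\Run: [nvipctl] C:\WINDOWS\system32\cligeqah.exe
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# O2 - BHO: (no name) - {C0CEB10A-...} - (no file)
O2_RE = re.compile(
    r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$')

# Sample lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C0CEB10A-ABC3-42E4-8C7D-9F1DD7D090FD} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [dlcipscl] C:\WINDOWS\system32\dcpavss.exe
O4 - HKCU\..\Run: [nvipctl] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [sysctlio] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [askmme] cmdorwkg.exe
O4 - HKCU\..\Run: [mstatdsa] C:\WINDOWS\system32\cligeqah.exe
O4 - HKCU\..\Run: [rsalibz] C:\WINDOWS\system32\cligeqah.exe
"""


def command_target(cmd):
    """Return the program an autorun command launches, without its arguments.

    Handles a quoted path followed by switches ("C:\\x y\\a.exe" -flag) and a
    bare command (C:\\WINDOWS\\system32\\a.exe, or a path-less cmdorwkg.exe).
    """
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ''


def parse_o4(line):
    """Split one O4 line into hive, key, value name, raw command and target."""
    m = O4_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['target'] = command_target(entry['cmd'])
    return entry


def triage(lines):
    """Group O4 entries by launched program and collect three kinds of findings."""
    by_target = defaultdict(list)   # lower-cased target -> value names
    orphaned_bhos = []
    for line in lines:
        line = line.strip()
        o4 = parse_o4(line)
        if o4:
            by_target[o4['target'].lower()].append(o4['name'])
            continue
        o2 = O2_RE.match(line)
        if o2 and o2.group('path') == '(no file)':
            # A BHO registration whose DLL is gone: harmless but dead weight,
            # and the first entry David asked to have fixed.
            orphaned_bhos.append(o2.group('clsid'))
    # Several value names all launching one binary (cligeqah.exe has four
    # in this thread) deserve a look as a group rather than one at a time.
    duplicates = {t: names for t, names in by_target.items() if len(names) > 1}
    # A bare file name relies on the search path. Legitimate entries such as
    # nwiz.exe /install match too, so this is a prompt to check, not a verdict.
    unqualified = sorted(t for t in by_target if '\\' not in t)
    return {'duplicates': duplicates,
            'unqualified': unqualified,
            'orphaned_bhos': orphaned_bhos}


if __name__ == '__main__':
    findings = triage(SAMPLE_LOG.splitlines())
    for target, names in findings['duplicates'].items():
        print(f'same binary under {len(names)} Run values: {target} <- {names}')
    print('path-less commands:', findings['unqualified'])
    print('BHOs with no file:', findings['orphaned_bhos'])
```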

#12 Terrau

  • Topic Starter
  • Members
  • 11 posts

Posted 10 July 2007 - 09:17 AM

Hi David,

The PC seems to be working fine, although each time I start it I still get a message that, in English, would go more or less like this (pardon the poor translation work):

A controller required by an application has failed to start: C:\PROGRA~1\SYMANTEC\S32EVNT1.dll. With a pair of buttons CLOSE / IGNORE

The HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:06:38, on 10-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
E:\Programas\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
C:\Programas\Logitech\Video\FxSvr2.exe
E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\System32\LVComsX.exe
C:\Programas\QuickTime\qttask.exe
E:\Programas\DAEMON Tools\daemon.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
E:\Programas\SPAMfighter\SFAgent.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
E:\Programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.BIN
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programas\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.folha.uol.com.br/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar3.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RemoteControl] C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Programas\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Programas\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "E:\Programas\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "E:\Programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SPAMfighter Agent] "E:\Programas\SPAMfighter\SFAgent.exe" update delay 60
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [iTunesHelper] "E:\Programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Download Manager] E:\Programas\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 2.0.lnk = E:\Programas\OpenOffice.org 2.0\program\quickstart.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MonacoGamma.lnk = C:\Programas\Monaco Systems\MonacoEZcolor 2.5\MonacoGamma.exe
O8 - Extra context menu item: Append to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Post2Blog - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Post2Blog - {7E3D69D0-0D79-4E0C-9D68-7A6F9437B36B} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - E:\Programas\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: (no name) - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra 'Tools' menuitem: Post2Blog - {E32C7587-150F-427E-9464-F227702A0E48} - E:\Programas\Post2Blog\post2blog_ie.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} - http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Thanks again

#13 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 10 July 2007 - 09:35 AM

Run HijackThis.
Click on Open the Misc Tools Section.
Then press Generate StartupList log, making sure that both boxes next to it are checked.
Select Yes at the prompt.
A Notepad file will open, and will automatically be saved in your HijackThis folder.
Paste this log in your next reply.

#14 Terrau

  • Topic Starter
  • Members
  • 11 posts

Posted 13 July 2007 - 08:24 AM

Hi David,

Here is the report. Something I noticed is that the date keeps adding 1000 (a thousand) years; I must reset it to 2007. It sometimes happens more than once a day, sometimes doesn't happen at all. I tried to figure out if it happened with a particular program or routine, but it seems to happen randomly.

StartupList report, 13-07-2007, 14:16:32
StartupList version: 1.52.2
Started from : C:\HijackThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v7.00 (7.00.6000.16473)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Programas\Logitech\Video\LogiTray.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
E:\Programas\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Logitech\Video\FxSvr2.exe
E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe
C:\WINDOWS\System32\LVComsX.exe
E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\QuickTime\qttask.exe
E:\Programas\DAEMON Tools\daemon.exe
C:\Programas\Lexmark 2400 Series\lxcrmon.exe
C:\Programas\Lexmark 2400 Series\ezprint.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\nvsvc32.exe
E:\Programas\SPAMfighter\SFAgent.exe
E:\Programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.exe
E:\Programas\OpenOffice.org 2.0\program\soffice.BIN
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\iPod\bin\iPodService.exe
E:\Programas\Soulseek\slsk.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\GATO\Menu Iniciar\Programas\Arranque]
Adobe Gamma.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
OpenOffice.org 2.0.lnk = E:\Programas\OpenOffice.org 2.0\program\quickstart.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque]
Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
MonacoGamma.lnk = C:\Programas\Monaco Systems\MonacoEZcolor 2.5\MonacoGamma.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

RemoteControl = C:\Programas\CyberLink\PowerDVD\PDVDServ.exe
Cmaudio = RunDll32 cmicnfg.cpl,CMICtrlWnd
LogitechVideoRepair = C:\Programas\Logitech\Video\ISStart.exe
LogitechVideoTray = C:\Programas\Logitech\Video\LogiTray.exe
TkBellExe = "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = "E:\Programas\Java\jre1.6.0_01\bin\jusched.exe"
avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
Adobe Photo Downloader = "E:\Programas\Adobe\Adobe Photoshop Lightroom 1.1\apdproxy.exe"
Acrobat Assistant 8.0 = "E:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
nwiz = nwiz.exe /install
QuickTime Task = "C:\Programas\QuickTime\qttask.exe" -atboottime
DAEMON Tools = "E:\Programas\DAEMON Tools\daemon.exe" -lang 1033
lxcrmon.exe = "C:\Programas\Lexmark 2400 Series\lxcrmon.exe"
EzPrint = "C:\Programas\Lexmark 2400 Series\ezprint.exe"
FaxCenterServer = "C:\Programas\Lexmark Fax Solutions\fm3032.exe" /s
SPAMfighter Agent = "E:\Programas\SPAMfighter\SFAgent.exe" update delay 60
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

CTFMON.EXE = C:\WINDOWS\system32\ctfmon.exe
Free Download Manager = E:\Programas\Free Download Manager\fdm.exe -autorun
swg = C:\Programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[optionalcomponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

[AdobeUpdater]
=

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\system32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}] *
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\system32\ie4uinit.exe -BaseSettings

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Editor de registo'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - E:\Programas\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - c:\programas\google\googletoolbar3.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - E:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll - {AE7CD045-E861-484f-8273-0445EE161910}
(no name) - C:\Programas\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}

--------------------------------------------------

Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/D/0...D0C/wmv9dmo.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[{B020B534-4AA2-4B99-BD6D-5F6EE286DF5C}]
CODEBASE = http://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab

[Java Plug-in 1.5.0_06]
InProcServer32 = E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.5.0_09]
InProcServer32 = E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = E:\Programas\Java\jre1.6.0_01\bin\ssv.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Java Plug-in 1.6.0_01]
InProcServer32 = E:\Programas\Java\jre1.6.0_01\bin\npjpi160_01.dll
CODEBASE = http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
NameSpace #4: C:\WINDOWS\System32\nwprovau.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
Protocol #20: C:\WINDOWS\system32\mswsock.dll
Protocol #21: C:\WINDOWS\system32\mswsock.dll
Protocol #22: C:\WINDOWS\system32\mswsock.dll
Protocol #23: C:\WINDOWS\system32\mswsock.dll
Protocol #24: C:\WINDOWS\system32\mswsock.dll
Protocol #25: C:\WINDOWS\system32\mswsock.dll
Protocol #26: C:\WINDOWS\system32\mswsock.dll
Protocol #27: C:\WINDOWS\system32\mswsock.dll
Protocol #28: C:\WINDOWS\system32\mswsock.dll
Protocol #29: C:\WINDOWS\system32\mswsock.dll
Protocol #30: C:\WINDOWS\system32\mswsock.dll
Protocol #31: C:\WINDOWS\system32\mswsock.dll
Protocol #32: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Controlador ACPI da Microsoft: System32\DRIVERS\ACPI.sys (system)
Adobe LM Service: "C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe" (manual start)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
Ambiente de suporte com funcionalidades de rede AFD: \SystemRoot\System32\drivers\afd.sys (system)
Filtro de barramento Intel AGP: System32\DRIVERS\agp440.sys (system)
Alerta: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Serviço de gateway de camada de aplicação: %SystemRoot%\System32\alg.exe (manual start)
AmeLanPc: System32\DRIVERS\AmeLanPc.sys (manual start)
Apple Mobile Device: "C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe" (autostart)
Gestão de aplicações: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
Protocolo de cliente ARP 1394: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
avast! iAVS4 Control Service: "C:\Programas\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
Controlador de média assíncrono de RAS: System32\DRIVERS\asyncmac.sys (manual start)
Controlador de disco rígido IDE/ESDI padrão: System32\DRIVERS\atapi.sys (system)
ATM - protocolo para cliente ARP: System32\DRIVERS\atmarpc.sys (manual start)
Áudio do Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controladores de stub de áudio: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Programas\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Serviço de transferência inteligente em fundo: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Browser de computador: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Descodificador de captura fechada: System32\DRIVERS\CCDECODE.sys (manual start)
Controlador de CD-ROM: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (disabled)
C-Media WDM Audio Interface: system32\drivers\cmuda.sys (manual start)
Aplicação de sistema COM+: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
CO_Mon: \??\C:\WINDOWS\system32\Drivers\CO_Mon.sys (manual start)
Serviços criptográficos: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DCOM - Lançador de processo de servidor: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Cliente DHCP: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controlador de disco: System32\DRIVERS\disk.sys (system)
Serviço administrativo de gestão de discos lógicos: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Controlador do gestor de disco lógico: System32\drivers\dmio.sys (system)
dmload: System32\drivers\dmload.sys (system)
Gestor de discos lógicos: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft - sintetizador Kernel DSL: system32\drivers\DMusic.sys (manual start)
Cliente DNS: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Descrambler Filter: system32\drivers\drmkaud.sys (manual start)
dtscsi: \SystemRoot\System32\Drivers\dtscsi.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Registo de eventos: %SystemRoot%\system32\services.exe (autostart)
Sistema de eventos do COM+: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
Compatibilidade de 'Mudança rápida de utilizador': %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Controlador de disquete: System32\DRIVERS\fdc.sys (manual start)
FLEXnet Licensing Service: "C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" (manual start)
Controlador de unidades de disquetes: System32\DRIVERS\flpydisk.sys (manual start)
FltMgr: system32\drivers\fltmgr.sys (system)
Controlador do gestor de volume: System32\DRIVERS\ftdisk.sys (system)
GEARAspiWDM: System32\Drivers\GEARAspiWDM.sys (manual start)
gmer: System32\DRIVERS\gmer.sys (manual start)
Classificador de pacotes genérico: System32\DRIVERS\msgpc.sys (manual start)
Google Updater Service: "C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe" (manual start)
Ajuda e suporte: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controlador de classe HID da Microsoft: System32\DRIVERS\hidusb.sys (manual start)
HTTP: System32\Drivers\HTTP.sys (manual start)
SSL de HTTP: %SystemRoot%\System32\svchost.exe -k HTTPFilter (manual start)
Controlador de porta de teclado i8042 e de rato PS/2: System32\DRIVERS\i8042prt.sys (system)
Controlador de filtro de gravação de CD: System32\DRIVERS\imapi.sys (system)
Serviço COM de gravação de CD de IMAPI: C:\WINDOWS\System32\imapi.exe (manual start)
Controlador de processador Intel: System32\DRIVERS\intelppm.sys (system)
Controlador de IPv6 do Firewall do Windows: system32\drivers\ip6fw.sys (manual start)
Controlador de filtração de tráfego IP: System32\DRIVERS\ipfltdrv.sys (manual start)
Controlador de túnel IP-em-IP: System32\DRIVERS\ipinip.sys (manual start)
Tradutor de endereços de rede IP: System32\DRIVERS\ipnat.sys (manual start)
iPod Service: C:\Programas\iPod\bin\iPodService.exe (manual start)
Controlador IPSEC: System32\DRIVERS\ipsec.sys (system)
Serviço enumerador IR: System32\DRIVERS\irenum.sys (manual start)
Controlador de barramento PnP ISA/EISA: System32\DRIVERS\isapnp.sys (system)
Controlador de classe de teclado: System32\DRIVERS\kbdclass.sys (system)
Controlador HID de teclado: system32\DRIVERS\kbdhid.sys (system)
Microsoft - misturador de áudio Kernel Wave: system32\drivers\kmixer.sys (manual start)
Servidor: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Estação de trabalho: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Programa auxiliar TCP/IP NetBIOS: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech USB Monitor Filter: system32\drivers\lvusbsta.sys (manual start)
lxcr_device: C:\WINDOWS\system32\lxcrcoms.exe -service (manual start)
Mensageiro: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Partilha remota do ambiente de trabalho do NetMeeting: C:\WINDOWS\System32\mnmsrvc.exe (disabled)
Controlador de classe de rato: System32\DRIVERS\mouclass.sys (system)
Controlador HID de rato: System32\DRIVERS\mouhid.sys (manual start)
Redireccionador de cliente WebDav: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
DTC (Coordenador de transacções distribuídas): C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Proxy da Microsoft para serviços de fluxo: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Proxy da Microsoft para gestão de qualidade de fluxo: system32\drivers\MSPQM.sys (manual start)
Controlador BIOS Microsoft System Management: System32\DRIVERS\mssmbios.sys (manual start)
Conversor da Microsoft para fluxos Tee/Sink-to-Sink: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
Ligação de TV/Vídeo Microsoft: System32\DRIVERS\NdisIP.sys (manual start)
Controlador TAPI NDIS de acesso remoto: System32\DRIVERS\ndistapi.sys (manual start)
Protocolo E/S de modo de utilizador NDIS: System32\DRIVERS\ndisuio.sys (manual start)
Controlador WAN NDIS de acesso remoto: System32\DRIVERS\ndiswan.sys (manual start)
Interface de NetBIOS: System32\DRIVERS\netbios.sys (system)
NetBios através de Tcpip: System32\DRIVERS\netbt.sys (system)
Rede DDE: %SystemRoot%\system32\netdde.exe (disabled)
Rede DDE DSDM: %SystemRoot%\system32\netdde.exe (disabled)
Início de sessão de rede: %SystemRoot%\System32\lsass.exe (manual start)
Ligações de rede: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Identificação da localização na rede (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (disabled)
Armazenamento amovível: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
NVIDIA Display Driver Service: %SystemRoot%\system32\nvsvc32.exe (autostart)
Controlador de filtração de tráfego IPX: System32\DRIVERS\nwlnkflt.sys (manual start)
Controlador de reencaminhamento de tráfego IPX: System32\DRIVERS\nwlnkfwd.sys (manual start)
NWLink - protocolo de transporte compatível com IPX/SPX/NetBIOS: system32\DRIVERS\nwlnkipx.sys (autostart)
NetBIOS de NWLink: system32\DRIVERS\nwlnknb.sys (autostart)
NWLink - protocolo SPX/SPXII: system32\DRIVERS\nwlnkspx.sys (autostart)
Controlador anfitrião VIA OHCI compatível com IEEE 1394: System32\DRIVERS\ohci1394.sys (system)
Controlador de porta paralela: System32\DRIVERS\parport.sys (manual start)
Controlador de barramento PCI: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Labtec WebCam(PID_0928): System32\DRIVERS\LV561AV.SYS (manual start)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Serviços IPSEC: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Controlador do processador: System32\DRIVERS\processr.sys (system)
Armazenamento protegido: %SystemRoot%\system32\lsass.exe (autostart)
Agendador de pacotes QoS: System32\DRIVERS\psched.sys (manual start)
Controlador de ligações directas por porta paralela: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\Drivers\PxHelp20.sys (system)
Controlador de ligação automática de acesso remoto: System32\DRIVERS\rasacd.sys (system)
Gestor de ligação automática de acesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Gestor de ligação de acesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Controlador de acesso remoto PPPOE: System32\DRIVERS\raspppoe.sys (manual start)
Paralelo directo: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Controlador de redireccionador de dispositivo de servidor de terminais: System32\DRIVERS\rdpdr.sys (manual start)
Gestor de sessões de ajuda do 'Ambiente de trabalho remoto': C:\WINDOWS\system32\sessmgr.exe (manual start)
Controlador de filtro de reprodução de áudio digital de CD: System32\DRIVERS\redbook.sys (system)
Encaminhamento e acesso remoto: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Registo remoto: %SystemRoot%\system32\svchost.exe -k LocalService (disabled)
Feitian ROCKEY4 Device Service: system32\DRIVERS\Rockey4.sys (manual start)
Localizador RPC (Remote Procedure Call): %SystemRoot%\System32\locator.exe (manual start)
Chamada de procedimento remoto (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Controlador NT de placa Fast Ethernet baseada na Realtek RTL8139(A/B/C): System32\DRIVERS\RTL8139.SYS (manual start)
Gestor de contas de segurança: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Programador de tarefas: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Início de sessão secundário: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notificação de evento de sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
seqcal: system32\drivers\seqcal.sys (manual start)
Controlador de filtro Serenum: System32\DRIVERS\serenum.sys (manual start)
Controlador de porta série: System32\DRIVERS\serial.sys (system)
StarForce Protection Environment Driver (version 1.x): System32\drivers\sfdrv01.sys (system)
StarForce Protection Helper Driver (version 2.x): System32\drivers\sfhlp02.sys (system)
StarForce Protection Synchronization Driver (version 3.x): System32\drivers\sfsync03.sys (system)
Internet Connection Sharing: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Detecção de hadrware da shell: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
BDA Slip De-Framer: System32\DRIVERS\SLIP.sys (manual start)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Spooler de impressão: %SystemRoot%\system32\spoolsv.exe (autostart)
sptd: System32\Drivers\sptd.sys (system)
Controlador do filtro de restauro do sistema: \SystemRoot\System32\DRIVERS\sr.sys (disabled)
Serviço de 'Restauro do sistema': %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
Serviço de identificação SSDP: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
BDA IPSink: System32\DRIVERS\StreamIP.sys (manual start)
Controlador de barramento por software: System32\DRIVERS\swenum.sys (manual start)
Microsoft - sintetizador Kernel GS Wavetable: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{DA43FE39-28EC-431E-9027-9D8D66BDD84D} (manual start)
symlcbrd: \??\C:\WINDOWS\System32\drivers\symlcbrd.sys (autostart)
Microsoft - dispositivo de áudio do kernel do sistema: system32\drivers\sysaudio.sys (manual start)
Alertas e registos de desempenho: %SystemRoot%\system32\smlogsvc.exe (disabled)
Dispositivos telefónicos: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Controlador do protocolo TCP/IP: System32\DRIVERS\tcpip.sys (system)
Controlador de dispositivo de terminal: System32\DRIVERS\termdd.sys (system)
Serviços de terminal: %SystemRoot%\System32\svchost -k DComLaunch (manual start)
Temas: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Telnet: C:\WINDOWS\System32\tlntsvr.exe (disabled)
Cliente de Distributed Link Tracking: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Controlador de actualização microcódigo: System32\DRIVERS\update.sys (manual start)
Anfitrião de dispositivos Universal Plug and Play: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 - controlador Miniport de anfitrião melhorado: System32\DRIVERS\usbehci.sys (manual start)
Controlador de concentrador padrão USB da Microsoft: System32\DRIVERS\usbhub.sys (manual start)
Classe de impressoras USB Microsoft: System32\DRIVERS\usbprint.sys (manual start)
Controlador de scanner USB: system32\DRIVERS\usbscan.sys (manual start)
Controlador de armazenamento de massa USB: System32\DRIVERS\USBSTOR.SYS (manual start)
Controlador miniport do controlador Microsoft USB universal: System32\DRIVERS\usbuhci.sys (manual start)
Aolynk ADSL Router: system32\DRIVERS\usb8023.sys (manual start)
Pastas Partilhadas do Messenger - USN Journal Reader Service: "C:\Programas\MSN Messenger\usnsvc.exe" (manual start)
VGA - controlador de visualização.: \SystemRoot\System32\drivers\vga.sys (system)
Cópia sombra de volume: %SystemRoot%\System32\vssvc.exe (manual start)
Hora do Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Controlador ARP IP de acesso remoto: System32\DRIVERS\wanarp.sys (manual start)
Microsoft - controlador de compatibilidade áudio WINMM WDM: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
WMI (Instrumento de gestão do Windows): %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Serviço do número de série de leitores de multimédia portáteis: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Extens. contr. da Windows Management Instrumentation: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Adaptador de desempenho WMI: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Serviço de Partilha de Rede do Windows Media Player: "C:\Programas\Windows Media Player\WMPNetwk.exe" (manual start)
Centro de segurança: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
World Standard Teletext Codec: System32\DRIVERS\WSTCODEC.SYS (manual start)
Actualizações automáticas: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Windows Driver Foundation - User-mode Driver Framework Platform Driver: system32\DRIVERS\WudfPf.sys (manual start)
Windows Driver Foundation - User-mode Driver Framework: %SystemRoot%\system32\svchost.exe -k WudfServiceGroup (manual start)
Configuração zero sem fios: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Serviço de fornecimento de rede: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)


--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

*No values found*

--------------------------------------------------

End of report, 39.122 bytes
Report generated in 0,282 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

#15 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:36 AM

Posted 19 July 2007 - 04:12 AM

I see a clean log here, there are no signs of malware or anything that may cause the error problems you are having. I recommend that you post your question in the following forum as you will receive better help there. Let them know you have had your HijackThis log checked, and it isn't a serious security issue.
Windows XP Home and Professional



