Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Removal of 3077ahntdksr.dll virus (Vundo) - HELP! [CLOSED]

Started by salves , Jul 13 2008 05:50 PM

  • This topic is locked This topic is locked

#1
salves
Posted 13 July 2008 - 05:50 PM

salves

    New Member

  • Member
  • Pip
  • 4 posts
Hi,

First, sorry about my english.

I was having some problem with the file 3077ahntdksr.dll wich was blocking various sites including google, gmail, and a lot more. I found this forum and think that here´s the best place for help.

I did the initial steps and now my PC looks better, but would like to be sure that the problem is gone.

A detail is that after installing SUPERAntiSpyware my computer started to crash (Blue Screen) in the logon screen with the error STOP: c000021a 0x0000005 (0x00000000 0x00000000), so I uninstalled it and the crash apperars to be gone too.

Thanks a Lot!!!

Here are the logs in order:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48, on 2008-07-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Intel\IDU\awServ.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\ARQUIV~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Arquivos de programas\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Eset\nod32kui.exe
C:\Arquivos de programas\Intel\IDU\iptray.exe
C:\Arquivos de programas\Intel\IDU\awtray.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ipTray.exe] "C:\Arquivos de programas\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [awTray.exe] "C:\Arquivos de programas\Intel\IDU\awtray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194870207015
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Arquivos de programas\Intel\IDU\awServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10656 bytes

#####################################

Malwarebytes' Anti-Malware 1.20
Database version: 941
Windows 5.1.2600 Service Pack 2

21:13:02 2008-07-11
mbam-log-7-11-2008 (21-13-02).txt

Scan type: Quick Scan
Objects scanned: 42432
Time elapsed: 3 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\hcgbvclo.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\vtUlKcYp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\njayylms.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\urqQjGAq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jqitehxe.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{926d0c41-7ea3-40d4-a51e-7e0767e5861a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{926d0c41-7ea3-40d4-a51e-7e0767e5861a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqqjgaq (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c2fc9f5e-2913-4de3-9f1e-8a6fb8f82f6f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2fc9f5e-2913-4de3-9f1e-8a6fb8f82f6f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14ca65d4 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm17f95648 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtulkcyp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtulkcyp -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\vtUlKcYp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pYcKlUtv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pYcKlUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hcgbvclo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\olcvbgch.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njayylms.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\urqQjGAq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jqitehxe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gqjbyfmv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qnumdwqt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17f95648.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17f95648.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

#####################################

SUPERAntiSpyware Scan Log
Generated 07/11/2008 at 11:24 PM

Application Version : 3.6.1000

Core Rules Database Version : 3503
Trace Rules Database Version: 1494

Scan type : Complete Scan
Total Scan Time : 01:58:40

Memory items scanned : 545
Memory threats detected : 0
Registry items scanned : 7277
Registry threats detected : 0
File items scanned : 156510
File threats detected : 0

#####################################

ComboFix 08-07-11.1 - admin 2008-07-12 14:59:52.7 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1766 [GMT -3:00]
Executando de: C:\Documents and Settings\admin\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\hcgbvclo.dll
C:\WINDOWS\system32\jqitehxe.dll
C:\WINDOWS\system32\njayylms.dll
C:\WINDOWS\system32\pYcKlUtv.ini
C:\WINDOWS\system32\urqQjGAq.dll
C:\WINDOWS\system32\vtUlKcYp.dll

.
((((((((((((((((((((((( Ficheiros criados de 2008-06-12 to 2008-07-12 ))))))))))))))))))))))))))))))))
.

2008-07-12 14:25 . 2008-07-12 14:25 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-07-12 14:13 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-12 14:12 . 2001-09-05 23:50 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-07-12 14:11 . 2004-08-04 00:45 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-07-12 14:10 . 2004-08-04 00:45 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-07-12 14:09 . 2001-08-17 21:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-07-12 14:08 . 2001-09-05 23:49 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-07-12 14:07 . 2001-08-17 20:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-07-12 14:06 . 2001-09-05 23:17 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-07-12 14:05 . 2004-08-04 00:45 870,784 --a--c--- C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2008-07-12 14:04 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-07-12 13:33 . 2008-07-12 13:38 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-11 21:19 . 2008-07-11 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com
2008-07-11 21:19 . 2008-07-11 21:19 <DIR> d-------- C:\Documents and Settings\admin\Dados de aplicativos\SUPERAntiSpyware.com
2008-07-11 21:19 . 2008-07-11 21:24 <DIR> d-------- C:\Arquivos de programas\SUPERAntiSpyware
2008-07-11 21:19 . 2008-07-11 21:19 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-07-11 21:07 . 2008-07-11 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes
2008-07-11 21:07 . 2008-07-11 21:07 <DIR> d-------- C:\Documents and Settings\admin\Dados de aplicativos\Malwarebytes
2008-07-11 21:07 . 2008-07-11 21:07 <DIR> d-------- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2008-07-11 21:07 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-11 21:07 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-11 19:35 . 2008-07-11 19:35 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Ipswitch
2008-07-09 22:08 . 2008-06-20 07:45 360,320 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2008-07-09 22:08 . 2008-06-20 07:45 360,320 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-07-09 22:08 . 2008-06-20 06:52 225,920 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2008-07-09 22:08 . 2008-06-20 06:52 225,920 --a--c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-07-09 22:08 . 2008-06-20 07:44 138,368 --a------ C:\WINDOWS\system32\drivers\afd.sys
2008-07-09 22:08 . 2008-06-20 07:44 138,368 --a--c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-07-08 02:03 . 2008-07-08 02:03 <DIR> d-------- C:\Arquivos de programas\Thegrideon Software
2008-07-08 01:40 . 2008-07-08 01:40 <DIR> d-------- C:\Documents and Settings\admin\Dados de aplicativos\Intelore
2008-07-08 01:40 . 2008-07-08 01:53 <DIR> d-------- C:\Arquivos de programas\Intelore
2008-07-04 01:14 . 2008-07-04 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\IT Evolution
2008-07-04 01:13 . 2008-07-04 01:13 103,424 --a------ C:\WINDOWS\system32\Tradezone.Lib.Delivery.HTTP.Client_nat.dll
2008-07-04 01:08 . 2008-07-04 01:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-04 01:08 . 2008-07-04 01:08 <DIR> d-------- C:\Arquivos de programas\Reference Assemblies
2008-07-04 01:08 . 2008-07-04 01:08 <DIR> d-------- C:\Arquivos de programas\MSBuild
2008-07-04 01:07 . 2008-07-04 01:07 <DIR> d-------- C:\Arquivos de programas\MSXML 6.0
2008-07-04 01:07 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-28 23:21 . 2008-06-28 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\vsosdk
2008-06-28 21:57 . 2008-06-28 21:57 <DIR> d-------- C:\Arquivos de programas\VSO
2008-06-28 21:57 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-06-28 21:57 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-06-28 21:57 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-06-28 21:57 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-06-28 21:57 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-06-28 21:57 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-06-28 21:57 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-06-28 21:48 . 2008-07-09 18:47 <DIR> d-------- C:\Documents and Settings\admin\Dados de aplicativos\Vso
2008-06-28 21:48 . 2008-06-28 21:58 87,608 --a------ C:\Documents and Settings\admin\Dados de aplicativos\inst.exe
2008-06-28 21:48 . 2008-06-28 21:58 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-28 21:48 . 2008-06-28 21:58 47,360 --a------ C:\Documents and Settings\admin\Dados de aplicativos\pcouffin.sys
2008-06-28 19:32 . 2008-06-28 19:32 <DIR> d-------- C:\Arquivos de programas\Gabest
2008-06-12 19:09 . 2008-06-14 14:59 272,384 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 19:09 . 2008-06-14 14:59 272,384 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 23:45 --------- d-----w C:\Documents and Settings\admin\Dados de aplicativos\Skype
2008-07-11 19:48 --------- d-----w C:\Documents and Settings\admin\Dados de aplicativos\Azureus
2008-07-11 15:48 --------- d-----w C:\Arquivos de programas\Azureus
2008-07-07 03:03 --------- d-----w C:\Documents and Settings\admin\Dados de aplicativos\skypePM
2008-07-04 04:13 --------- d-----w C:\Arquivos de programas\TradeZone
2008-06-07 00:42 --------- d-----w C:\Arquivos de programas\lockxls
2008-05-21 17:23 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2008-05-13 19:57 --------- d-----w C:\Arquivos de programas\Equis
2007-11-27 15:07 32 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\ezsid.dat
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]
"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-11-12 14:48 21760296]
"SUPERAntiSpyware"="C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"PC Suite Tray"="C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 09:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Arquivos de programas\Eset\nod32kui.exe" [2007-11-12 10:39 949376]
"ipTray.exe"="C:\Arquivos de programas\Intel\IDU\iptray.exe" [2005-12-02 16:50 1687552]
"awTray.exe"="C:\Arquivos de programas\Intel\IDU\awtray.exe" [2005-12-01 10:59 1305600]
"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 21:57 30208]
"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 10:09 49152]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Acrobat Assistant 7.0"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12 483328]
"HP Software Update"="C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 10:18 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2008-04-28 18:22 155648]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:45 159744]
"Atalho para a Página de Propriedades do High Definition Audio"="HDAudPropShortcut.exe" [2004-03-17 14:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 23:27 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 21:20 2557952 C:\WINDOWS\ALCWZRD.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]
"Nokia.PCSync"="C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 16:35 1294336]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= "C:\Arquivos de programas\GbPlugin\gbiehabn.dll" [2007-10-30 15:43 339888]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Arquivos de programas\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginAbn]
2007-10-30 15:43 339888 C:\Arquivos de programas\GbPlugin\gbiehabn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-02-27 11:39 1310720 C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"C:\\Arquivos de programas\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:IDU Service UDP Port
"2804:TCP"= 2804:TCP:IDU Service TCP Port

S1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-11-11 13:51]
S2 GenPort;GenPort;C:\WINDOWS\system32\drivers\GenPort.sys [1998-04-01 02:11]
S2 MSSEARCH;Microsoft Search;C:\Arquivos de programas\Arquivos comuns\System\MSSearch\Bin\mssearch.exe [2002-12-04 11:52]
S2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 15:58]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 19:17]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []

.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-RegistryMechanic - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 15:13:10
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializ veis ocultas ...

Procurando ficheiros ocultos ...


**************************************************************************
.
Tempo para conclusÆo: 2008-07-12 15:22:28
ComboFix-quarantined-files.txt 2008-07-12 18:21:25

Pre-Run: 68,811,300,864 bytes disponíveis
Post-Run: 68,681,195,520 bytes dispon¡veis

176 --- E O F --- 2008-07-12 17:25:44

Thanks a Lot!!!

Edited by salves, 13 July 2008 - 06:42 PM.

  • 0

Advertisements

#2
Lusitano
Posted 17 July 2008 - 04:29 AM

Lusitano

    Trusted Helper

  • Malware Removal
  • 525 posts

First, sorry about my english.


Hello,

No problem. Pode ser em Português :)

1. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


2. Please do an online scan with Kaspersky WebScanner

Click on Posted Image

You will be prompted to install an ActiveX component from Kaspersky, Click Posted Image
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on Posted Image
  • Now click on Posted Image
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click Posted Image
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post, along whit a new HijackThis log. Also let me know how i your computer its running.

  • 0

#3
salves
Posted 18 July 2008 - 06:37 AM

salves

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks for helping me Lusitano.

Ran the ATF Cleaner.

The Kaspersky Online Scanner took a long time (more than 5 hours) and did not finished, so I installed the Kaspersky locally, but it didn´t find anything.

I used to have the NOD32, but uninstalled for running Kaspersky. Which one is better? As I can see, NOD32 is fastter than Kasper. Kasper takes a long time at the startup.

I also would like another firewall solution than Zone Alarm, any suggestion?

Thanks again!!!

Here´s the Hijack Log (my PC is running much better now):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:24, on 2008-07-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\Intel\IDU\awServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Intel\IDU\iptray.exe
C:\Arquivos de programas\Intel\IDU\awtray.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\ARQUIV~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\System\MSSearch\Bin\mssearch.exe
C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ipTray.exe] "C:\Arquivos de programas\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [awTray.exe] "C:\Arquivos de programas\Intel\IDU\awtray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194870207015
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Arquivos de programas\Intel\IDU\awServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10317 bytes
  • 0

#4
Lusitano
Posted 19 July 2008 - 02:59 AM

Lusitano

    Trusted Helper

  • Malware Removal
  • 525 posts

I used to have the NOD32, but uninstalled for running Kaspersky. Which one is better?

Both are very good. My choice its NOD32 :)

I also would like another firewall solution than Zone Alarm, any suggestion?

Good choices for free firewalls are:
Online Armor
and
Kerio


Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide

    Reenable system restore with instructions from tutorial above

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an antivirus software.

    A tutorial on installing & using this product can be found here:

    Using Spybot - Search & Destroy to remove Spyware , Malware, and Hijackers

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Read the TonyKlein's good advice: So how did I get infected in the first place?

  • Also visit the Secunia Software Inspector

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software

Glad i was able to help and please let me know if you still need assistence.Posted Image
  • 0

#5
salves
Posted 20 July 2008 - 04:44 PM

salves

    New Member

  • Topic Starter
  • Member
  • Pip
  • 4 posts
Thanks Lusitano, I think it´s resolved, but now my startup process is extremally slow after the logon screen. Don´t know if it´s a virus or malware problem, but if you have any clue, I´ll be glad!
  • 0

#6
Lusitano
Posted 21 July 2008 - 08:54 AM

Lusitano

    Trusted Helper

  • Malware Removal
  • 525 posts
Hi,

Please ask for help on the others areas forum.

Thanks :)
  • 0

#7
Lusitano
Posted 24 July 2008 - 04:28 AM

Lusitano

    Trusted Helper

  • Malware Removal
  • 525 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP