First, sorry about my English.
I was having some problem with the file 3077ahntdksr.dll which was blocking various sites including Google, Gmail, and a lot more. I found this forum and think that this is the best place for help.
I did the initial steps and now my PC looks better, but I would like to be sure that the problem is gone.
A detail is that after installing SUPERAntiSpyware my computer started to crash (Blue Screen) in the logon screen with the error STOP: c000021a 0x0000005 (0x00000000 0x00000000), so I uninstalled it and the crash appears to be gone too.
Thanks a Lot!!!
Here are the logs in order:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:48, on 2008-07-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Intel\IDU\awServ.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\ARQUIV~1\MICROS~3\MSSQL\binn\sqlservr.exe
C:\Arquivos de programas\Eset\nod32krn.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\System\MSSearch\Bin\mssearch.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Eset\nod32kui.exe
C:\Arquivos de programas\Intel\IDU\iptray.exe
C:\Arquivos de programas\Intel\IDU\awtray.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\ALCWZRD.EXE
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Skype\Phone\Skype.exe
C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Arquivos de programas\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Atalho para a Página de Propriedades do High Definition Audio] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Arquivos de programas\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [ipTray.exe] "C:\Arquivos de programas\Intel\IDU\iptray.exe"
O4 - HKLM\..\Run: [awTray.exe] "C:\Arquivos de programas\Intel\IDU\awtray.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Arquivos de programas\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsof...ss/allinone.asp
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194870207015
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsec...GbPluginABN.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: __GbPluginAbn - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Arquivos de programas\Intel\IDU\awServ.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Arquivos de programas\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Arquivos de programas\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 10656 bytes
#####################################
Malwarebytes' Anti-Malware 1.20
Database version: 941
Windows 5.1.2600 Service Pack 2
21:13:02 2008-07-11
mbam-log-7-11-2008 (21-13-02).txt
Scan type: Quick Scan
Objects scanned: 42432
Time elapsed: 3 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 5
Registry Keys Infected: 11
Registry Values Infected: 3
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 12
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\hcgbvclo.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\vtUlKcYp.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\njayylms.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\urqQjGAq.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\jqitehxe.dll (Trojan.Vundo) -> Unloaded module successfully.
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{926d0c41-7ea3-40d4-a51e-7e0767e5861a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{926d0c41-7ea3-40d4-a51e-7e0767e5861a} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\urqqjgaq (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{c2fc9f5e-2913-4de3-9f1e-8a6fb8f82f6f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2fc9f5e-2913-4de3-9f1e-8a6fb8f82f6f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\14ca65d4 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bm17f95648 (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{c5e84927-cff0-4ca3-a068-02e7c01c1e7c} (Trojan.Vundo) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtulkcyp -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtulkcyp -> Delete on reboot.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\vtUlKcYp.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pYcKlUtv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pYcKlUtv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hcgbvclo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\olcvbgch.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\njayylms.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\urqQjGAq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\jqitehxe.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\gqjbyfmv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qnumdwqt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17f95648.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BM17f95648.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
#####################################
SUPERAntiSpyware Scan Log
Generated 07/11/2008 at 11:24 PM
Application Version : 3.6.1000
Core Rules Database Version : 3503
Trace Rules Database Version: 1494
Scan type : Complete Scan
Total Scan Time : 01:58:40
Memory items scanned : 545
Memory threats detected : 0
Registry items scanned : 7277
Registry threats detected : 0
File items scanned : 156510
File threats detected : 0
#####################################
ComboFix 08-07-11.1 - admin 2008-07-12 14:59:52.7 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.1766 [GMT -3:00]
Executando de: C:\Documents and Settings\admin\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\hcgbvclo.dll
C:\WINDOWS\system32\jqitehxe.dll
C:\WINDOWS\system32\njayylms.dll
C:\WINDOWS\system32\pYcKlUtv.ini
C:\WINDOWS\system32\urqQjGAq.dll
C:\WINDOWS\system32\vtUlKcYp.dll
.
((((((((((((((((((((((( Ficheiros criados de 2008-06-12 to 2008-07-12 ))))))))))))))))))))))))))))))))
.
2008-07-12 14:25 . 2008-07-12 14:25 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-07-12 14:13 . 2001-08-17 21:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-07-12 14:12 . 2001-09-05 23:50 495,616 --a--c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-07-12 14:11 . 2004-08-04 00:45 4,274,816 --a--c--- C:\WINDOWS\system32\dllcache\nv4_disp.dll
2008-07-12 14:10 . 2004-08-04 00:45 1,737,856 --a--c--- C:\WINDOWS\system32\dllcache\mtxparhd.dll
2008-07-12 14:09 . 2001-08-17 21:28 802,683 --a--c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-07-12 14:08 . 2001-09-05 23:49 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-07-12 14:07 . 2001-08-17 20:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-07-12 14:06 . 2001-09-05 23:17 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-07-12 14:05 . 2004-08-04 00:45 870,784 --a--c--- C:\WINDOWS\system32\dllcache\ati3d1ag.dll
2008-07-12 14:04 . 2001-08-17 21:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-07-12 13:33 . 2008-07-12 13:38 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-11 21:19 . 2008-07-11 21:19 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com
2008-07-11 21:19 . 2008-07-11 21:19 <DIR> d-------- C:\Documents and Settings\admin\Dados de aplicativos\SUPERAntiSpyware.com
2008-07-11 21:19 . 2008-07-11 21:24 <DIR> d-------- C:\Arquivos de programas\SUPERAntiSpyware
2008-07-11 21:19 . 2008-07-11 21:19 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-07-11 21:07 . 2008-07-11 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes
2008-07-11 21:07 . 2008-07-11 21:07 <DIR> d-------- C:\Documents and Settings\admin\Dados de aplicativos\Malwarebytes
2008-07-11 21:07 . 2008-07-11 21:07 <DIR> d-------- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2008-07-11 21:07 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-11 21:07 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-11 19:35 . 2008-07-11 19:35 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\Ipswitch
2008-07-09 22:08 . 2008-06-20 07:45 360,320 --a------ C:\WINDOWS\system32\drivers\tcpip.sys
2008-07-09 22:08 . 2008-06-20 07:45 360,320 --a--c--- C:\WINDOWS\system32\dllcache\tcpip.sys
2008-07-09 22:08 . 2008-06-20 06:52 225,920 --a------ C:\WINDOWS\system32\drivers\tcpip6.sys
2008-07-09 22:08 . 2008-06-20 06:52 225,920 --a--c--- C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-07-09 22:08 . 2008-06-20 07:44 138,368 --a------ C:\WINDOWS\system32\drivers\afd.sys
2008-07-09 22:08 . 2008-06-20 07:44 138,368 --a--c--- C:\WINDOWS\system32\dllcache\afd.sys
2008-07-08 02:03 . 2008-07-08 02:03 <DIR> d-------- C:\Arquivos de programas\Thegrideon Software
2008-07-08 01:40 . 2008-07-08 01:40 <DIR> d-------- C:\Documents and Settings\admin\Dados de aplicativos\Intelore
2008-07-08 01:40 . 2008-07-08 01:53 <DIR> d-------- C:\Arquivos de programas\Intelore
2008-07-04 01:14 . 2008-07-04 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\IT Evolution
2008-07-04 01:13 . 2008-07-04 01:13 103,424 --a------ C:\WINDOWS\system32\Tradezone.Lib.Delivery.HTTP.Client_nat.dll
2008-07-04 01:08 . 2008-07-04 01:11 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-07-04 01:08 . 2008-07-04 01:08 <DIR> d-------- C:\Arquivos de programas\Reference Assemblies
2008-07-04 01:08 . 2008-07-04 01:08 <DIR> d-------- C:\Arquivos de programas\MSBuild
2008-07-04 01:07 . 2008-07-04 01:07 <DIR> d-------- C:\Arquivos de programas\MSXML 6.0
2008-07-04 01:07 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-06-28 23:21 . 2008-06-28 23:21 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\vsosdk
2008-06-28 21:57 . 2008-06-28 21:57 <DIR> d-------- C:\Arquivos de programas\VSO
2008-06-28 21:57 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-06-28 21:57 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-06-28 21:57 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-06-28 21:57 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-06-28 21:57 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-06-28 21:57 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-06-28 21:57 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-06-28 21:48 . 2008-07-09 18:47 <DIR> d-------- C:\Documents and Settings\admin\Dados de aplicativos\Vso
2008-06-28 21:48 . 2008-06-28 21:58 87,608 --a------ C:\Documents and Settings\admin\Dados de aplicativos\inst.exe
2008-06-28 21:48 . 2008-06-28 21:58 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-06-28 21:48 . 2008-06-28 21:58 47,360 --a------ C:\Documents and Settings\admin\Dados de aplicativos\pcouffin.sys
2008-06-28 19:32 . 2008-06-28 19:32 <DIR> d-------- C:\Arquivos de programas\Gabest
2008-06-12 19:09 . 2008-06-14 14:59 272,384 --------- C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 19:09 . 2008-06-14 14:59 272,384 --a--c--- C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-11 23:45 --------- d-----w C:\Documents and Settings\admin\Dados de aplicativos\Skype
2008-07-11 19:48 --------- d-----w C:\Documents and Settings\admin\Dados de aplicativos\Azureus
2008-07-11 15:48 --------- d-----w C:\Arquivos de programas\Azureus
2008-07-07 03:03 --------- d-----w C:\Documents and Settings\admin\Dados de aplicativos\skypePM
2008-07-04 04:13 --------- d-----w C:\Arquivos de programas\TradeZone
2008-06-07 00:42 --------- d-----w C:\Arquivos de programas\lockxls
2008-05-21 17:23 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2008-05-13 19:57 --------- d-----w C:\Arquivos de programas\Equis
2007-11-27 15:07 32 ----a-w C:\Documents and Settings\All Users\Dados de aplicativos\ezsid.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" [2007-01-19 11:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]
"Skype"="C:\Arquivos de programas\Skype\Phone\Skype.exe" [2007-11-12 14:48 21760296]
"SUPERAntiSpyware"="C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-02-27 11:39 1310720]
"PC Suite Tray"="C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 09:12 695808]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nod32kui"="C:\Arquivos de programas\Eset\nod32kui.exe" [2007-11-12 10:39 949376]
"ipTray.exe"="C:\Arquivos de programas\Intel\IDU\iptray.exe" [2005-12-02 16:50 1687552]
"awTray.exe"="C:\Arquivos de programas\Intel\IDU\awtray.exe" [2005-12-01 10:59 1305600]
"RemoteControl"="C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 21:57 30208]
"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" [2006-04-13 10:09 49152]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Acrobat Assistant 7.0"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 01:12 483328]
"HP Software Update"="C:\Arquivos de programas\HP\HP Software Update\HPWuSchd2.exe" [2005-12-15 10:18 49152]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2008-04-28 18:22 155648]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 00:45 159744]
"Atalho para a Página de Propriedades do High Definition Audio"="HDAudPropShortcut.exe" [2004-03-17 14:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-09-23 23:27 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-09-24 21:20 2557952 C:\WINDOWS\ALCWZRD.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]
"Nokia.PCSync"="C:\Arquivos de programas\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 16:35 1294336]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= "C:\Arquivos de programas\GbPlugin\gbiehabn.dll" [2007-10-30 15:43 339888]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Arquivos de programas\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 12:55 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-02-27 11:39 282624 C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginAbn]
2007-10-30 15:43 339888 C:\Arquivos de programas\GbPlugin\gbiehabn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2007-02-27 11:39 1310720 C:\Arquivos de programas\SUPERAntiSpyware\SUPERAntiSpyware.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Arquivos de programas\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=
"C:\\Arquivos de programas\\Azureus\\Azureus.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:UDP"= 9999:UDP:IDU Service UDP Port
"2804:TCP"= 2804:TCP:IDU Service TCP Port
S1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-11-11 13:51]
S2 GenPort;GenPort;C:\WINDOWS\system32\drivers\GenPort.sys [1998-04-01 02:11]
S2 MSSEARCH;Microsoft Search;C:\Arquivos de programas\Arquivos comuns\System\MSSearch\Bin\mssearch.exe [2002-12-04 11:52]
S2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 15:58]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2005-03-22 19:17]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys []
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-RegistryMechanic - (no file)
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-12 15:13:10
Windows 5.1.2600 Service Pack 2 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros ocultos ...
**************************************************************************
.
Tempo para conclusão: 2008-07-12 15:22:28
ComboFix-quarantined-files.txt 2008-07-12 18:21:25
Pre-Run: 68,811,300,864 bytes disponíveis
Post-Run: 68,681,195,520 bytes disponíveis
176 --- E O F --- 2008-07-12 17:25:44
Thanks a Lot!!!
Edited by salves, 13 July 2008 - 06:42 PM.