
Unknown malware type removal help [Solved]



#1
Karakal
Hi guys :)
I'd appreciate help evaluating my PC and instructions for fixing it.

Log file of HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:10:44, on 27/01/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\PROGRAM FILES\PANDA SECURITY\PANDA ANTIVIRUS PRO 2010\WebProxy.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Panda Security\Panda Antivirus Pro 2010\ApVxdWin.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Sophos\Sophos Anti-Rootkit\sargui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus Pro 2010\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Security\Panda Antivirus Pro 2010\Inicio.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com...t/PCPitStop.CAB
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcp.../PCPitStop2.cab
O23 - Service: Panda Software Controller - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Security, S.L. - C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe
O23 - Service: Panda On-Access Anti-Malware Service (PAVSRV) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\pavsrvx86.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Security S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsImSvc.exe
O23 - Service: Panda PSK service (PskSvcRetail) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe

--
End of file - 3311 bytes

Thanks in advance.
Best Regards.
Karakal

The missing data:

OTL logfile created on: 27/01/2010 16:24:08 - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Users\Dr. Cesar\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: dd/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 71,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 85,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 78,13 Gb Total Space | 64,35 Gb Free Space | 82,36% Space Free | Partition Type: NTFS
Drive D: | 219,96 Gb Total Space | 208,82 Gb Free Space | 94,93% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CONSULTÓRIO
Current User Name: Dr. Cesar
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/01/27 15:36:28 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Users\Dr. Cesar\Desktop\OTL.exe
PRC - [2009/09/17 12:17:32 | 00,293,120 | ---- | M] (Panda Security, S.L.) -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\pavsrvx86.exe
PRC - [2009/09/07 16:40:04 | 00,198,400 | ---- | M] (Panda Security, S.L.) -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\AVENGINE.EXE
PRC - [2009/08/25 13:28:20 | 00,028,928 | ---- | M] (Panda Security, S.L.) -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\psksvc.exe
PRC - [2009/08/10 13:46:08 | 00,173,312 | ---- | M] (Panda Security, S.L.) -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\PsCtrlS.exe
PRC - [2009/08/10 13:45:52 | 00,169,216 | ---- | M] (Panda Security, S.L.) -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\PavFnSvr.exe
PRC - [2009/07/13 23:17:29 | 00,673,048 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Internet Explorer\iexplore.exe
PRC - [2009/07/13 23:14:42 | 00,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 23:14:20 | 02,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/04/23 12:31:16 | 00,107,776 | ---- | M] (Panda Security, S.L.) -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\WebProxy.exe
PRC - [2009/04/17 10:17:24 | 00,157,440 | ---- | M] (Panda Security, S.L.) -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe
PRC - [2008/06/19 12:59:50 | 00,108,288 | ---- | M] (Panda Security S.L.) -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\PsImSvc.exe
PRC - [2008/02/04 17:26:48 | 00,062,768 | ---- | M] (Panda Security, S.L.) -- C:\Arquivos de programas\Common Files\Panda Security\PavShld\PavPrSrv.exe


========== Modules (SafeList) ==========

MOD - [2010/01/27 15:36:28 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Users\Dr. Cesar\Desktop\OTL.exe
MOD - [2009/07/13 23:16:15 | 00,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 23:16:13 | 00,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 23:16:13 | 00,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 23:16:12 | 00,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 23:16:03 | 00,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 23:15:35 | 00,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 23:15:13 | 00,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 23:15:11 | 00,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 23:15:07 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 23:15:02 | 00,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 23:03:50 | 01,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (OPCDX)
SRV - [2009/09/17 12:17:32 | 00,293,120 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Antivirus Pro 2010\pavsrvx86.exe -- (PAVSRV)
SRV - [2009/08/25 13:28:20 | 00,028,928 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PskSvc.exe -- (PskSvcRetail)
SRV - [2009/08/10 13:46:08 | 00,173,312 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsCtrls.exe -- (Panda Software Controller)
SRV - [2009/08/10 13:45:52 | 00,169,216 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PavFnSvr.exe -- (PAVFNSVR)
SRV - [2009/07/13 23:16:21 | 00,185,856 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 23:16:17 | 00,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 23:16:17 | 00,119,808 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 23:16:16 | 00,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 23:16:15 | 00,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 23:16:13 | 00,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 23:16:13 | 00,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 23:16:12 | 01,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 23:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 23:16:12 | 00,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 23:16:12 | 00,165,376 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 23:16:12 | 00,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 23:15:41 | 00,680,960 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Arquivos de programas\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 23:15:36 | 00,194,560 | ---- | M] (Microsoft Corporation) [Disabled | Stopped] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 23:15:21 | 00,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 23:15:11 | 00,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 23:15:10 | 00,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 23:14:59 | 00,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 23:14:58 | 00,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) Instalador do ActiveX (AxInstSV)
SRV - [2009/07/13 23:14:53 | 00,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 23:14:29 | 03,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/06/26 09:26:20 | 00,085,504 | ---- | M] (PC Pitstop LLC) [Disabled | Stopped] -- C:\Arquivos de Programas\PCPitstop\PCPitstopScheduleService.exe -- (PCPitstop Scheduling)
SRV - [2009/04/17 10:17:24 | 00,157,440 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Antivirus Pro 2010\TPSrv.exe -- (TPSrv)
SRV - [2008/07/02 14:09:36 | 00,060,160 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Arquivos de programas\Panda Security\Panda Antivirus Pro 2010\GWMsrv.dll -- (Gwmsrv)
SRV - [2008/06/19 12:59:50 | 00,108,288 | ---- | M] (Panda Security S.L.) [Auto | Running] -- C:\Program Files\Panda Security\Panda Antivirus Pro 2010\PsImSvc.exe -- (PSIMSVC)
SRV - [2008/02/04 17:26:48 | 00,062,768 | ---- | M] (Panda Security, S.L.) [Auto | Running] -- C:\Program Files\Common Files\Panda Security\PavShld\pavprsrv.exe -- (PavPrSrv)
SRV - [2006/10/26 20:49:34 | 00,441,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE -- (odserv)
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.br/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://br.msn.com/?ocid=iehp
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = pt-br
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DC 79 16 90 21 8E CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2006/09/18 19:41:30 | 00,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de Programas\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [APVXDWIN] C:\Program Files\Panda Security\Panda Antivirus Pro 2010\APVXDWIN.EXE (Panda Security, S.L.)
O4 - HKLM..\Run: [SCANINICIO] C:\Program Files\Panda Security\Panda Antivirus Pro 2010\Inicio.exe (Panda Security, S.L.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Arquivos de Programas\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} http://pcpitstop.com...t/PCPitStop.CAB (PCPitstop Utility)
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} http://utilities.pcp.../PCPitStop2.cab (PCPitstop Exam)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Arquivos de Programas\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Arquivos de Programas\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\avldr: DllName - avldr.dll - C:\Windows\System32\avldr.dll (Panda Security, S.L.)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O24 - Desktop WallPaper: C:\Windows\web\Wallpaper\img24.jpg
O24 - Desktop BackupWallPaper: C:\Windows\web\Wallpaper\img24.jpg
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 19:42:20 | 00,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O34 - HKLM BootExecute: (MACHINE BootExecut) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/14 00:37:08 | 00,000,000 | ---D | M]
NetSvcs: Irmon - C:\Windows\System32\irmon.dll (Microsoft Corporation)
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

========== Files/Folders - Created Within 14 Days ==========

[2010/01/27 15:52:35 | 00,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/01/27 15:47:01 | 00,439,808 | ---- | C] (OldTimer Tools) -- C:\Users\Dr. Cesar\Desktop\TFC.exe
[2010/01/27 15:40:13 | 00,548,864 | ---- | C] (OldTimer Tools) -- C:\Users\Dr. Cesar\Desktop\OTL.exe
[2010/01/27 13:44:06 | 00,000,000 | ---D | C] -- C:\ProgramData\PCPitstop
[2010/01/27 13:44:05 | 00,000,000 | ---D | C] -- C:\Arquivos de Programas\PCPitstop
[2010/01/27 12:53:35 | 00,000,000 | ---D | C] -- C:\Arquivos de Programas\Sophos
[2010/01/26 15:12:46 | 00,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/01/26 15:09:25 | 00,000,000 | ---D | C] -- C:\Windows\System32\appmgmt
[2010/01/26 13:48:41 | 00,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
[2010/01/26 13:48:20 | 00,000,000 | ---D | C] -- C:\Users\Dr. Cesar\AppData\Roaming\SUPERAntiSpyware.com
[2010/01/24 14:55:28 | 00,000,000 | ---D | C] -- C:\Users\Dr. Cesar\AppData\Roaming\Uniblue
[2010/01/22 12:19:30 | 00,000,000 | ---D | C] -- C:\Users\Dr. Cesar\AppData\Local\Panda Security
[2010/01/22 12:18:38 | 00,054,832 | ---- | C] (Panda Software) -- C:\Windows\System32\pavcpl.cpl
[2010/01/22 12:18:33 | 00,446,464 | ---- | C] (eHelp Corporation.) -- C:\Windows\System32\HHActiveX.dll
[2010/01/22 12:18:32 | 00,518,400 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\PavSHook.dll
[2010/01/22 12:18:32 | 00,193,792 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\TpUtil.dll
[2010/01/22 12:18:32 | 00,107,568 | ---- | C] (Panda Software) -- C:\Windows\System32\SYSTOOLS.DLL
[2010/01/22 12:18:32 | 00,087,296 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\PavLspHook.dll
[2010/01/22 12:18:32 | 00,055,552 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\pavipc.dll
[2010/01/22 12:18:31 | 00,058,672 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\avldr.dll
[2010/01/22 12:18:30 | 00,049,160 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\amm8660.sys
[2010/01/22 12:18:30 | 00,000,000 | ---D | C] -- C:\Windows\System32\PAV
[2010/01/22 12:18:30 | 00,000,000 | ---D | C] -- C:\Users\Dr. Cesar\AppData\Roaming\Panda Security
[2010/01/22 12:18:30 | 00,000,000 | ---D | C] -- C:\ProgramData\Panda Security
[2010/01/22 12:18:30 | 00,000,000 | ---D | C] -- C:\Arquivos de Programas\Panda Security
[2010/01/22 12:10:26 | 00,028,552 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\pavboot.sys
[2010/01/22 12:10:02 | 00,163,336 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\PavProc.sys
[2010/01/22 12:10:02 | 00,041,144 | ---- | C] (Panda Security, S.L.) -- C:\Windows\System32\drivers\ShlDrv51.sys
[2010/01/22 12:10:02 | 00,000,000 | ---D | C] -- C:\Arquivos de Programas\Common Files\Panda Security
[2010/01/21 20:07:19 | 00,000,000 | ---D | C] -- C:\Windows\ERDNT
[2010/01/21 16:35:39 | 00,614,400 | ---- | C] (Exontrol Inc.) -- C:\Windows\System32\ExButton.dll
[2010/01/21 16:35:39 | 00,602,112 | ---- | C] (Exontrol Inc.) -- C:\Windows\System32\ExMenu.dll
[2010/01/21 16:35:39 | 00,516,096 | ---- | C] (Exontrol Inc.) -- C:\Windows\System32\ExTab.dll
[2010/01/21 16:35:39 | 00,307,200 | ---- | C] (Exontrol Inc.) -- C:\Windows\System32\ExPMenu.dll
[2010/01/21 16:35:37 | 00,356,352 | ---- | C] (eSellerate Inc.) -- C:\Windows\System32\eSellerateEngine.dll
[2010/01/21 16:35:37 | 00,118,784 | ---- | C] (eSellerate Inc.) -- C:\Windows\System32\eWebControl.dll
[2010/01/20 17:00:03 | 01,753,088 | ---- | C] (Exontrol Inc.) -- C:\Windows\System32\ExGrid.dll
[2010/01/20 16:59:58 | 00,000,000 | ---D | C] -- C:\Arquivos de Programas\AnswersThatWork
[2010/01/19 15:04:52 | 00,311,312 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\7361858.sys
[2010/01/19 15:04:52 | 00,128,016 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\73618581.sys
[2010/01/19 15:04:52 | 00,037,392 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\73618582.sys
[2010/01/19 14:21:20 | 00,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/01/19 14:21:17 | 00,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/01/19 14:21:17 | 00,000,000 | ---D | C] -- C:\Arquivos de Programas\Malwarebytes' Anti-Malware
[2010/01/19 13:05:56 | 05,115,832 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Dr. Cesar\Documents\mbam-setup.exe
[2010/01/18 19:16:04 | 00,311,312 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\7812743.sys
[2010/01/18 19:16:04 | 00,128,016 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\78127431.sys
[2010/01/18 19:16:04 | 00,037,392 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\78127432.sys
[2010/01/18 18:40:54 | 00,000,000 | -HSD | C] -- C:\Config.Msi
[2010/01/17 19:06:35 | 00,000,000 | ---D | C] -- C:\ProgramData\Kaspersky Lab
[2010/01/16 13:53:36 | 00,000,000 | ---D | C] -- C:\Users\Dr. Cesar\AppData\Roaming\Malwarebytes
[2010/01/16 13:53:27 | 00,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes

========== Files - Modified Within 14 Days ==========

[2010/01/27 16:26:07 | 01,835,008 | -HS- | M] () -- C:\Users\Dr. Cesar\ntuser.dat
[2010/01/27 16:16:05 | 00,013,232 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/01/27 16:16:05 | 00,013,232 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/01/27 16:14:59 | 01,409,822 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/01/27 16:14:59 | 00,620,354 | ---- | M] () -- C:\Windows\System32\prfh0416.dat
[2010/01/27 16:14:59 | 00,574,600 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/01/27 16:14:59 | 00,117,788 | ---- | M] () -- C:\Windows\System32\prfc0416.dat
[2010/01/27 16:14:59 | 00,096,434 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/01/27 16:10:28 | 00,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/01/27 16:10:21 | 00,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/01/27 16:10:10 | 16,029,36832 | -HS- | M] () -- C:\hiberfil.sys
[2010/01/27 16:06:03 | 15,796,9822 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/01/27 15:39:24 | 00,293,376 | ---- | M] () -- C:\Users\Dr. Cesar\Desktop\gmer.exe
[2010/01/27 15:36:28 | 00,548,864 | ---- | M] (OldTimer Tools) -- C:\Users\Dr. Cesar\Desktop\OTL.exe
[2010/01/27 15:28:22 | 00,439,808 | ---- | M] (OldTimer Tools) -- C:\Users\Dr. Cesar\Desktop\TFC.exe
[2010/01/27 13:44:06 | 00,001,980 | ---- | M] () -- C:\Users\Dr. Cesar\Desktop\PC Pitstop Driver Alert2.lnk
[2010/01/26 21:02:00 | 01,525,281 | -H-- | M] () -- C:\Users\Dr. Cesar\AppData\Local\IconCache.db
[2010/01/26 19:12:17 | 00,008,627 | ---- | M] () -- C:\Windows\System32\PAV_FOG.OPC
[2010/01/26 14:34:08 | 00,000,274 | ---- | M] () -- C:\Windows\Jelly.ini
[2010/01/24 21:36:42 | 00,000,218 | ---- | M] () -- C:\Users\Dr. Cesar\.recently-used.xbel
[2010/01/24 11:16:03 | 00,723,304 | ---- | M] () -- C:\Users\Dr. Cesar\Desktop\windows_vista_first_steps_1298.pdf
[2010/01/22 12:18:45 | 00,000,250 | ---- | M] () -- C:\Windows\System32\PavCPL.dat
[2010/01/20 21:33:29 | 00,524,288 | -HS- | M] () -- C:\Users\Dr. Cesar\ntuser.dat{352b7e41-0612-11df-9da1-002185ff1f6b}.TMContainer00000000000000000002.regtrans-ms
[2010/01/20 21:33:29 | 00,524,288 | -HS- | M] () -- C:\Users\Dr. Cesar\ntuser.dat{352b7e41-0612-11df-9da1-002185ff1f6b}.TMContainer00000000000000000001.regtrans-ms
[2010/01/20 21:33:29 | 00,065,536 | -HS- | M] () -- C:\Users\Dr. Cesar\ntuser.dat{352b7e41-0612-11df-9da1-002185ff1f6b}.TM.blf
[2010/01/20 13:34:38 | 00,000,607 | ---- | M] () -- C:\Users\Dr. Cesar\Desktop\Windows Explorer.lnk
[2010/01/19 14:21:23 | 00,000,979 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/19 13:06:05 | 05,115,832 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Dr. Cesar\Documents\mbam-setup.exe
[2010/01/18 19:14:04 | 00,024,576 | ---- | M] () -- C:\Users\Dr. Cesar\Desktop\ESCALA VASCULAR jan 2010.doc
[2010/01/18 16:17:34 | 00,107,968 | ---- | M] () -- C:\Users\Dr. Cesar\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/01/13 20:03:22 | 00,408,600 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT

========== Files Created - No Company Name ==========

[2010/01/27 15:52:30 | 15,796,9822 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/01/27 13:44:06 | 00,001,980 | ---- | C] () -- C:\Users\Dr. Cesar\Desktop\PC Pitstop Driver Alert2.lnk
[2010/01/24 21:36:42 | 00,000,218 | ---- | C] () -- C:\Users\Dr. Cesar\.recently-used.xbel
[2010/01/24 11:16:03 | 00,723,304 | ---- | C] () -- C:\Users\Dr. Cesar\Desktop\windows_vista_first_steps_1298.pdf
[2010/01/22 12:18:45 | 00,000,250 | ---- | C] () -- C:\Windows\System32\PavCPL.dat
[2010/01/20 20:22:21 | 00,524,288 | -HS- | C] () -- C:\Users\Dr. Cesar\ntuser.dat{352b7e41-0612-11df-9da1-002185ff1f6b}.TMContainer00000000000000000002.regtrans-ms
[2010/01/20 20:22:21 | 00,524,288 | -HS- | C] () -- C:\Users\Dr. Cesar\ntuser.dat{352b7e41-0612-11df-9da1-002185ff1f6b}.TMContainer00000000000000000001.regtrans-ms
[2010/01/20 20:22:21 | 00,065,536 | -HS- | C] () -- C:\Users\Dr. Cesar\ntuser.dat{352b7e41-0612-11df-9da1-002185ff1f6b}.TM.blf
[2010/01/19 14:21:23 | 00,000,979 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/01/18 19:14:02 | 00,024,576 | ---- | C] () -- C:\Users\Dr. Cesar\Desktop\ESCALA VASCULAR jan 2010.doc
[2010/01/16 14:43:22 | 00,000,274 | ---- | C] () -- C:\Windows\Jelly.ini
[2009/12/03 18:55:53 | 00,003,584 | ---- | C] () -- C:\Users\Dr. Cesar\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/04 17:33:19 | 00,019,968 | ---- | C] () -- C:\Windows\System32\cpuinf32.dll
[2009/09/04 17:33:18 | 00,152,064 | ---- | C] () -- C:\Windows\System32\unrar.dll
[2009/09/04 17:33:17 | 00,761,856 | ---- | C] () -- C:\Windows\System32\xvidcore.dll
[2009/08/25 15:29:33 | 00,335,872 | ---- | C] () -- C:\Windows\System32\ldf252.dll
[2009/08/14 12:07:25 | 00,271,264 | ---- | C] () -- C:\Windows\System32\VBRUN100.DLL
[2009/07/13 21:51:43 | 00,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 21:42:10 | 00,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll

========== LOP Check ==========

[2009/08/23 21:32:30 | 00,000,000 | ---D | M] -- C:\Users\Dr. Cesar\AppData\Roaming\Goodsol
[2010/01/24 21:25:57 | 00,000,000 | ---D | M] -- C:\Users\Dr. Cesar\AppData\Roaming\gtk-2.0
[2009/08/23 21:32:32 | 00,000,000 | ---D | M] -- C:\Users\Dr. Cesar\AppData\Roaming\JAM Software
[2010/01/22 12:18:30 | 00,000,000 | ---D | M] -- C:\Users\Dr. Cesar\AppData\Roaming\Panda Security
[2010/01/24 14:55:28 | 00,000,000 | ---D | M] -- C:\Users\Dr. Cesar\AppData\Roaming\Uniblue
[2009/12/01 13:54:16 | 00,032,584 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/13 23:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\AGP440.sys
[2009/07/13 23:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/13 23:26:15 | 00,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 23:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 23:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 23:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 23:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 23:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 23:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 23:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 23:20:36 | 00,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 23:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 23:16:02 | 00,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 23:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/13 23:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 23:20:44 | 00,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 23:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/13 23:16:13 | 00,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< End of report >



OTL Extras logfile created on: 27/01/2010 16:24:08 - Run 1
OTL by OldTimer - Version 3.1.27.0 Folder = C:\Users\Dr. Cesar\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: dd/MM/yyyy

2,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 71,00% Memory free
4,00 Gb Paging File | 3,00 Gb Available in Paging File | 85,00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 78,13 Gb Total Space | 64,35 Gb Free Space | 82,36% Space Free | Partition Type: NTFS
Drive D: | 219,96 Gb Total Space | 208,82 Gb Free Space | 94,93% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CONSULTÓRIO
Current User Name: Dr. Cesar
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "C:\Program Files\Internet Explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DisableUnicastResponsesToMulticastBroadcast" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1
"DoNotAllowExceptions" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{29D3773E-54F4-23C2-D523-236A4453B844}_is1" = FileAlyzer
"{590B11BB-7FF9-4D4F-A9E8-E8165BF88381}" = Panda Antivirus Pro 2010
"{90120000-0015-0816-0000-0000000FF1CE}" = Microsoft Office Access MUI (Portuguese (Portugal)) 2007
"{90120000-0016-0816-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
"{90120000-0018-0816-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
"{90120000-0019-0816-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007
"{90120000-001A-0816-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007
"{90120000-001B-0816-0000-0000000FF1CE}" = Microsoft Office Word MUI (Portuguese (Portugal)) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0816-0000-0000000FF1CE}" = Microsoft Office Proof (Portuguese (Portugal)) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0816-0000-0000000FF1CE}" = Microsoft Office Proofing (Portuguese (Portugal)) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0816-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007
"{90120000-006E-0816-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
"{90120000-00A1-0816-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
"{90120000-00BA-0816-0000-0000000FF1CE}" = Microsoft Office Groove MUI (Portuguese (Portugal)) 2007
"{A5181519-9F3D-4372-ABC6-C333C2F3A816}_is1" = RunAlyzer
"{AC76BA86-7AD7-1033-7B44-A90000000001}" = Adobe Reader 9
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{C270BC04-1540-4673-960F-A546B2C860CD}" = Commandos 3 - Destination Berlin
"{E55FB276-73C9-4776-AB53-BC028C0509ED}" = Panda Antivirus Pro 2010
"{FFFF6D5C-E2F1-4B40-BC89-8923312E89EB}}_is1" = ACE Mega CoDecS Pack
"3DFiBs Backgammon_is1" = 3DFiBs version 3.0.63
"3DFiBs_is1" = 3DFiBs Backgammon 4.0.72
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"CCleaner" = CCleaner (remove only)
"Cygnus Hex Editor" = Cygnus Hex Editor 2.50
"ENTERPRISE" = Microsoft Office Enterprise 2007
"GNU Backgammon 0.15-stable_is1" = GNU Backgammon 0.15-stable (20061119 code)
"GNU Backgammon_is1" = GNU Backgammon (MAIN branch, 20091230 code)
"HDMI" = Intel® Graphics Media Accelerator Driver
"HijackThis" = HijackThis 2.0.2
"Icon Sucker 2 Standard Edition" = Icon Sucker 2 Standard Edition
"JellyFish Light 3.5" = JellyFish Light 3.5
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"PC Pitstop Driver Alert2_is1" = PC Pitstop Driver Alert2 2.0.0.0
"PicaView" = PicaView
"Pretty Good Solitaire - Royal Card Set_is1" = Pretty Good Solitaire - Royal Card Set 1.0
"Pretty Good Solitaire - Traditional Card Set_is1" = Pretty Good Solitaire - Traditional Card Set 1.0
"Pretty Good Solitaire_is1" = Pretty Good Solitaire version 12.0.0
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.5.0
"TreeSize Free_is1" = TreeSize Free V2.1
"WhatColor v3.0e" = WhatColor v3.0e

========== Last 10 Event Log Errors ==========

Error reading Event Logs: The Event Service is not operating properly or the Event Logs are corrupt!

< End of report >


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-27 16:20:28
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\DRA4CB~1.CES\AppData\Local\Temp\pwryqpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\DRIVERS\PavProc.sys ZwTerminateProcess [0x8FA8D4E8]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83026AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83026104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830263F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8300EFB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830261DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83026958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830266F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83026F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830271A8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.)

AttachedDevice \FileSystem\Ntfs \Ntfs av5flt.sys

Device \Driver\ACPI_HAL \Device\00000044 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:1676] 8FB8EF2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{7F704741-76B8-40BC-B900-FF24F0B017E1}@LeaseObtainedTime 1264616204
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{7F704741-76B8-40BC-B900-FF24F0B017E1}@T1 1264616214
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{7F704741-76B8-40BC-B900-FF24F0B017E1}@T2 1264616221
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{7F704741-76B8-40BC-B900-FF24F0B017E1}@LeaseTerminatesTime 1264616224

---- EOF - GMER 1.0.15 ----

Edited by Karakal, 27 January 2010 - 03:23 PM.

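The "< MD5 for: … >" blocks in the OTL log above list every copy of a system file OTL could find (the live copy under System32, the DriverStore copy and the WinSxS component-store copy) together with its MD5. The check behind that listing is simple: a rootkit that patches the live driver leaves the protected copies alone, so the live hash stops matching the reference hashes (TDL3 does exactly this to atapi.sys, which is why TDSSKiller hashes that file later in this thread). The script below, an added example that is not part of the original post and not OTL's own code, parses that block format and flags any file whose live copy differs from its reference copies. The sample log text is constructed: the cngaudit.dll entries reuse the hashes shown above, while the live atapi.sys hash is invented to show what a patched file looks like.

```python
import re
from collections import defaultdict

# One OTL MD5 line, e.g.
# [2009/07/13 23:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA...7E -- C:\Windows\System32\cngaudit.dll
LINE_RE = re.compile(
    r"^\[(?P<stamp>[^|]+)\|\s*(?P<size>[\d,]+)\s*\|[^\]]*\]\s*"
    r"\((?P<vendor>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>.+)$"
)
HEADER_RE = re.compile(r"^<\s*MD5 for:\s*(?P<name>[^>]+?)\s*>$")

# Directories OTL lists as protected reference copies: component store and driver store.
REFERENCE_DIRS = ("\\winsxs\\", "\\driverstore\\")

# Constructed sample input. The cngaudit.dll hashes are the ones OTL printed above;
# the live atapi.sys hash is invented to simulate a patched driver.
SAMPLE_LOG = r"""
< MD5 for: CNGAUDIT.DLL >
[2009/07/13 23:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 23:15:06 | 00,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: ATAPI.SYS >
[2009/07/13 23:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=DEADBEEF00000000000000000000CAFE -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 23:26:15 | 00,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys
"""


def parse_md5_sections(text):
    """Return {FILENAME: [entry, ...]} parsed from OTL's '< MD5 for: X >' blocks."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER_RE.match(line)
        if header:
            current = header.group("name").upper()
            continue
        m = LINE_RE.match(line)
        if m and current:
            sections[current].append({
                "path": m.group("path").strip(),
                "md5": m.group("md5").upper(),
                "size": int(m.group("size").replace(",", "")),
                "vendor": m.group("vendor"),
            })
    return dict(sections)


def is_reference_copy(path):
    """True for copies that live in the component store or driver store."""
    lowered = path.lower()
    return any(d in lowered for d in REFERENCE_DIRS)


def check_sections(sections):
    """Compare each live copy with the reference copies of the same file.

    Returns {FILENAME: 'clean' | 'mismatch' | 'no-reference'}. A file with several
    distinct reference hashes (a serviced component) is clean only if the live
    hash equals one of them; anything else is reported as a mismatch.
    """
    verdicts = {}
    for name, entries in sections.items():
        refs = {e["md5"] for e in entries if is_reference_copy(e["path"])}
        live = [e for e in entries if not is_reference_copy(e["path"])]
        if not refs or not live:
            verdicts[name] = "no-reference"
            continue
        bad = [e for e in live if e["md5"] not in refs]
        verdicts[name] = "mismatch" if bad else "clean"
    return verdicts


def scan(text):
    """Parse an OTL MD5 listing and return the per-file verdicts."""
    return check_sections(parse_md5_sections(text))


if __name__ == "__main__":
    for name, verdict in sorted(scan(SAMPLE_LOG).items()):
        print(f"{name:14} {verdict}")
```

A "mismatch" verdict is a lead, not proof: a file serviced by Windows Update can legitimately differ from an older WinSxS copy, so the next step is checking the live file's Authenticode signature and version, which is what the TDSSKiller run later in this thread does for atapi.sys.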


#2
mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Hi Karakal,

Welcome to Geeks To Go!

My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
  • Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
  • Please do not do anything or perform other steps unless I have asked you to do so.
  • Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
  • If you are unsure of how to reply, or need help with anything regarding the website, please look here.
I also recommend that you print these instructions, as you may be required to boot in safe mode.

I'm currently reviewing your logs, I'll get back to you shortly.

#3
mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
What kind of problems are you having?

#4
Karakal

    New Member

  • Member
  • Pip
  • 9 posts
Hi mpascal.
Thanks for the attention.
My problems are: System unstable, rebooting for no reason. BSOD 2 times in the last 3 or 4 days (I did not take notes of the dump). IE being redirected even if the address is typed (no link clicking). Panda AV probably patched (no recognition of malware). MBAM idem. Log of activities in unexpected places. Impossible to access certain folders or their contents, even running Windows Explorer as admin and changing properties. Impossible to read some logs ("Access denied. The file is opened in another application"). Basically "just" those problems.
Thanks again for your attention and let me know if any information is missing.
Best regards.
Karakal

Edited by Karakal, 01 February 2010 - 02:13 PM.


#5
mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Hi Karakal,

STEP 1 - OTL Fix

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    :OTL
    O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
    [2010/01/19 15:04:52 | 00,311,312 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\7361858.sys
    [2010/01/19 15:04:52 | 00,128,016 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\73618581.sys
    [2010/01/19 15:04:52 | 00,037,392 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\73618582.sys
    [2010/01/18 19:16:04 | 00,311,312 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\7812743.sys
    [2010/01/18 19:16:04 | 00,128,016 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\78127431.sys
    [2010/01/18 19:16:04 | 00,037,392 | ---- | C] (Kaspersky Lab) -- C:\Windows\System32\drivers\78127432.sys
    
    :Reg
    [-HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{7F704741-76B8-40BC-B900-FF24F0B017E1}]
    
    :Commands
    [purity]
    [emptytemp]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Once it has rebooted, there should be a log on your desktop starting with 02012010. Post that log here in your next reply.
STEP 2 - MBAM

Please download Malwarebytes' Anti-Malware from here.

Double Click mbam-setup.exe to install the application.
  • Make sure a check mark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

STEP 3 - Kaspersky

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
STEP 4 - Reply

Please reply with the following:
  • OTL Log
  • MBAM Log
  • Kaspersky Log

Edited by mpascal, 01 February 2010 - 04:13 PM.


#6
Karakal

    New Member

  • Member
  • Pip
  • 9 posts
Hi mpascal.
Here the requested data.
It was impossible to run Kaspersky's online scan. Impossible to install the needed Java.

OTL:
All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\WebCheck deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\ not found.
C:\Windows\System32\drivers\7361858.sys moved successfully.
C:\Windows\System32\drivers\73618581.sys moved successfully.
C:\Windows\System32\drivers\73618582.sys moved successfully.
C:\Windows\System32\drivers\7812743.sys moved successfully.
C:\Windows\System32\drivers\78127431.sys moved successfully.
C:\Windows\System32\drivers\78127432.sys moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{7F704741-76B8-40BC-B900-FF24F0B017E1}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7F704741-76B8-40BC-B900-FF24F0B017E1}\ not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Dr. Cesar
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 79612523 bytes

User: Public

User: Todos os Usuários

User: Usuário Padrão
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 76,00 mb


OTL by OldTimer - Version 3.1.27.0 log created on 02012010_204452

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...



Mbam:
I don´t know if I can trust the download.
Redirected to cnet and then to: http://dw.com.com/re...Dmbam-setup.exe

Log:

Malwarebytes' Anti-Malware 1.44
Database version: 3677
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

02/02/2010 09:12:10
mbam-log-2010-02-02 (09-12-10).txt

Scan type: Quick scan
Objects scanned: 106733
Time elapsed: 6 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The log above has been translated from Portuguese. The Java error messages are attached.
Thanks again for your time and help.
Best regards.

Karakal

Attached Thumbnails

  • Sem_t_tulo.jpg

Edited by Karakal, 02 February 2010 - 05:41 AM.


#7
mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.


#8
Karakal

    New Member

  • Member
  • Pip
  • 9 posts
Hi mpascal.
The log (first run without the above command, and then with that
"%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v thing).
Thanks.
Karakal



16:58:10:906 3760 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:58:10:906 3760 ================================================================================
16:58:10:906 3760 SystemInfo:

16:58:10:906 3760 OS Version: 6.1.7600 ServicePack: 0.0
16:58:10:906 3760 Product type: Workstation
16:58:10:906 3760 ComputerName: CONSULTÓRIO
16:58:10:906 3760 UserName: Dr. Cesar
16:58:10:906 3760 Windows directory: C:\Windows
16:58:10:906 3760 Processor architecture: Intel x86
16:58:10:906 3760 Number of processors: 1
16:58:10:906 3760 Page size: 0x1000
16:58:10:921 3760 Boot type: Normal boot
16:58:10:921 3760 ================================================================================
16:58:10:921 3760 UnloadDriverW: NtUnloadDriver error 2
16:58:10:921 3760 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:58:10:921 3760 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:58:10:953 3760 UtilityInit: KLMD drop and load success
16:58:10:953 3760 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:58:10:953 3760 UtilityInit: KLMD open success
16:58:10:953 3760 UtilityInit: Initialize success
16:58:10:953 3760
16:58:10:953 3760 Scanning Services ...
16:58:10:953 3760 CreateRegParser: Registry parser init started
16:58:10:953 3760 CreateRegParser: DisableWow64Redirection error
16:58:10:953 3760 wfopen_ex: Trying to open file C:\Windows\system32\config\system
16:58:10:953 3760 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
16:58:10:953 3760 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:58:10:953 3760 wfopen_ex: Trying to KLMD file open
16:58:10:953 3760 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
16:58:10:953 3760 wfopen_ex: File opened ok (Flags 2)
16:58:10:968 3760 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 15DD5B0
16:58:10:968 3760 wfopen_ex: Trying to open file C:\Windows\system32\config\software
16:58:10:968 3760 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
16:58:10:968 3760 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:58:10:968 3760 wfopen_ex: Trying to KLMD file open
16:58:10:968 3760 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
16:58:10:968 3760 wfopen_ex: File opened ok (Flags 2)
16:58:10:984 3760 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 15DD5D8
16:58:10:984 3760 CreateRegParser: EnableWow64Redirection error
16:58:10:984 3760 CreateRegParser: RegParser init completed
16:58:11:890 3760 GetAdvancedServicesInfo: Raw services enum returned 443 services
16:58:11:890 3760 fclose_ex: Trying to close file C:\Windows\system32\config\system
16:58:11:906 3760 fclose_ex: Trying to close file C:\Windows\system32\config\software
16:58:11:906 3760
16:58:11:906 3760 Scanning Kernel memory ...
16:58:11:906 3760 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:58:11:906 3760 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 859EEAF0
16:58:11:906 3760 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
16:58:11:906 3760
16:58:11:906 3760 DetectCureTDL3: DEVICE_OBJECT: 859F0AC8
16:58:11:906 3760 KLMD_GetLowerDeviceObject: Trying to get lower device object for 859F0AC8
16:58:11:906 3760 DetectCureTDL3: DEVICE_OBJECT: 85557858
16:58:11:906 3760 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85557858
16:58:11:906 3760 DetectCureTDL3: DEVICE_OBJECT: 85960030
16:58:11:906 3760 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85960030
16:58:11:906 3760 KLMD_ReadMem: Trying to ReadMemory 0x85960030[0x38]
16:58:11:906 3760 DetectCureTDL3: DRIVER_OBJECT: 859433F0
16:58:11:906 3760 KLMD_ReadMem: Trying to ReadMemory 0x859433F0[0xA8]
16:58:11:906 3760 KLMD_ReadMem: Trying to ReadMemory 0x85943F90[0x1A]
16:58:11:906 3760 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:58:11:906 3760 DetectCureTDL3: IrpHandler (0) addr: 893598C4
16:58:11:906 3760 DetectCureTDL3: IrpHandler (1) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (2) addr: 893598C4
16:58:11:906 3760 DetectCureTDL3: IrpHandler (3) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (4) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (5) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (6) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (7) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (8) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (9) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (10) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (11) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (12) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (13) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (14) addr: 8934547C
16:58:11:906 3760 DetectCureTDL3: IrpHandler (15) addr: 8934544E
16:58:11:906 3760 DetectCureTDL3: IrpHandler (16) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (17) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (18) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (19) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (20) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (21) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (22) addr: 893454AA
16:58:11:906 3760 DetectCureTDL3: IrpHandler (23) addr: 89354DB2
16:58:11:906 3760 DetectCureTDL3: IrpHandler (24) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (25) addr: 82CBC359
16:58:11:906 3760 DetectCureTDL3: IrpHandler (26) addr: 82CBC359
16:58:11:906 3760 TDL3_FileDetect: Processing driver: atapi
16:58:11:906 3760 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:58:11:906 3760 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
16:58:11:906 3760 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Clean
16:58:11:906 3760
16:58:11:921 3760 Completed
16:58:11:921 3760
16:58:11:921 3760 Results:
16:58:11:921 3760 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:58:11:921 3760 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:58:11:921 3760 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:58:11:921 3760
16:58:12:078 3760 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000




16:59:13:484 4016 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
16:59:13:484 4016 ================================================================================
16:59:13:484 4016 SystemInfo:

16:59:13:484 4016 OS Version: 6.1.7600 ServicePack: 0.0
16:59:13:484 4016 Product type: Workstation
16:59:13:484 4016 ComputerName: CONSULTÓRIO
16:59:13:500 4016 UserName: Dr. Cesar
16:59:13:500 4016 Windows directory: C:\Windows
16:59:13:500 4016 Processor architecture: Intel x86
16:59:13:500 4016 Number of processors: 1
16:59:13:500 4016 Page size: 0x1000
16:59:13:500 4016 Boot type: Normal boot
16:59:13:500 4016 ================================================================================
16:59:13:500 4016 UnloadDriverW: NtUnloadDriver error 2
16:59:13:500 4016 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:59:13:500 4016 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:59:13:515 4016 UtilityInit: KLMD drop and load success
16:59:13:515 4016 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
16:59:13:515 4016 UtilityInit: KLMD open success
16:59:13:515 4016 UtilityInit: Initialize success
16:59:13:515 4016
16:59:13:531 4016 Scanning Services ...
16:59:13:531 4016 CreateRegParser: Registry parser init started
16:59:13:531 4016 CreateRegParser: DisableWow64Redirection error
16:59:13:531 4016 wfopen_ex: Trying to open file C:\Windows\system32\config\system
16:59:13:531 4016 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\system) returned status C0000043
16:59:13:531 4016 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:59:13:531 4016 wfopen_ex: Trying to KLMD file open
16:59:13:531 4016 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\system
16:59:13:531 4016 wfopen_ex: File opened ok (Flags 2)
16:59:13:531 4016 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\system) init success: 162D5D0
16:59:13:531 4016 wfopen_ex: Trying to open file C:\Windows\system32\config\software
16:59:13:531 4016 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\config\software) returned status C0000043
16:59:13:531 4016 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:59:13:531 4016 wfopen_ex: Trying to KLMD file open
16:59:13:531 4016 KLMD_CreateFileW: Trying to open file C:\Windows\system32\config\software
16:59:13:531 4016 wfopen_ex: File opened ok (Flags 2)
16:59:13:562 4016 CreateRegParser: HIVE_ADAPTER(C:\Windows\system32\config\software) init success: 162D5F8
16:59:13:562 4016 CreateRegParser: EnableWow64Redirection error
16:59:13:562 4016 CreateRegParser: RegParser init completed
16:59:14:046 4016 GetAdvancedServicesInfo: Raw services enum returned 443 services
16:59:14:046 4016 fclose_ex: Trying to close file C:\Windows\system32\config\system
16:59:14:046 4016 fclose_ex: Trying to close file C:\Windows\system32\config\software
16:59:14:046 4016
16:59:14:046 4016 Scanning Kernel memory ...
16:59:14:046 4016 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
16:59:14:046 4016 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 859EEAF0
16:59:14:046 4016 DetectCureTDL3: KLMD_GetDeviceObjectList returned 1 DevObjects
16:59:14:046 4016
16:59:14:046 4016 DetectCureTDL3: DEVICE_OBJECT: 859F0AC8
16:59:14:046 4016 KLMD_GetLowerDeviceObject: Trying to get lower device object for 859F0AC8
16:59:14:046 4016 DetectCureTDL3: DEVICE_OBJECT: 85557858
16:59:14:046 4016 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85557858
16:59:14:046 4016 DetectCureTDL3: DEVICE_OBJECT: 85960030
16:59:14:046 4016 KLMD_GetLowerDeviceObject: Trying to get lower device object for 85960030
16:59:14:046 4016 KLMD_ReadMem: Trying to ReadMemory 0x85960030[0x38]
16:59:14:046 4016 DetectCureTDL3: DRIVER_OBJECT: 859433F0
16:59:14:046 4016 KLMD_ReadMem: Trying to ReadMemory 0x859433F0[0xA8]
16:59:14:046 4016 KLMD_ReadMem: Trying to ReadMemory 0x85943F90[0x1A]
16:59:14:046 4016 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
16:59:14:046 4016 DetectCureTDL3: IrpHandler (0) addr: 893598C4
16:59:14:046 4016 DetectCureTDL3: IrpHandler (1) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (2) addr: 893598C4
16:59:14:046 4016 DetectCureTDL3: IrpHandler (3) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (4) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (5) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (6) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (7) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (8) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (9) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (10) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (11) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (12) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (13) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (14) addr: 8934547C
16:59:14:046 4016 DetectCureTDL3: IrpHandler (15) addr: 8934544E
16:59:14:046 4016 DetectCureTDL3: IrpHandler (16) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (17) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (18) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (19) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (20) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (21) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (22) addr: 893454AA
16:59:14:046 4016 DetectCureTDL3: IrpHandler (23) addr: 89354DB2
16:59:14:046 4016 DetectCureTDL3: IrpHandler (24) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (25) addr: 82CBC359
16:59:14:046 4016 DetectCureTDL3: IrpHandler (26) addr: 82CBC359
16:59:14:062 4016 TDL3_FileDetect: Processing driver: atapi
16:59:14:062 4016 TDL3_FileDetect: Processing driver file: C:\Windows\system32\DRIVERS\atapi.sys
16:59:14:062 4016 KLMD_CreateFileW: Trying to open file C:\Windows\system32\DRIVERS\atapi.sys
16:59:14:062 4016 TDL3_FileDetect: C:\Windows\system32\DRIVERS\atapi.sys - Verdict: Clean
16:59:14:062 4016
16:59:14:062 4016 Completed
16:59:14:062 4016
16:59:14:062 4016 Results:
16:59:14:062 4016 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
16:59:14:078 4016 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
16:59:14:078 4016 File objects infected / cured / cured on reboot: 0 / 0 / 0
16:59:14:078 4016
16:59:14:687 4016 MyNtCreateFileW: NtCreateFile(\??\C:\Windows\system32\drivers\klmd.sys) returned status 00000000
16:59:14:687 4016 UtilityDeinit: KLMD(ARK) unloaded successfully

16:58:12:078 3760 UtilityDeinit: KLMD(ARK) unloaded successfully

Edited by Karakal, 02 February 2010 - 01:09 PM.

  • 0

#9
mpascal

mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Are you still having redirect issues?
  • 0

#10
Karakal

Karakal

    New Member

  • Member
  • Pip
  • 9 posts
Hi, mpascal.

Unfortunately I am still having redirect issues.
Mainly on AV sites and my e-mail service. For instance, I can't register on rootkit.com, no matter what I do. I even disabled cookie blocking for this site. Or it might be that I am only paranoid to the greatest degree.
Yet, I didn't mention that a week ago Mbam detected my system infected with Rootkit.Agent.H, which is said to have been quarantined and removed. Since this 'cure' the software (Mbam) did not detect anything else (even after uninstalling, redownloading and reinstalling). And I've seen this happening only too much, as related in other topics in this very geekstogo.com/forum. But, as said, it could be only paranoia to a critical degree. If you think my logs are clear, I may try to accept it, until convinced that my PC is indeed clear or getting harder evidence that it is all but disinfected for good. In this last case, what should I do to reopen the topic?
Thanks again for your time and effort, which I shall not forget. Best regards.
Karakal
  • 0
#11
mpascal

mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
OK, there have been a few cases of a "new" redirect virus that have just started coming in here yesterday or so, so I think it would be worth it to do one last final scan to see if we can detect anything else that may be causing the problem.

Download OTS.exe to your Desktop and double-click on it to run it.
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Under File Age at the top, change it from 30 days to 90 days
  • Under Additional Scans check the boxes beside

    • Reg - ActiveX StubPath
    • Reg - App Paths
    • Reg - Approved Shell Extensions
    • Reg - Desktop Components
    • Reg - Disabled MS Config Items
    • Reg - Drivers32
    • Reg - Ext
    • Reg - File Associations
    • Reg - IE Explorer Bars
    • Reg - NetSvcs
    • Reg - Protocol Filters
    • Reg - Protocol Handlers
    • Reg - SafeBoot Minimal
    • Reg - SafeBoot Network
    • Reg - Session Manager Settings
    • Reg - Winsock2 Catalogs
    • Evnt - EventViewer Logs ( Last 10 Errors )
    • File - Lop Check
    • File - Purity Scan
  • Under the Custom Scans box at the bottom left paste the following in

    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    /md5stop
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %PROGRAMFILES%\*.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram /s
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug /s


  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it. It is saved in the same position as OTS.exe which should be on your Desktop.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way
  • 0
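The `/md5start ... /md5stop` block in the scan above asks OTS to hash a list of disk and logon-related drivers and DLLs, because a TDL3-style rootkit patches a legitimate driver such as `atapi.sys` in place and the on-disk hash is what gives it away. The following Python is an added example, not OTS code: it hashes the named files in a directory and compares them with a baseline of known-good MD5s, using a constructed temp directory and constructed baseline (the file contents and hashes are sample data, not real driver hashes).

```python
import hashlib
import os
import tempfile

# Driver names taken from the /md5start list in the post above (subset).
MD5_TARGETS = ["atapi.sys", "scecli.dll", "nvstor.sys"]


def md5_file(path, chunk=65536):
    """MD5 of a file read in chunks, so large driver images do not load whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_drivers(directory, names, baseline):
    """Return {name: 'ok' | 'MODIFIED' | 'missing' | 'unknown'} for each name.

    'unknown' means the file exists but the baseline has no hash for it, which
    a reviewer should look up rather than silently accept.
    """
    report = {}
    for name in names:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            report[name] = "missing"
            continue
        expected = baseline.get(name)
        if expected is None:
            report[name] = "unknown"
        elif md5_file(path).lower() == expected.lower():
            report[name] = "ok"
        else:
            report[name] = "MODIFIED"
    return report


def demo():
    """Constructed sample: one clean file, one patched file, one absent file."""
    tmp = tempfile.mkdtemp()
    clean = b"CONSTRUCTED SAMPLE DRIVER IMAGE"
    patched = clean + b"\x90\x90 constructed patch bytes"
    with open(os.path.join(tmp, "atapi.sys"), "wb") as f:
        f.write(patched)  # simulates an in-place patched driver
    with open(os.path.join(tmp, "scecli.dll"), "wb") as f:
        f.write(clean)
    baseline = {"atapi.sys": hashlib.md5(clean).hexdigest(),
                "scecli.dll": hashlib.md5(clean).hexdigest()}
    return check_drivers(tmp, MD5_TARGETS, baseline)
```

On a real system the baseline hashes must come from a trusted source (a known-good installation or the vendor's file information for that exact patch level), since a hash of the already-infected file proves nothing.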

#12
Karakal

Karakal

    New Member

  • Member
  • Pip
  • 9 posts
Hi mpascal.
I've attached the OTS log as instructed.
Regards
Karakal

Attached Files

  • Attached File  OTS.Txt   236.64KB   469 downloads

  • 0

#13
mpascal

mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Sorry for the delay, I'll be reviewing that log today when I get home, and I'll hopefully have some instructions for you to get this fixed shortly after.
  • 0

#14
mpascal

mpascal

    Math Nerd

  • Retired Staff
  • 3,644 posts
Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Files/Folders - Created Within 90 Days]
NY ->  temp.005 -> C:\Windows\System32\temp.005
NY ->  temp.004 -> C:\Windows\System32\temp.004
NY ->  temp.001 -> C:\Windows\System32\temp.001
NY ->  temp.002 -> C:\Windows\System32\temp.002
NY ->  temp.003 -> C:\Windows\System32\temp.003
NY ->  temp.000 -> C:\Windows\System32\temp.000
[Files - No Company Name]
NY ->  VBRUN100.DLL -> C:\Windows\System32\VBRUN100.DLL

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here

I will review the information when it comes back in.

Once you are done all this, let me know if you are still having any problems.
  • 0

#15
Karakal

Karakal

    New Member

  • Member
  • Pip
  • 9 posts
Hi mpascal.

I closed the log thinking it was saved.
However I had read it before. I pasted the fix again and had it run and logged.
Where it says "file not found!" it was originally "moved successfully", so I changed it to obtain:
[Files/Folders - Created Within 90 Days]
File C:\Windows\System32\temp.005 moved successfully!
File C:\Windows\System32\temp.004 moved successfully!
File C:\Windows\System32\temp.001 moved successfully!
File C:\Windows\System32\temp.002 moved successfully!
File C:\Windows\System32\temp.003 moved successfully!
File C:\Windows\System32\temp.000 moved successfully!
[Files - No Company Name]
File C:\Windows\System32\VBRUN100.DLL moved successfully!
< End of fix log >
OTS by OldTimer - Version 3.1.20.1 fix logfile created on 02052010_110159

which I think is what was written originally (as I remember).
Whatever else you need, let me know. Thanks again for your attention.
Best regards
Karakal
  • 0
