Don´t know what´s this... Can someone help, please? [RESOLVED]


  • This topic is locked This topic is locked

#1 digitally (New Member, 5 posts)

Greetings.

I've done all the steps explained to remove a problem on my computer, the required steps before posting this log. I've Norton Firewall and Norton Antivirus updated and active; I've scanned my computer with Ad-Aware SE, Spybot S&D, Ewido Security Suite, Trend Housecall, TrojanHunter, HijackThis... Couldn't run CWShredder, because it gives an error saying it's not a valid Win32 application...

But the problem still remains: a kind of annoying pop-up warnings that appear frequently. Some examples of what they say:

"Message from SYSTEM for ALERT in 23-10-2005 13:31:41
Windows has encountered an Internal Error
Your Windows registry is corrupted.
We recommend a complete system scan.
Visit
http://FixTheReg.com
To repair now!"

or

"Message from SYSTEM for ALERT in 23-10-05 17:22:51
Microsoft Windows has encountered an Internal Error
Your Windows registry is corrupted.
We recommend a complete system scan.
Visit
http://CleanRegNow.com
To repair now!"


Next, I post the required logfiles.

>> From AD-Aware:

ArchiveData(auto-quarantine- 2005-10-22 22-06-33.bckp)
Referencefile : SE1R70 12.10.2005
======================================================

MRU LIST
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=MRU FileReference : C:\Documents and Settings\vl\recent\Adobe Type Library.lnk
obj[1]=MRU FileReference : C:\Documents and Settings\vl\recent\cnpi.lnk
obj[2]=MRU FileReference : C:\Documents and Settings\vl\recent\CocasFinal_1_.0001.lnk
obj[3]=MRU FileReference : C:\Documents and Settings\vl\recent\compact_REEL.lnk
obj[4]=MRU FileReference : C:\Documents and Settings\vl\recent\Desert-Meteor.lnk
obj[5]=MRU FileReference : C:\Documents and Settings\vl\recent\dinamarqueses.lnk
obj[6]=MRU FileReference : C:\Documents and Settings\vl\recent\holandeses.lnk
obj[7]=MRU FileReference : C:\Documents and Settings\vl\recent\Humor.lnk
obj[8]=MRU FileReference : C:\Documents and Settings\vl\recent\menteurb(logo)1.lnk
obj[9]=MRU FileReference : C:\Documents and Settings\vl\recent\menteurb(logo1).lnk
obj[10]=MRU FileReference : C:\Documents and Settings\vl\recent\menteurb(logo2).lnk
obj[11]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru\*
obj[12]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.ini
obj[13]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.jpg
obj[14]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.mov
obj[15]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.mpg
obj[16]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.pdf
obj[17]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.pict
obj[18]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.psd
obj[19]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.TTF
obj[20]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\.wmv
obj[21]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\recentdocs\Folder
obj[22]=MRU FileReference : C:\Documents and Settings\vl\recent\Utilitários.lnk
obj[23]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows media\wmsdk\general computername
obj[24]=MRU FileReference : C:\Documents and Settings\vl\recent\vodafone.lnk
obj[26]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name
obj[27]=MRU RegReference : software\microsoft\direct3d\mostrecentapplication name
obj[28]=MRU RegReference : software\microsoft\directdraw\mostrecentapplication name
obj[29]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\internet explorer download directory
obj[30]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\internet explorer\typedurls
obj[31]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\mediaplayer\player\settings saveasdir
obj[32]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\mediaplayer\player\settings opendir
obj[33]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\mediaplayer\preferences lastplaylistindex
obj[34]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\mediaplayer\preferences lastplaylist
obj[35]=MRU RegReference : S-1-5-21-583907252-2146915963-839522115-1003\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru

TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[14]=IECache Entry : Cookie:vl@statcounter.com/
obj[15]=IECache Entry : Cookie:vl@doubleclick.net/
obj[16]=IECache Entry : Cookie:vl@questionmarket.com/
obj[17]=IECache Entry : Cookie:vl@server.iad.liveperson.net/
obj[18]=IECache Entry : Cookie:vl@stat.onestat.com/
obj[19]=IECache Entry : Cookie:vl@live365.com/
obj[20]=IECache Entry : Cookie:vl@bravenet.com/
obj[21]=IECache Entry : Cookie:vl@valueclick.com/
obj[22]=IECache Entry : Cookie:vl@zedo.com/
obj[23]=IECache Entry : Cookie:vl@ads.addynamix.com/
obj[24]=IECache Entry : Cookie:vl@perf.overture.com/
obj[25]=IECache Entry : Cookie:vl@adserv.sapo.pt/
obj[26]=IECache Entry : Cookie:vl@atdmt.com/
obj[27]=IECache Entry : Cookie:vl@estat.com/
obj[28]=IECache Entry : Cookie:vl@edge.ru4.com/
obj[29]=IECache Entry : Cookie:vl@fastclick.net/


>> From Ewido:

---------------------------------------------------------
ewido security suite - Relatório de verificação
---------------------------------------------------------

+ Criado em: 23:00:50, 22-10-2005
+ Relatório-Checksum: 80342A57

+ Resultado da verificação:

C:\Documents and Settings\vl\Cookies\vl@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\vl\Cookies\vl@ilead.itrack[2].txt -> Spyware.Cookie.Itrack : Cleaned with backup
C:\WINDOWS\system32\TFTP1704 -> Backdoor.Rbot : Cleaned with backup


::Fim do Relatório


>> From HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 13:04:26, on 23-10-2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\ewido\security suite\ewidoctrl.exe
C:\Programas\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton Personal Firewall\NISUM.EXE
C:\Programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Norton Personal Firewall\SymProxySvc.exe
C:\Programas\Norton Personal Firewall\IAMAPP.EXE
C:\Programas\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Gmailnotifier\Gmail Notifier\gnotify.exe
C:\Programas\Norton Personal Firewall\NISSERV.EXE
C:\Programas\Microsoft AntiSpyware\gcasDtServ.exe
C:\Programas\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Norton Personal Firewall\ATRACK.EXE
C:\Programas\Messenger\msmsgs.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Adobe\Photoshop CS\Photoshop.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programas\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Programas\Ficheiros comuns\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [iamapp] C:\Programas\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MBpatch] C:\program files\Creative\MBsetup\RemoveKey.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Programas\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Gmailnotifier\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [THGuard] "C:\Programas\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SVCH Service] svch32.pif
O4 - HKCU\..\RunServices: [SVCH Service] svch32.pif
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://C:\Programas\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Programas\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Programas\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Programas\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Programas\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Programas\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\MSMSGS.EXE
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Programas\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Programas\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Programas\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Service (NISSERV) - Symantec Corporation - C:\Programas\Norton Personal Firewall\NISSERV.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - C:\Programas\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\FICHEI~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\SNDSrvc.exe
O23 - Service: Norton Personal Firewall Proxy Service (SymProxySvc) - Symantec Corporation - C:\Programas\Norton Personal Firewall\SymProxySvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe

#2 skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)

Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.

Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.


View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.


Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

O4 - HKCU\..\Run: [SVCH Service] svch32.pif
O4 - HKCU\..\RunServices: [SVCH Service] svch32.pif

Please remember to close all other windows, including browsers then click Fix checked.


File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

svch32.pif <--search for and delete via start || Search


Reboot your system in Normal Mode.

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
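As an added example (not code from this thread, from HijackThis or from the helper above), a small Python triage over O4 lines like the two flagged in the fix: it parses the registry-backed Run/RunServices entries, extracts the program being launched, and applies the checks a log reviewer does by eye (a bare filename with no directory, a .pif started at logon, the legacy RunServices key). The sample lines are constructed from the log in this thread; the suspicious-extension list and the reasons are heuristics, not a complete signature.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the O4 entries in the HijackThis log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SVCH Service] svch32.pif
O4 - HKCU\..\RunServices: [SVCH Service] svch32.pif
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# Heuristic (assumption): these extensions are seldom launched from a Run key by real software.
SUSPICIOUS_EXT = {"pif", "scr", "com", "bat", "cmd"}

# Matches the registry-backed O4 lines; "Global Startup" lines have another shape and are skipped.
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)


def executable_of(cmd: str) -> str:
    """Return the program part of a Run-key command line (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage_o4(log: str) -> List[Dict[str, object]]:
    """Flag O4 entries that show the traits a log reviewer looks for by eye."""
    findings = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        exe = executable_of(m["cmd"])
        ext = exe.rsplit(".", 1)[-1].lower() if "." in exe else ""
        reasons = []
        if "\\" not in exe:
            reasons.append("bare filename: no directory, so it is resolved by search order at logon")
        if ext in SUSPICIOUS_EXT:
            reasons.append(f".{ext} started from a Run key is unusual for legitimate software")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices is a Windows 9x-era autostart key, rarely used legitimately")
        if reasons:
            findings.append({"hive": m["hive"], "key": m["key"], "name": m["name"],
                             "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] -> {f['exe']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against the sample, only the two svch32.pif entries are reported, each with every reason that applies, while the Symantec, QuickTime and Messenger entries pass.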

#3 digitally (Topic Starter, New Member, 5 posts)

Thank you very much for your help.

Anyway, it's too late... my PC has failed for good. It was old, and I don't know if the last problem it had (the one I posted here) was the real cause...

I've arranged a solution to have a new PC, and now all seems fine.

Anyway, thank you very much. :tazz:

#4 skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)

Sorry to hear that, but new computers are nice too!

Here are some measures you can take to help prevent reinfection:

Consider...
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall. Here are 3 free ones available for personal use:

Please reply once more so we know you have read these measures.

#5 digitally (Topic Starter, New Member, 5 posts)

Thanks. :)

I've Norton Antivirus 2005, and as far as I know (an expert told me so), I don't need any other security software, like anti-spyware or such.

Indeed, my PC is fine and stable, apparently with no problems... so far. :)

Thanks again. :tazz:

#6 skate_punk_21 (Malware Removal Expert, Retired Staff, 1,049 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.