
Win32NTRootKit-B

Discussion in 'Malware and Virus Removal Archive' started by jsamuel52, 2008/02/11.

  1. 2008/02/11
    jsamuel52 (thread starter)
    Hi, friends!

    I have a problem with this guy (Win32NTRootKit-B)!
    My avast! shows it every time I open Windows! Please help me with this!

    I will post my log files!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:21:45, on 11/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svcd\svchost.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
    C:\Arquivos de programas\RSSoft\RedSwoosh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
    C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe
    C:\D-Link\AirPlusG+\AirPlus.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
    C:\ARQUIV~1\MICROS~3\rapimgr.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    C:\Arquivos de programas\Mozilla Firefox\firefox.exe
    C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Red Swoosh] C:\Arquivos de programas\RSSoft\RedSwoosh.exe /S
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe"
    O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178410700484
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe
    O23 - Service: Security Service (TRXN) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe

    --
    End of file - 7112 bytes

    AND NOW THE DSS....

    Deckard's System Scanner v20071014.68
    Run by Samuel on 2008-02-11 08:29:07
    Computer is in Safe Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Failed to create restore point; computer is in safe mode.


    -- Last 5 Restore Point(s) --
    37: 2008-02-10 00:17:13 UTC - RP176 - System Checkpoint
    36: 2008-02-08 21:38:53 UTC - RP175 - System Checkpoint
    35: 2008-02-07 19:03:45 UTC - RP174 - System Checkpoint
    34: 2008-02-06 14:19:26 UTC - RP173 - System Checkpoint
    33: 2008-02-05 00:28:10 UTC - RP172 - System Checkpoint


    -- First Restore Point --
    1: 2007-11-12 02:13:33 UTC - RP140 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    System Drive C: has 4.34 GiB (less than 15%) free.


    -- HijackThis (run as Samuel.exe) ----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:30:40, on 11/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Safe mode

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Documents and Settings\Samuel\Desktop\Armas contra o Win32NTRootKit-B\dss.exe
    C:\ARQUIV~1\TRENDM~1\HIJACK~1\Samuel.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Red Swoosh] C:\Arquivos de programas\RSSoft\RedSwoosh.exe /S
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe"
    O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178410700484
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe
    O23 - Service: Security Service (TRXN) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe

    --
    End of file - 6103 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>
    S3 catchme - c:\docume~1\samuel\config~1\temp\catchme.sys (file missing)
    S3 NPF (NetGroup Packet Filter Driver) - c:\windows\system32\drivers\npf.sys <Not Verified; CACE Technologies; WinPcap Netgroup Packet Filter Driver>
    S3 ntload (ntload v0.1) - c:\windows\system32\ntload.sys (file missing)
    S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\d-link\airplusg+\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
    S3 TNET1130 (D-Link AirPlus G+ Wireless Adapter) - c:\windows\system32\drivers\gplus.sys <Not Verified; Texas Instruments; TNET1130 WLAN Adapter>


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S2 TRXN (Security Service) - c:\windows\system32\svcd\svchost.exe
    S3 NBService - c:\arquivos de programas\nero\nero 7\nero backitup\nbservice.exe
    S3 NMIndexingService - "c:\arquivos de programas\arquivos comuns\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>
    S3 rpcapd (Remote Packet Capture Protocol v.0 (experimental)) - "c:\arquivos de programas\winpcap\rpcapd.exe" -d -f "c:\arquivos de programas\winpcap\rpcapd.ini" <Not Verified; CACE Technologies; Remote Packet Capture Daemon>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Files created between 2008-01-11 and 2008-02-11 -----------------------------

    2008-02-11 08:21:29 0 d-------- C:\Arquivos de programas\Trend Micro
    2008-02-10 01:12:41 87040 --a------ C:\WINDOWS\system32\winupdate.exe
    2008-02-10 01:12:20 87040 --a------ C:\WINDOWS\system32\TmpX.exe
    2008-02-10 01:12:09 114 --a------ C:\WINDOWS\system32\url3
    2008-02-10 01:12:09 102 --a------ C:\WINDOWS\system32\url2
    2008-02-10 01:12:09 102 --a------ C:\WINDOWS\system32\url1
    2008-02-10 01:12:09 8 --a------ C:\WINDOWS\system32\CID
    2008-02-10 01:12:08 4 --a------ C:\WINDOWS\system32\SvcNm
    2008-02-10 01:12:08 0 d-------- C:\WINDOWS\system32\svcd
    2008-02-10 01:10:53 34816 --a------ C:\PaDPNW.exe
    2008-01-17 16:34:40 0 d-------- C:\Arquivos de programas\Astraware
    2008-01-15 11:16:08 0 d-------- C:\Arquivos de programas\HP
    2008-01-15 11:13:51 0 d-------- C:\Arquivos de programas\Microsoft ActiveSync
    2008-01-15 11:13:30 0 d-------- C:\WINDOWS\Downloaded Installations


    -- Find3M Report ---------------------------------------------------------------

    2008-02-11 08:25:49 0 d-------- C:\Arquivos de programas\RSSoft
    2008-02-09 11:56:21 0 d-------- C:\Documents and Settings\Samuel\Dados de aplicativos\MegauploadToolbar
    2008-02-06 15:28:23 0 d-------- C:\Documents and Settings\Samuel\Dados de aplicativos\Skype
    2008-02-04 18:20:05 94 --a------ C:\Documents and Settings\Samuel\Dados de aplicativos\AVSDVDPlayer.m3u
    2008-01-27 22:20:53 0 d-------- C:\Arquivos de programas\Warcraft III
    2008-01-26 21:12:26 0 d-------- C:\Documents and Settings\Samuel\Dados de aplicativos\Help
    2008-01-15 11:15:02 2508 --a------ C:\Documents and Settings\Samuel\Dados de aplicativos\$_hpcst$.hpc
    2007-12-14 12:37:36 0 d-------- C:\Arquivos de programas\Windows Live
    2007-12-14 12:37:16 0 d--hs--c- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
    2007-12-14 12:27:49 0 d-------- C:\Arquivos de programas\Arquivos comuns
    2007-11-22 14:30:17 425072 --a------ C:\WINDOWS\system32\perfh016.dat
    2007-11-22 14:30:17 67232 --a------ C:\WINDOWS\system32\perfc016.dat


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [22/03/2005 18:20 C:\WINDOWS\stsystra.exe]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [14/10/2005 16:49]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [14/10/2005 16:46]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [14/10/2005 16:50]
    "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]
    "avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [04/12/2007 11:00]
    "QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [27/04/2007 10:41]
    "NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [12/01/2006 16:40]
    "Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [10/10/2007 20:51]
    "googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [01/01/2007 20:54]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [15/01/2007 17:14]
    "Red Swoosh"="C:\Arquivos de programas\RSSoft\RedSwoosh.exe" [21/04/2007 00:11]
    "DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [03/04/2007 20:29]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 10:00]
    "MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 11:34]
    "H/PC Connection Agent"="C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe" [15/11/2005 19:44]

    C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
    D-Link AirPlus G+ Wireless Utility.lnk - C:\D-Link\AirPlusG+\AirPlus.exe [5/5/2007 22:00:43]
    Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [13/2/2001 10:01:04]


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    AutoRun\command- G:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14f1d5e-d01b-11dc-bcac-00119564afce}]
    AutoRun\command- G:\LaunchU3.exe




    -- End of Deckard's System Scanner: finished at 2008-02-11 08:31:18 ------------




    Thanks for your attention, I hope you can help me fix that!
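    What a removal helper actually picks out of the two logs above is not the avast! detection name but a handful of indicators: a service called "Security Service" (TRXN) with "Unknown owner" whose binary is an svchost.exe living in the non-standard folder C:\WINDOWS\system32\svcd, a win.ini run= entry pointing at a winupdate.exe created the day before, and a BHO whose DLL no longer exists. Those checks can be applied mechanically. The Python below is an added example written for this page; it is not code from the thread, from HijackThis, DSS or ComboFix. Its sample lines are copied from the HijackThis log above, and the heuristics (the section regexes, which executable names count as borrowed system names, what counts as the legitimate system32 folder) are the example's own assumptions.

```python
"""Triage heuristics for HijackThis-style autorun entries.

Added example, not code from the thread above or from HijackThis itself: it
writes down, as plain Python, the checks a malware-removal helper applies by
eye to a log like the one posted. The sample lines are copied from that log;
the regexes, the "legitimate system32" rule and the list of names that
malware likes to borrow are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries lifted from the HijackThis log above.
SAMPLE_LOG = r"""
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: Security Service (TRXN) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
"""

# Names that malware borrows so that a process list looks normal. A running
# binary with one of these names is legitimate only directly in %SystemRoot%\system32.
BORROWED_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe", "csrss.exe", "services.exe"}
LEGIT_SYSTEM_DIR = re.compile(r"^[a-z]:\\(windows|winnt)\\system32$")

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.+?)\] (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
F3_RE = re.compile(r'^F3 - REG:win\.ini: run=\s*"?(?P<path>[^"]+?)"?\s*$')


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O23"
    reason: str    # why the entry deserves a closer look
    line: str      # the offending log line, verbatim


def split_path(path: str):
    """Return (directory, basename), lower-cased, with quotes and arguments stripped."""
    p = path.strip().strip('"')
    cut = p.lower().find(".exe")
    if cut != -1:                      # drop anything after the executable name
        p = p[:cut + 4]
    directory, _, name = p.replace("/", "\\").rpartition("\\")
    return directory.lower(), name.lower()


def masquerade_reason(path: str):
    """A system-binary name outside %SystemRoot%\\system32 is the classic impostor."""
    directory, name = split_path(path)
    if name in BORROWED_NAMES and not LEGIT_SYSTEM_DIR.match(directory):
        return f"{name} running from {directory or '<no directory>'} instead of system32"
    return None


def triage(log_text: str):
    """Apply the heuristics to every line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" ", 1)[0]
        path = None
        if m := F3_RE.match(line):
            path = m["path"]
            findings.append(Finding(section, "win.ini run= is a legacy (Windows 3.x-era) "
                                    "load point that modern installers do not use", line))
        elif m := O2_RE.match(line):
            if m["path"].strip() == "(no file)":
                findings.append(Finding(section, "BHO is registered but its DLL is gone "
                                        "(orphan; harmless, remove for tidiness)", line))
            else:
                path = m["path"]
        elif m := O4_RE.match(line):
            path = m["path"]
        elif m := O23_RE.match(line):
            path = m["path"]
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding(section, "service binary carries no vendor "
                                        f"information ({m['display']})", line))
        # The path check runs for every section that yielded a path, so the same
        # impostor is caught whether it was installed as a service or a Run key.
        if path and (why := masquerade_reason(path)):
            findings.append(Finding(section, why, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

    Running the script prints four findings for the sample. The masquerade check is the one that matters in this thread: on Windows XP the real svchost.exe runs only from %SystemRoot%\system32, so one started from a subfolder such as system32\svcd is an impostor no matter how reassuring its service display name sounds, and it is also the reason the TRXN service survives a cleanup that only deletes winupdate.exe.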
     
  2. 2008/02/11
    Geri (Alumni)
    Hi jsamuel52
    Welcome to Windowsbbs. :)

    Please run tools in safe mode only if instructed to do so.
    Thanks.

    Download ComboFix from Here to your Desktop.
    It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.
    • Close all open programs and windows.
    • Double-click combofix.exe and follow the prompts.
    • Vista users: right-click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please post the Combofix log.

    Thanks
    Geri
     

  3. 2008/02/12
    jsamuel52 (thread starter)
    ComboFix + HijackThis

    Thanks for the help

    COMBOFIX LOG

    ComboFix 08-02-12.1 - Samuel 2008-02-12 8:18:47.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1046.18.1093 [GMT -2:00]
    Running from: C:\Documents and Settings\Samuel\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\system32\NTOSKRNL.VHCleaner
    C:\WINDOWS\system32\winupdate.exe

    ----- BITS: Possible infected sites -----

    hxxp://www.download.windowsupdate.com
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_ODDYSEE
    -------\ntload


    ((((((((((((((((((((((( Files Created from 2008-01-12 to 2008-02-12 ))))))))))))))))))))))))))))))))
    .

    2008-02-11 23:28 . 2007-09-12 23:38 1,485,491 --a------ C:\ComboFix.exe
    2008-02-11 23:28 . 2008-02-11 07:38 1,307,458 --a------ C:\SDFix.exe
    2008-02-11 15:37 . 2008-02-11 15:37 <DIR> d-------- C:\Arquivos de programas\Free Audio Pack
    2008-02-11 08:22 . 2008-02-11 08:22 <DIR> d-------- C:\Deckard
    2008-02-11 08:21 . 2008-02-11 08:21 <DIR> d-------- C:\Arquivos de programas\Trend Micro
    2008-02-10 01:12 . 2008-02-10 01:12 <DIR> d-------- C:\WINDOWS\system32\svcd
    2008-02-10 01:12 . 2008-02-10 01:12 87,040 --a------ C:\WINDOWS\system32\TmpX.exe
    2008-02-10 01:12 . 2008-02-12 07:59 114 --a------ C:\WINDOWS\system32\url3
    2008-02-10 01:12 . 2008-02-12 07:59 102 --a------ C:\WINDOWS\system32\url2
    2008-02-10 01:12 . 2008-02-12 07:59 102 --a------ C:\WINDOWS\system32\url1
    2008-02-10 01:12 . 2008-02-12 07:59 8 --a------ C:\WINDOWS\system32\CID
    2008-02-10 01:12 . 2008-02-10 01:12 4 --a------ C:\WINDOWS\system32\SvcNm
    2008-02-10 01:10 . 2008-02-10 01:11 34,816 --a------ C:\PaDPNW.exe
    2008-02-04 15:56 . 2008-02-04 15:56 268 --ah----- C:\sqmdata18.sqm
    2008-02-04 15:56 . 2008-02-04 15:56 244 --ah----- C:\sqmnoopt18.sqm
    2008-01-29 22:49 . 2008-01-29 22:49 268 --ah----- C:\sqmdata17.sqm
    2008-01-29 22:49 . 2008-01-29 22:49 244 --ah----- C:\sqmnoopt17.sqm
    2008-01-29 18:52 . 2008-01-29 18:52 268 --ah----- C:\sqmdata16.sqm
    2008-01-29 18:52 . 2008-01-29 18:52 244 --ah----- C:\sqmnoopt16.sqm
    2008-01-22 17:04 . 2008-01-22 17:04 268 --ah----- C:\sqmdata15.sqm
    2008-01-22 17:04 . 2008-01-22 17:04 244 --ah----- C:\sqmnoopt15.sqm
    2008-01-20 19:31 . 2008-01-20 19:31 268 --ah----- C:\sqmdata14.sqm
    2008-01-20 19:31 . 2008-01-20 19:31 244 --ah----- C:\sqmnoopt14.sqm
    2008-01-19 19:26 . 2008-01-19 19:26 268 --ah----- C:\sqmdata13.sqm
    2008-01-19 19:26 . 2008-01-19 19:26 244 --ah----- C:\sqmnoopt13.sqm
    2008-01-18 12:05 . 2008-01-18 12:05 268 --ah----- C:\sqmdata12.sqm
    2008-01-18 12:05 . 2008-01-18 12:05 244 --ah----- C:\sqmnoopt12.sqm
    2008-01-18 07:38 . 2008-01-18 07:38 268 --ah----- C:\sqmdata11.sqm
    2008-01-18 07:38 . 2008-01-18 07:38 244 --ah----- C:\sqmnoopt11.sqm
    2008-01-17 16:34 . 2008-01-17 16:34 <DIR> d-------- C:\Arquivos de programas\Astraware
    2008-01-16 22:25 . 2008-01-16 22:25 268 --ah----- C:\sqmdata10.sqm
    2008-01-16 22:25 . 2008-01-16 22:25 244 --ah----- C:\sqmnoopt10.sqm
    2008-01-16 18:12 . 2008-01-16 18:12 268 --ah----- C:\sqmdata09.sqm
    2008-01-16 18:12 . 2008-01-16 18:12 244 --ah----- C:\sqmnoopt09.sqm
    2008-01-15 11:20 . 2008-01-15 11:20 0 --a------ C:\WINDOWS\CompanionApp.INI
    2008-01-15 11:16 . 2008-01-15 11:16 <DIR> d-------- C:\Arquivos de programas\HP
    2008-01-15 11:13 . 2008-01-15 11:13 <DIR> d-------- C:\WINDOWS\Downloaded Installations
    2008-01-15 11:13 . 2008-02-11 18:26 <DIR> d-------- C:\Arquivos de programas\Microsoft ActiveSync
    2008-01-15 11:13 . 2005-10-20 23:47 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
    2008-01-15 11:13 . 2005-10-20 23:47 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
    2008-01-15 10:50 . 2008-01-15 10:50 268 --ah----- C:\sqmdata08.sqm
    2008-01-15 10:50 . 2008-01-15 10:50 244 --ah----- C:\sqmnoopt08.sqm

    .
    ((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-12 10:22 --------- d-----w C:\Arquivos de programas\RSSoft
    2008-02-12 01:30 --------- d-----w C:\Documents and Settings\Samuel\Dados de aplicativos\Skype
    2008-02-11 14:11 --------- d-----w C:\Documents and Settings\Samuel\Dados de aplicativos\MegauploadToolbar
    2008-01-28 00:20 --------- d-----w C:\Arquivos de programas\Warcraft III
    2007-12-14 14:37 --------- dcsh--w C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
    2007-12-14 14:37 --------- d-----w C:\Arquivos de programas\Windows Live
    2007-12-14 14:27 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\WLInstaller
    2007-10-05 14:17 42,584 ----a-w C:\Documents and Settings\Samuel\Dados de aplicativos\GDIPFONTCACHEV1.DAT
    .

    (((((((((((((((((((((((((( Registry Load Points )))))))))))))))))))))))))))))))))))))))
    .
    .
    REGEDIT4
    *Note* empty entries & legit default entries are not shown.

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 17:14 147456]
    "Red Swoosh"="C:\Arquivos de programas\RSSoft\RedSwoosh.exe" [2007-04-21 00:11 62436]
    "DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2007-04-03 20:29 165784]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:00 15360]
    "MsnMsgr"="C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
    "H/PC Connection Agent"="C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe" [2005-11-15 19:44 1200128]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 18:20 339968 C:\WINDOWS\stsystra.exe]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 16:49 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 16:46 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 16:50 114688]
    "SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
    "avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 11:00 79224]
    "QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2007-04-27 10:41 282624]
    "NeroFilterCheck"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40 155648]
    "Adobe Reader Speed Launcher"="C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
    "googletalk"="C:\Arquivos de programas\Google\Google Talk\googletalk.exe" [2007-01-01 20:54 3735552]

    C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
    D-Link AirPlus G+ Wireless Utility.lnk - C:\D-Link\AirPlusG+\AirPlus.exe [2007-05-05 22:00:43 487424]
    Microsoft Office.lnk - C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

    R2 TRXN;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-02-10 01:11]
    R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2004-03-11 22:16]
    R3 TNET1130;D-Link AirPlus G+ Wireless Adapter;C:\WINDOWS\system32\DRIVERS\GPLUS.sys [2004-10-25 13:38]
    S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys [2005-08-03 03:10]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b14f1d5e-d01b-11dc-bcac-00119564afce}]
    \Shell\AutoRun\command - G:\LaunchU3.exe

    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-12 08:22:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
    C:\ARQUIV~1\MICROS~3\rapimgr.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\System32\rundll32.exe
    .
    **************************************************************************
    .
    Tempo para conclusão: 2008-02-12 8:23:38 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-12 10:23:34
    ComboFix2.txt 2007-09-13 01:49:43
    .
    2008-01-14 03:37:19 --- E O F ---



    HIJACKTHIS LOG

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:27:31, on 12/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svcd\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Arquivos de programas\QuickTime\qttask.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
    C:\Arquivos de programas\RSSoft\RedSwoosh.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
    C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe
    C:\D-Link\AirPlusG+\AirPlus.exe
    C:\ARQUIV~1\MICROS~3\rapimgr.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
    C:\Arquivos de programas\Mozilla Firefox\firefox.exe
    C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [Red Swoosh] C:\Arquivos de programas\RSSoft\RedSwoosh.exe /S
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe "
    O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178410700484
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe
    O23 - Service: Security Service (TRXN) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe

    --
    End of file - 7259 bytes

    I wait for your answer! Thanks a lot
     
  5. 2008/02/12
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jsamuel52

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt

    Please post the log.

    Thanks
    Geri
     
    Geri,
    #4
  6. 2008/02/13
    jsamuel52

    jsamuel52 Inactive Thread Starter

    Joined:
    2008/02/11
    Messages:
    4
    Likes Received:
    0
    Sdfix

    Here we go... the SDFix log file


    SDFix: Version 1.141

    Run by Samuel on qua 13/02/2008 at 12:51

    Microsoft Windows XP [versão 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\system32\CID - Deleted
    C:\WINDOWS\system32\svcd\svchost.exe - Deleted
    C:\WINDOWS\system32\SvcNm - Deleted
    C:\WINDOWS\system32\TmpX.exe - Deleted
    C:\WINDOWS\system32\upds.log - Deleted
    C:\WINDOWS\system32\url1 - Deleted
    C:\WINDOWS\system32\url2 - Deleted
    C:\WINDOWS\system32\url3 - Deleted



    Folder C:\WINDOWS\system32\svcd - Removed


    Removing Temp Files...

    ADS Check:



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-13 12:57:21
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
    "s1 "=dword:2df9c43f
    "s2 "=dword:110480d0
    "h0 "=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0 "= "C:\Arquivos de programas\DAEMON Tools\ "
    "h0 "=dword:00000000
    "khjeh "=hex:de,68,c0,92,c2,fe,21,9c,35,36,08,a7,b9,e5,23,38,6e,64,c6,1f,24,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0 "=hex:20,01,00,00,aa,da,65,30,f3,f4,66,3c,fe,54,38,ad,da,81,68,84,8c,..
    "khjeh "=hex:46,b1,1a,44,61,9b,98,ce,e9,4b,f9,c6,6c,d3,16,5a,06,c0,c4,8f,43,..

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh "=hex:61,59,62,d4,8d,ba,8b,f0,1e,85,29,cd,a6,96,45,4b,e2,9d,26,a5,b9,..
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
    "p0 "= "C:\Arquivos de programas\DAEMON Tools\ "
    "h0 "=dword:00000000
    "khjeh "=hex:de,68,c0,92,c2,fe,21,9c,35,36,08,a7,b9,e5,23,38,6e,64,c6,1f,24,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
    "a0 "=hex:20,01,00,00,aa,da,65,30,f3,f4,66,3c,fe,54,38,ad,da,81,68,84,8c,..
    "khjeh "=hex:46,b1,1a,44,61,9b,98,ce,e9,4b,f9,c6,6c,d3,16,5a,06,c0,c4,8f,43,..

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
    "khjeh "=hex:61,59,62,d4,8d,ba,8b,f0,1e,85,29,cd,a6,96,45,4b,e2,9d,26,a5,b9,..

    scanning hidden registry entries ...

    scanning hidden files ...


    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 18


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Arquivos de programas\\RSSoft\\RedSwoosh.exe "= "C:\\Arquivos de programas\\RSSoft\\RedSwoosh.exe:*:Disabled:RedSwoosh "
    "C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe "= "C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger "
    "C:\\Arquivos de programas\\Microsoft ActiveSync\\rapimgr.exe "= "C:\\Arquivos de programas\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Arquivos de programas\Messenger\msmsgs.exe "
    Thu 3 Aug 2006 70,656 ..SHR --- "C:\Arquivos de programas\Makayama Interactive\Easy WiFi Radar\Setup.exe "
    Sat 5 May 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp "
    Fri 31 Aug 2007 1,123,200 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1f75a8ad2ee20cedf33dd46d709f2f0e\BIT29.tmp "
    Tue 12 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT6.tmp "

    Finished!


    Avast stopped showing those alert messages. I wonder if there are more errors or trojans or anything else in my computer that I have to clean...

    Thanks for your help!
     
  7. 2008/02/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jsamuel52

    OK we need to scan a couple files.

    Jotti File Submission:
    • Please go to Jotti's malware scan
    • Copy and paste the following file paths into the "File to upload & scan" box on the top of the page, one at a time:
      • C:\PaDPNW.exe
      • C:\sqmdata18.sqm
    • Click on the submit button
    • Please post the results in your next reply.

    Please post the Jotti results and a New HJT log.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2008/02/14
    jsamuel52

    jsamuel52 Inactive Thread Starter

    Joined:
    2008/02/11
    Messages:
    4
    Likes Received:
    0
    Jotti and HJT!

    Here we go... Jotti's log file
    C:\PaDPNW.exe

    Scan taken on 14 Feb 2008 09:03:12 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found Packer.Malware.Crypter.A
    ClamAV Found nothing
    CPsecure Found Troj.Proxy.W32.Fackemo.j
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-Proxy.Win32.Fackemo.m
    Fortinet Found nothing
    Ikarus Found Packer.Malware.Crypter.A
    Kaspersky Anti-Virus Found Trojan-Proxy.Win32.Fackemo.m
    NOD32 Found Win32/TrojanProxy.Fackemo.B
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found Mal/Generic-A
    VirusBuster Found nothing
    VBA32 Found Trojan-Proxy.Win32.Fackemo.e

    C:\sqmdata18.sqm

    Scan taken on 14 Feb 2008 09:08:23 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found nothing
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing


    HJT LOG FILE

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:12:20, on 14/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\stsystra.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
    C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe
    C:\Arquivos de programas\RSSoft\RedSwoosh.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe
    C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    C:\D-Link\AirPlusG+\AirPlus.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexStoreSvr.exe
    C:\ARQUIV~1\MICROS~3\rapimgr.exe
    C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe
    C:\Arquivos de programas\Mozilla Firefox\firefox.exe
    C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [googletalk] C:\Arquivos de programas\Google\Google Talk\googletalk.exe /autostart
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [Red Swoosh] C:\Arquivos de programas\RSSoft\RedSwoosh.exe /S
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Arquivos de programas\Microsoft ActiveSync\wcescomm.exe "
    O4 - Global Startup: D-Link AirPlus G+ Wireless Utility.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\ARQUIV~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178410700484
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Arquivos de programas\WinPcap\rpcapd.exe
    O23 - Service: Security Service (TRXN) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)

    --
    End of file - 7062 bytes


    That is all... I hope that this log file shows us a way to clean this CPU!

    Thanks!
     
  9. 2008/02/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi jsamuel52

    Do you use this? If not, fix it with HJT below.
    Megaupload Toolbar


    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\ARQUIV~1\MEGAUP~1\MEGAUP~1.DLL
    O23 - Service: Security Service (TRXN) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\PaDPNW.exe

    After that, Reboot.

    Please post a new HJT log.

    Let me know if you still get the warning from aVast.

    Thanks
    Geri
     
    Geri,
    #8
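The entry Geri singles out above is a service (TRXN, "Unknown owner") whose binary is a copy of svchost.exe living in C:\WINDOWS\system32\svcd instead of system32, the same indicator that appears as an R2 line in the ComboFix log and as a "Trojan Files Found" path in the SDFix report. As an added example, not Geri's code or any tool used in this thread, the Python below parses HijackThis O23 and ComboFix R2/R3 service lines and flags that pattern; the sample lines are constructed from the logs posted here, and the list of core binaries and system directories is my assumption.

```python
"""Triage HijackThis O23 and ComboFix service lines for one rootkit habit:
a copy of a core Windows binary (svchost.exe here) registered as a service
from a directory other than %SystemRoot%\\system32."""
import re
from pathlib import PureWindowsPath

# Assumed list of core binaries that only belong in the system directory.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe",
                   "winlogon.exe", "smss.exe", "csrss.exe", "spoolsv.exe"}
# Assumed directories where those binaries are legitimately found.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# HijackThis: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                     r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# ComboFix: "R2 <key>;<display name>;<path> [<timestamp>]"
CF_SVC = re.compile(r"^(?P<start>[RS]\d) (?P<key>[^;]+);(?P<name>[^;]*);"
                    r"(?P<path>.+?) \[(?P<stamp>[^\]]+)\]$")

# Constructed sample, shaped on the lines posted in this thread.
SAMPLE_LOG = r"""
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: Security Service (TRXN) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: Security Service (TRXN) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe (file missing)
R2 TRXN;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-02-10 01:11]
R3 odysseyIM3;Odyssey Network Services Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM3.sys [2004-03-11 22:16]
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
"""


def parse_service(line):
    """Return (name, owner, path, file_missing) or None for non-service lines."""
    m = HJT_O23.match(line)
    if m:
        return m["name"], m["owner"], m["path"], m["missing"] is not None
    m = CF_SVC.match(line)
    if m:
        # ComboFix lines carry no publisher, so treat the owner as unknown.
        return f'{m["name"]} ({m["key"]})', "Unknown owner", m["path"], False
    return None


def path_findings(path):
    """Flag a core system binary that is not in a system directory."""
    p = PureWindowsPath(path)
    parent = str(p.parent).lower()
    if p.name.lower() in SYSTEM_BINARIES and parent not in SYSTEM_DIRS:
        return [f"{p.name} outside the system directory: {p.parent}"]
    return []


def assess(line):
    """Findings for one log line; an empty list means nothing suspicious."""
    parsed = parse_service(line)
    if parsed is None:
        return []
    name, owner, path, missing = parsed
    findings = path_findings(path)
    # "Unknown owner" alone is common for drivers; it only adds weight when
    # the binary is already in an odd place.
    if findings and owner.lower() == "unknown owner":
        findings.append(f"no publisher recorded for service {name}")
    if missing:
        findings.append("service registration left behind after its binary was removed")
    return findings


def triage(log_text):
    """Map each flagged line to its findings; clean lines are omitted."""
    report = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        findings = assess(line)
        if findings:
            report[line] = findings
    return report


if __name__ == "__main__":
    for line, findings in triage(SAMPLE_LOG).items():
        print(line)
        for f in findings:
            print("   ->", f)
```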
