Jump to content


Photo

Help on analysis hijackthis.log


  • Please log in to reply
4 replies to this topic

#1 nmhc

nmhc

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 25 June 2007 - 06:21 PM

Hello to all, 3 weeks ago I noticed that was infected with trojan "...Bancos...", since that time I already did some cleaning. Anyway I still notice that the computer is slower than usual. I would apreciate somedy with experience to take a look on the log file from hijackthis. Is it normal to have nine (nine) svchost.exe?
Thanks in advance for your support. (Win XP SP2)
Nuno.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:56:05, on 25-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programas\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\programas\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programas\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programas\Apoint2K\Apntex.exe
C:\WINDOWS\system32\GSICON.EXE
C:\WINDOWS\system32\HotfixQ0306270.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programas\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Nuno\Ambiente de trabalho\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?linkid=54834
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [PLFFAP] C:\WINDOWS\system32\HotfixQ0306270.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programas\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [APVXDWIN] "C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ppfw] "C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\Firewall\PPFW.exe" PPFW.exe /cmd:allowpandarules /mod:7 /prod:titanium /dest:"C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\Firewall" /flg:2 /ver:6.01.00
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Iniciação Rápida do Microsoft Office OneNote 2007.lnk = C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} (Corporate Language Training Interface) - http://www.cltnet.de...in/dplaunch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.mahle.pt:81/iNotes6W.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon da cache de categorias dos componentes - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programas\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programas\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LEC TranslateDotNet Server - Unknown owner - C:\Programas\Power Translator\LogoMedia TranslateDotNet Server.exe (file missing)
O23 - Service: Panda Software Controller - Panda Software International - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Host Service (PSHost) - Unknown owner - c:\programas\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

--
End of file - 13099 bytes

Edited by nmhc, 25 June 2007 - 06:28 PM.


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • PipPipPipPipPip
  • 23,520 posts

Posted 28 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 04 July 2007 - 09:47 PM

Hi nmhc,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, let’s do this first.

We need to disable your Windows Defender real-time protection as it may interfere with the fixes that we need to make.

To disable Windows Defender:
  • Open Windows Defender.
  • Click on Tools -> General Settings.
  • Scroll down and uncheck "Turn on real-time protection (recommended)".
  • After you uncheck this, click on the "Save" button and close Windows Defender.

NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please download Dr.Web CureIt and save it to your desktop:
  • Double-click the cureit.exe file, select "Start", and allow it to run the "Express Scan".
  • This will scan the files currently running in memory and when something is found, click the "Yes" button when it asks you if you want to cure it. This is only a short scan.
  • It could be possible it displays a pop up to buy Dr.Web, or to buy at a 50% discount. Just close that pop up.
  • Once the short scan has finished, click Options -> Change settings.
  • Select the "Actions" tab, and choose "Rename" under all the "Malware" issues (Adware, Dialers, Jokes, Riskware, and Hacktools). Then click "OK".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives; a red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • If the file "process.exe" was found - uncheck it. This is because this file is related with some of our cleaning tools and the tools need it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
  • Then, click "Yes to all" if Dr.Web CureIt asks if you want to cure/move any infected files, and it will after this automatically fix what is found.
  • Please do NOT cure/move/delete any files that were detected as suspicious or probably infected. These are just indications of possible infections and are not definitive infections.
  • After the scan, go to the "View" menu -> "Report list".
  • Then go to the "File" menu -> "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • If you receive the prompt "No operations performed with some objects in list. Exit program?", click "Yes".
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, please post the contents of the DrWeb.csv log in your next reply.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan.
  • The log from the Dr.Web CureIt scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#4 nmhc

nmhc

    Member

  • Full Member
  • Pip
  • 2 posts

Posted 08 July 2007 - 06:04 PM

Hello Sempurna, thanks in advance for your support.
Below the results from the procedure you ask to do.
Lets see if it will stay everything ok this time with the computer.

"Nuno" - 2007-07-08 16:28:55 - ComboFix 07-07-07.3 - Service Pack 2


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\nm


((((((((((((((((((((((((( Files Created from 2007-06-08 to 2007-07-08 )))))))))))))))))))))))))))))))


2007-07-08 16:28 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-08 16:10 <DIR> d-------- C:\Programas\CCleaner
2007-06-21 00:02 <DIR> d-------- C:\Programas\Lavasoft
2007-06-21 00:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-20 23:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-20 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-20 23:19 240 --a------ C:\WINDOWS\system32\drivers\wnmsav.dat
2007-06-20 21:10 <DIR> d-------- C:\LinhaDefensiva
2007-06-20 19:42 16,488 --a------ C:\WINDOWS\system32\drivers\APPFCONT.DAT
2007-06-20 19:34 71,680 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-06-20 19:34 49,968 --a------ C:\WINDOWS\system32\drivers\dsaflt.sys
2007-06-20 19:34 36,016 --a------ C:\WINDOWS\system32\drivers\smsflt.sys
2007-06-20 19:34 29,360 --a------ C:\WINDOWS\system32\drivers\wnmflt.sys
2007-06-20 19:34 273 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-06-20 19:34 190,640 --a------ C:\WINDOWS\system32\drivers\idsflt.sys
2007-06-20 19:33 58,800 --a------ C:\WINDOWS\system32\drivers\APPFLT.SYS
2007-06-20 19:33 15,792 --a------ C:\WINDOWS\system32\drivers\fnetmon.sys
2007-06-20 19:33 121,392 --a------ C:\WINDOWS\system32\drivers\NETFLTDI.SYS
2007-06-20 19:33 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-06-20 19:32 63,024 --a------ C:\WINDOWS\system32\pavipc.dll
2007-06-20 19:32 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-06-20 19:32 292,400 --a------ C:\WINDOWS\system32\PavSHook.dll
2007-06-20 19:32 17,792 --a------ C:\WINDOWS\system32\drivers\cpoint.sys
2007-06-20 19:32 161,328 --a------ C:\WINDOWS\system32\TpUtil.dll
2007-06-20 19:32 141,872 --a------ C:\WINDOWS\system32\drivers\netimflt.sys
2007-06-20 19:32 101,888 --a------ C:\WINDOWS\system32\SYSTOOLS.DLL
2007-06-20 19:32 <DIR> d-------- C:\Programas\Panda Software
2007-06-20 19:27 31,104 --a------ C:\WINDOWS\system32\drivers\ShlDrv51.sys
2007-06-20 19:27 170,800 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
2007-06-16 00:12 <DIR> d-------- C:\Programas\SopCast
2007-06-16 00:12 <DIR> d-------- C:\DOCUME~1\Nuno\APPLIC~1\SopCast
2007-06-11 03:05 <DIR> d-------- C:\Programas\Ficheiros comuns\Panda Software
2007-06-11 01:16 <DIR> d-------- C:\Programas\Dnote Software
2007-06-10 16:44 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-10 02:32 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-06-10 00:08 <DIR> d-------- C:\DOCUME~1\Nuno\.housecall6.6
2007-06-09 15:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-08 21:12 354,080 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-06-08 21:12 16,783,904 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-06-08 21:08 <DIR> d-------- C:\DOCUME~1\Nuno\APPLIC~1\MSN6
2007-06-08 21:08 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 18:13:32 12 ----a-w C:\WINDOWS\bthservsdp.dat
2007-07-06 14:32:25 -------- d-----w C:\Programas\eMule
2007-07-02 21:37:32 -------- d-----w C:\Programas\BTuga Revolution
2007-07-01 20:29:49 74,346 ----a-w C:\WINDOWS\system32\perfc016.dat
2007-07-01 20:29:49 451,584 ----a-w C:\WINDOWS\system32\perfh016.dat
2007-06-20 23:00:45 -------- d-----w C:\Programas\Ficheiros comuns\Wise Installation Wizard
2007-06-20 18:32:09 -------- d--h--w C:\Programas\InstallShield Installation Information
2007-06-17 18:20:28 -------- d-----w C:\Programas\Windows Defender
2007-06-17 18:19:12 -------- d-----w C:\Programas\Windows Desktop Search
2007-06-17 18:19:01 -------- d-----w C:\Programas\PC Connectivity Solution
2007-06-17 18:18:48 -------- d-----w C:\Programas\Apoint2K
2007-06-17 18:18:21 -------- d-----w C:\Programas\Microsoft ActiveSync
2007-06-10 18:27:55 -------- d-----w C:\Programas\Maxthon
2007-06-10 14:00:26 -------- d-----w C:\Programas\EPANET2
2007-06-10 11:33:44 -------- d-----w C:\Programas\TuneUp Utilities 2007
2007-06-09 23:04:12 -------- d-----w C:\Programas\USB 2.0 Flash Drive Utility
2007-06-08 20:17:45 -------- d-----w C:\Programas\Google
2007-06-08 20:12:16 -------- d-----w C:\Programas\Kaspersky Lab
2007-06-04 21:54:30 469,461 ----a-w C:\WINDOWS\system32\imagens1.exe
2007-06-04 21:53:45 390,894 ----a-w C:\WINDOWS\system32\imagens2.exe
2007-06-04 14:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 14:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 14:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 14:15:41 -------- d-----w C:\DOCUME~1\Nuno\APPLIC~1\VoipCheapCom
2007-05-30 23:31:11 -------- d-----w C:\Programas\VoipCheapCom
2007-05-25 23:01:33 -------- d-----w C:\Programas\SolidWorks SolidNetWork License Manager
2007-05-25 22:57:00 -------- d-----w C:\Programas\SolidWorks
2007-05-24 00:30:02 -------- d-----w C:\Programas\SKTools
2007-05-22 21:20:25 -------- d-----w C:\DOCUME~1\Nuno\APPLIC~1\Google
2007-05-22 20:53:47 796,672 ----a-w C:\WINDOWS\GPInstall.exe
2007-05-21 21:36:44 -------- d-----w C:\DOCUME~1\Nuno\APPLIC~1\Image Zone Express
2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-09 21:28:42 -------- d-----w C:\Programas\Microsoft CAPICOM 2.1.0.2
2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:14:21 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-16 21:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-16 21:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 14:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
2006-10-27 01:48 2210608 --a------ C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2005-11-10 14:22 184423 --a------ C:\Programas\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Programas\Apoint2K\Apoint.exe" [2003-10-08 04:40]
"AGRSMMSG"="AGRSMMSG.exe" [2003-10-30 14:40 C:\WINDOWS\AGRSMMSG.exe]
"ATIModeChange"="Ati2mdxx.exe" [2003-12-08 05:17 C:\WINDOWS\system32\Ati2mdxx.exe]
"eabconfg.cpl"="C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe" [2003-11-18 09:31]
"GSICONEXE"="GSICON.EXE" [2002-05-31 12:03 C:\WINDOWS\system32\gsicon.exe]
"Windows Defender"="C:\Programas\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:57 C:\WINDOWS\system32\bthprops.cpl]
"GrooveMonitor"="C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 01:47]
"Adobe Photo Downloader"="C:\Programas\Adobe\Photoshop Elements 5.0\apdproxy.exe" [2006-09-14 07:55]
"Acrobat Assistant 8.0"="C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-10 22:46]
"!AVG Anti-Spyware"="C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"HP Software Update"="C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]
"H/PC Connection Agent"="C:\Programas\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 15:25]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Programas\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"DWQueuedReporting"="C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL" [2006-10-27 01:48]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"="C:\Programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 16:39]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Programas\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 13:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"CTFMON.EXE"=C:\WINDOWS\system32\ctfmon.exe
"MSMSGS"="C:\Programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"NeroFilterCheck"=C:\WINDOWS\system32\NeroCheck.exe
"Sunkist2k"=C:\Programas\Multimedia Card Reader\shwicon2k.exe
"ATIPTA"=C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
"HP Component Manager"="C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
"HP Software Update"=C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
"HPDJ Taskbar Utility"=C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
"SunJavaUpdateSched"=C:\Programas\Java\jre1.5.0_06\bin\jusched.exe
"Adobe Photo Downloader"="C:\Programas\Adobe\Photoshop Elements 5.0\apdproxy.exe"
"Alt-Tab Thingy"="C:\Programas\Alt-Tab Thingy v3\attmain.exe"
"BTSETBOOTKEY"=BTSetBootKey.exe
"BTUSRBDG"=BtUsrBdg.exe
"Cpqset"=C:\Programas\HPQ\Default Settings\cpqset.exe
"DSLAGENTEXE"=dslagent.exe USB
"GrooveMonitor"="C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe"
"CamMonitor"=C:\Programas\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
"HPHmon05"=C:\WINDOWS\System32\hphmon05.exe
"HPHUPD05"=C:\Programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
"PCSuiteTrayApplication"=C:\Programas\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs
UxTuneUp


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e60f6d4-9d64-11da-bcad-00023f23a4bc}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- F:\Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c00cfa0-1179-11da-bc78-00023f23a4bc}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycled\ctfmon.exe
Open(0)\command- Recycled\ctfmon.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2be7932-00c3-11dc-b638-00023f23a4bc}]
AutoRun\command- F:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-07-06 16:20:04 C:\WINDOWS\tasks\1-Click Maintenance.job
2007-07-05 11:25:14 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-08 15:00:00 C:\WINDOWS\tasks\HPpromotions journeysoftware.job
2007-07-08 15:41:36 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-08 16:40:06
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwEnumerateKey, ZwClose, ZwEnumerateValueKey, ZwQueryValueKey, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ShldDrv]
"ImagePath"="\??\C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys"
"ImagePath"="C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys"

Completion time: 2007-07-08 16:48:25 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-08 16:48

--- E O F ---




Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 23:49:59, on 08-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programas\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
c:\programas\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Programas\Apoint2K\Apoint.exe
C:\WINDOWS\System32\snmp.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\ApvxdWin.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Apoint2K\Apntex.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\GSICON.EXE
C:\Programas\Canon\CAL\CALMAIN.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe
C:\Programas\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Microsoft ActiveSync\wcescomm.exe
C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Nuno\Ambiente de trabalho\HiJackThis_v2.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\psimreal.exe
C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\avciman.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?linkid=54834
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Apoint] C:\Programas\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programas\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Programas\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Programas\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programas\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Iniciação Rápida do Microsoft Office OneNote 2007.lnk = C:\Programas\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: Append to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Programas\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Criar Favorito Móvel... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0D9392CD-A784-4FCA-9342-0F75F7D7C8CB} (Corporate Language Training Interface) - http://www.cltnet.de...in/dplaunch.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.h...staller_gmn.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://mail.mahle.pt:81/iNotes6W.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitd...can8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Daemon da cache de categorias dos componentes - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Programas\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Programas\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Programas\Ficheiros comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LEC TranslateDotNet Server - Unknown owner - C:\Programas\Power Translator\LogoMedia TranslateDotNet Server.exe (file missing)
O23 - Service: Panda Software Controller - Panda Software International - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Unknown owner - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Programas\Ficheiros comuns\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\pavsrv51.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Panda Host Service (PSHost) - Unknown owner - c:\programas\panda software\panda antivirus + firewall 2007\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\PsImSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Programas\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Programas\Panda Software\Panda Antivirus + Firewall 2007\TPSrv.exe

--
End of file - 12930 bytes


CSV File

autorun.inf C:\Documents and Settings\Nuno\Ambiente de trabalho\pen Trojan.Recycle Eliminado.
Process.exe C:\Documents and Settings\Nuno\Ambiente de trabalho\SmitfraudFix Tool.Prockill Renomeado.
DELLTH.TXT C:\i386\COMPDATA Modificação de IRC.Sleeper Movido.
Brandit.exe C:\Swsetup\BrandIT\Disk1 Provavelmente STPAGE.Trojan

#5 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 08 July 2007 - 11:44 PM

Hi nmhc, :wave:

You’re most welcome, nmhc. :)

You’ve done a great job so far. Well done, and keep up the good work! :thumbsup:

OK, let’s do this next.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.
  • Double-click Flash_Disinfector.exe to run it.
  • Follow any prompts that may appear.
  • Your desktop will vanish for a while, and then reappear. This is normal.
  • Wait until the program has finished scanning, then please exit the program.

NEXT:

For this next step, please ensure that ComboFix.exe is on your desktop:
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (start copying from "File::")


    File::
    C:\WINDOWS\GPInstall.exe
    F:\Recycled\ctfmon.exe
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1e60f6d4-9d64-11da-bcad-00023f23a4bc}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4c00cfa0-1179-11da-bc78-00023f23a4bc}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2be7932-00c3-11dc-b638-00023f23a4bc}]
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION:
Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:

    C:\WINDOWS\system32\imagens1.exe

  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file (the green status box in the top right corner will show "STATUS: SCANNING"). Please be patient.
  • Once scanned (the status box will display "STATUS: FINISHED"), copy and paste the results in your next reply.
Then please do the same as above for the following files:

C:\WINDOWS\system32\imagens2.exe


NEXT:

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download SDFix by AndyManchesta and save it to your desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix).

Please then reboot your computer into Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.
Once in Safe Mode, please do the following:
  • Open the extracted C:\SDFix folder and double-click on RunThis.bat to start the script.
  • Type "Y" to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum.

NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):
  • Click on "Kaspersky Online Scanner".
  • You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on "Next".
  • Now click on "Scan Settings".
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click "OK".
  • Now under select a target to scan:
    • Select "My Computer".
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan located at C:\ComboFix.txt.
  • The reports from VirusTotal.
  • The log from the SDFix scan.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

How are things running now? Any persistent problem I should know about?

Edited by Sempurna, 08 July 2007 - 11:48 PM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button