Help please, I don't know what more to do


6 replies to this topic

#1 tiagoludovice


Posted 12 January 2007 - 06:47 PM

Hi,

I don't know what happened, but I got some kind of spyware that I can't get rid of. It keeps opening very strange Chinese pop-ups. I blocked some of the sites that open, these ones:

265dm.com
21cnyl.com
xpha.com
42.db.la/s.asp
hohomm.com/


I think it was when I was buying stuff on eBay; I opened a Chinese page of MP3 players.
I did the cleaning with Ad-Aware and it didn't resolve my problem; I don't know what to do.
I hope someone can help me.
Sorry for the English if there are some mistakes; I'm Portuguese.
This is my Ad-Aware log:


Ad-Aware SE Build 1.06r1
Logfile Created on:sexta-feira, 12 de Janeiro de 2007 17:14:00
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R143 08.01.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):15 total references
Tracking Cookie(TAC index:3):6 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


12-01-2007 17:14:00 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\mar de copias\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\mar de copias\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\office\11.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 472
ThreadCreationTime : 12-01-2007 9:44:56
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 520
ThreadCreationTime : 12-01-2007 9:44:58
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 12-01-2007 9:44:59
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 588
ThreadCreationTime : 12-01-2007 9:44:59
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Aplicação de serviços e controlo
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 600
ThreadCreationTime : 12-01-2007 9:44:59
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 748
ThreadCreationTime : 12-01-2007 9:45:02
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 760
ThreadCreationTime : 12-01-2007 9:45:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 832
ThreadCreationTime : 12-01-2007 9:45:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 952
ThreadCreationTime : 12-01-2007 9:45:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 992
ThreadCreationTime : 12-01-2007 9:45:02
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1060
ThreadCreationTime : 12-01-2007 9:45:03
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1320
ThreadCreationTime : 12-01-2007 9:45:04
BasePriority : Normal


#:13 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1440
ThreadCreationTime : 12-01-2007 9:45:05
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:14 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1488
ThreadCreationTime : 12-01-2007 9:45:06
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorador do Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename : EXPLORER.EXE

#:15 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1744
ThreadCreationTime : 12-01-2007 9:45:10
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Executar uma DLL como uma aplicação
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename : RUNDLL.EXE

#:16 [atiptaxx.exe]
FilePath : C:\windows\ATI Technologies\ATI Control Panel\
ProcessID : 1756
ThreadCreationTime : 12-01-2007 9:45:10
BasePriority : Normal
FileVersion : 6.14.10.5071
ProductVersion : 6.14.10.5071
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright © 1998-2002 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:17 [dragdiag.exe]
FilePath : C:\Programas\Alcatel\SpeedTouch USB\
ProcessID : 1764
ThreadCreationTime : 12-01-2007 9:45:10
BasePriority : Normal
FileVersion : 200.7.0.0
ProductVersion : 200.7.0.0
ProductName : SpeedTouch USB
CompanyName : THOMSON multimedia
FileDescription : SpeedTouch Statistics
LegalCopyright : Copyright© THOMSON multimedia 1999-2002

#:18 [jusched.exe]
FilePath : C:\Programas\Java\jre1.5.0_09\bin\
ProcessID : 1788
ThreadCreationTime : 12-01-2007 9:45:10
BasePriority : Normal


#:19 [qttask.exe]
FilePath : C:\Programas\QuickTime\
ProcessID : 1820
ThreadCreationTime : 12-01-2007 9:45:11
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:20 [msascui.exe]
FilePath : C:\Programas\Windows Defender\
ProcessID : 1832
ThreadCreationTime : 12-01-2007 9:45:11
BasePriority : Normal
FileVersion : 1.1.1593.0
ProductVersion : 1.1.1593.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Windows Defender User Interface
InternalName : MSASCUI
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSASCUI.exe

#:21 [msnmsgr.exe]
FilePath : C:\Programas\MSN Messenger\
ProcessID : 1840
ThreadCreationTime : 12-01-2007 9:45:11
BasePriority : Normal
FileVersion : 7.5.0311
ProductVersion : 7.5.0311
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:22 [drvmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1852
ThreadCreationTime : 12-01-2007 9:45:11
BasePriority : Normal
FileVersion : 1, 0, 0, 9
ProductVersion : 1, 0, 0, 9
ProductName : Alcor Micro, Corp. Drive Monitor
CompanyName : Alcor Micro, Corp.
FileDescription : Drive Monitor
InternalName : Drive Monitor
LegalCopyright : Copyright c 2003 Alcor Micro, Corp.
OriginalFilename : Monitor.exe

#:23 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1868
ThreadCreationTime : 12-01-2007 9:45:11
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:24 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 184
ThreadCreationTime : 12-01-2007 9:45:14
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:25 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 236
ThreadCreationTime : 12-01-2007 9:45:14
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:26 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 276
ThreadCreationTime : 12-01-2007 9:45:15
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:27 [lsass.exe]
FilePath : C:\WINDOWS\system32\com\
ProcessID : 344
ThreadCreationTime : 12-01-2007 9:45:15
BasePriority : Normal


#:28 [smss.exe]
FilePath : C:\WINDOWS\system32\com\
ProcessID : 300
ThreadCreationTime : 12-01-2007 9:45:16
BasePriority : Normal
FileVersion : 1.00
ProductVersion : 1.00
ProductName : smss
InternalName : smss
OriginalFilename : smss.exe

#:29 [winamp.exe]
FilePath : C:\Programas\Winamp\
ProcessID : 2424
ThreadCreationTime : 12-01-2007 10:09:03
BasePriority : Normal
FileVersion : 5.02
ProductVersion : 5.02
ProductName : Winamp
CompanyName : Nullsoft
FileDescription : Winamp
InternalName : WINAMP
LegalCopyright : Copyright © 1997-2004, Nullsoft, Inc.
LegalTrademarks : Nullsoft and Winamp are trademarks of Nullsoft, Inc.
OriginalFilename : Winamp.exe
Comments : Visit http://www.winamp.com/ for updates.

#:30 [iexplore.exe]
FilePath : C:\Programas\Internet Explorer\
ProcessID : 2660
ThreadCreationTime : 12-01-2007 15:35:28
BasePriority : Normal
FileVersion : 7.00.5450.4 (winmain(wmbla).060623-0309)
ProductVersion : 7.00.5450.4
ProductName : Windows® Internet Explorer
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:31 [msmpeng.exe]
FilePath : C:\Programas\Windows Defender\
ProcessID : 2380
ThreadCreationTime : 12-01-2007 16:20:19
BasePriority : Normal
FileVersion : 1.1.1593.0
ProductVersion : 1.1.1593.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe

#:32 [hpqthb08.exe]
FilePath : C:\Programas\Hewlett-Packard\Digital Imaging\bin\
ProcessID : 2276
ThreadCreationTime : 12-01-2007 16:31:55
BasePriority : Normal
FileVersion : 4.2.0.138
ProductVersion : 002.000.000.138
ProductName : hp digital imaging - hp all-in-one series
CompanyName : Hewlett-Packard Co.
FileDescription : HP Photo & Imaging Gallery
InternalName : HPOTHB08
LegalCopyright : Copyright © Hewlett-Packard Co. 1995-2001
OriginalFilename : HPOTHB08.EXE
Comments : HP Photo & Imaging Gallery

#:33 [wisptis.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 2356
ThreadCreationTime : 12-01-2007 16:35:38
BasePriority : High
FileVersion : 1.0.2201.0 (xpsp1.020820-1800)
ProductVersion : 1.0.2201.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Microsoft Tablet PC Platform Component
InternalName : WISPTIS.EXE
LegalCopyright : Copyright © 1998-2002 Microsoft Corporation.
OriginalFilename : WISPTIS.EXE

#:34 [winword.exe]
FilePath : C:\Program Files\Office\OFFICE11\
ProcessID : 1904
ThreadCreationTime : 12-01-2007 16:50:10
BasePriority : Normal


#:35 [ad-aware.exe]
FilePath : C:\Programas\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3296
ThreadCreationTime : 12-01-2007 17:11:29
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@weborama[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:11
Value : Cookie:mar de copias@weborama.fr/
Expires : 11-01-2009 10:25:00
LastSync : Hits:11
UseCount : 0
Hits : 11

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@atdmt[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:mar de copias@atdmt.com/
Expires : 11-01-2012
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:mar de copias@mediaplex.com/
Expires : 22-06-2009
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@betandwinwebbeta.122.2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:3
Value : Cookie:mar de copias@betandwinwebbeta.122.2o7.net/
Expires : 11-01-2012 9:56:40
LastSync : Hits:3
UseCount : 0
Hits : 3

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:6
Value : Cookie:mar de copias@doubleclick.net/
Expires : 11-01-2010 10:24:56
LastSync : Hits:6
UseCount : 0
Hits : 6

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@adserv.sapo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:10
Value : Cookie:mar de copias@adserv.sapo.pt/
Expires : 30-12-2037 16:00:00
LastSync : Hits:10
UseCount : 0
Hits : 10

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 6
Objects found so far: 21



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 21




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 21

17:40:47 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:26:46.630
Objects scanned:243307
Objects identified:6
Objects ignored:0
New critical objects:6

Thanks for your help

#2 HJThis

Volunteer Security Advisor

Posted 13 January 2007 - 04:37 AM

Hello, tiagoludovice & Welcome

May we have a look at a HijackThis logfile please.

Gogo ;)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#3 tiagoludovice


Posted 16 January 2007 - 12:30 PM

Sorry, I forgot the HijackThis log.

So this is my new Ad-Aware log and my HijackThis log; thanks a lot for your help.


Ad-Aware SE Build 1.06r1
Logfile Created on:terça-feira, 16 de Janeiro de 2007 10:57:44
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R144 15.01.2007
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):15 total references
Tracking Cookie(TAC index:3):13 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


16-01-2007 10:57:44 - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\mar de copias\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office


MRU List Object Recognized!
Location: : C:\Documents and Settings\mar de copias\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\directinput\mostrecentapplication
Description : most recent application to use microsoft directinput


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\office\11.0\powerpoint\recent file list
Description : list of recent files used by microsoft powerpoint


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : S-1-5-21-1280042623-4220892230-1406903070-1005\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 472
ThreadCreationTime : 16-01-2007 9:41:00
BasePriority : Normal


#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 520
ThreadCreationTime : 16-01-2007 9:41:02
BasePriority : Normal


#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 544
ThreadCreationTime : 16-01-2007 9:41:03
BasePriority : High


#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 588
ThreadCreationTime : 16-01-2007 9:41:03
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Aplicação de serviços e controlo
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename : services.exe

#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 600
ThreadCreationTime : 16-01-2007 9:41:03
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [ati2evxx.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 752
ThreadCreationTime : 16-01-2007 9:41:06
BasePriority : Normal


#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 764
ThreadCreationTime : 16-01-2007 9:41:06
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 824
ThreadCreationTime : 16-01-2007 9:41:06
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [msmpeng.exe]
FilePath : C:\Programas\Windows Defender\
ProcessID : 904
ThreadCreationTime : 16-01-2007 9:41:06
BasePriority : Normal
FileVersion : 1.1.1593.0
ProductVersion : 1.1.1593.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Service Executable
InternalName : MsMpEng.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MsMpEng.exe

#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 944
ThreadCreationTime : 16-01-2007 9:41:06
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 980
ThreadCreationTime : 16-01-2007 9:41:07
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:12 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1140
ThreadCreationTime : 16-01-2007 9:41:07
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:13 [ati2evxx.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1300
ThreadCreationTime : 16-01-2007 9:41:08
BasePriority : Normal


#:14 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1436
ThreadCreationTime : 16-01-2007 9:41:09
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe

#:15 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1496
ThreadCreationTime : 16-01-2007 9:41:10
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Explorador do Windows
InternalName : explorer
LegalCopyright : © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename : EXPLORER.EXE

#:16 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1748
ThreadCreationTime : 16-01-2007 9:41:14
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Sistema operativo Microsoft® Windows®
CompanyName : Microsoft Corporation
FileDescription : Executar uma DLL como uma aplicação
InternalName : rundll
LegalCopyright : © Microsoft Corporation. Todos os direitos reservados.
OriginalFilename : RUNDLL.EXE

#:17 [atiptaxx.exe]
FilePath : C:\windows\ATI Technologies\ATI Control Panel\
ProcessID : 1756
ThreadCreationTime : 16-01-2007 9:41:14
BasePriority : Normal
FileVersion : 6.14.10.5071
ProductVersion : 6.14.10.5071
ProductName : ATI Desktop Component
CompanyName : ATI Technologies, Inc.
FileDescription : ATI Desktop Control Panel
InternalName : Atiptaxx.exe
LegalCopyright : Copyright © 1998-2002 ATI Technologies Inc.
OriginalFilename : Atiptaxx.exe

#:18 [dragdiag.exe]
FilePath : C:\Programas\Alcatel\SpeedTouch USB\
ProcessID : 1764
ThreadCreationTime : 16-01-2007 9:41:14
BasePriority : Normal
FileVersion : 200.7.0.0
ProductVersion : 200.7.0.0
ProductName : SpeedTouch USB
CompanyName : THOMSON multimedia
FileDescription : SpeedTouch Statistics
LegalCopyright : Copyright© THOMSON multimedia 1999-2002

#:19 [jusched.exe]
FilePath : C:\Programas\Java\jre1.5.0_09\bin\
ProcessID : 1796
ThreadCreationTime : 16-01-2007 9:41:14
BasePriority : Normal


#:20 [qttask.exe]
FilePath : C:\Programas\QuickTime\
ProcessID : 1804
ThreadCreationTime : 16-01-2007 9:41:14
BasePriority : Normal
FileVersion : 6.4
ProductVersion : QuickTime 6.4
ProductName : QuickTime
CompanyName : Apple Computer, Inc.
InternalName : QuickTime Task
LegalCopyright : © Apple Computer, Inc. 2001-2003
OriginalFilename : QTTask.exe

#:21 [msascui.exe]
FilePath : C:\Programas\Windows Defender\
ProcessID : 1828
ThreadCreationTime : 16-01-2007 9:41:15
BasePriority : Normal
FileVersion : 1.1.1593.0
ProductVersion : 1.1.1593.0
ProductName : Windows Defender
CompanyName : Microsoft Corporation
FileDescription : Windows Defender User Interface
InternalName : MSASCUI
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : MSASCUI.exe

#:22 [msnmsgr.exe]
FilePath : C:\Programas\MSN Messenger\
ProcessID : 1840
ThreadCreationTime : 16-01-2007 9:41:15
BasePriority : Normal
FileVersion : 7.5.0311
ProductVersion : 7.5.0311
ProductName : MSN Messenger
CompanyName : Microsoft Corporation
FileDescription : MSN Messenger
InternalName : msnmsgr
LegalCopyright : Copyright © Microsoft Corporation 1997-2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msnmsgr.exe

#:23 [drvmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1860
ThreadCreationTime : 16-01-2007 9:41:15
BasePriority : Normal
FileVersion : 1, 0, 0, 9
ProductVersion : 1, 0, 0, 9
ProductName : Alcor Micro, Corp. Drive Monitor
CompanyName : Alcor Micro, Corp.
FileDescription : Drive Monitor
InternalName : Drive Monitor
LegalCopyright : Copyright c 2003 Alcor Micro, Corp.
OriginalFilename : Monitor.exe

#:24 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1872
ThreadCreationTime : 16-01-2007 9:41:15
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:25 [lsass.exe]
FilePath : C:\WINDOWS\system32\com\
ProcessID : 164
ThreadCreationTime : 16-01-2007 9:41:18
BasePriority : Normal


#:26 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 196
ThreadCreationTime : 16-01-2007 9:41:18
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:27 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 252
ThreadCreationTime : 16-01-2007 9:41:19
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:28 [wdfmgr.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 356
ThreadCreationTime : 16-01-2007 9:41:19
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe

#:29 [smss.exe]
FilePath : C:\WINDOWS\system32\com\
ProcessID : 880
ThreadCreationTime : 16-01-2007 9:41:22
BasePriority : Normal
FileVersion : 1.00
ProductVersion : 1.00
ProductName : smss
InternalName : smss
OriginalFilename : smss.exe

#:30 [iexplore.exe]
FilePath : C:\Programas\Internet Explorer\
ProcessID : 2508
ThreadCreationTime : 16-01-2007 10:54:27
BasePriority : Normal
FileVersion : 7.00.5450.4 (winmain(wmbla).060623-0309)
ProductVersion : 7.00.5450.4
ProductName : Windows® Internet Explorer
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:31 [ad-aware.exe]
FilePath : C:\Programas\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3216
ThreadCreationTime : 16-01-2007 10:55:16
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@weborama[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:8
Value : Cookie:mar de copias@weborama.fr/
Expires : 11-01-2009 21:26:34
LastSync : Hits:8
UseCount : 0
Hits : 8

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@media.fastclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:mar de copias@media.fastclick.net/
Expires : 13-01-2007 18:12:26
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@atdmt[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:9
Value : Cookie:mar de copias@atdmt.com/
Expires : 12-01-2012
LastSync : Hits:9
UseCount : 0
Hits : 9

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@betandwinwebbeta.122.2o7[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:4
Value : Cookie:mar de copias@betandwinwebbeta.122.2o7.net/
Expires : 12-01-2012 15:01:06
LastSync : Hits:4
UseCount : 0
Hits : 4

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@mediaplex[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:mar de copias@mediaplex.com/
Expires : 22-06-2009
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@2o7[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:25
Value : Cookie:mar de copias@2o7.net/
Expires : 12-01-2012 17:36:34
LastSync : Hits:25
UseCount : 0
Hits : 25

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@doubleclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:17
Value : Cookie:mar de copias@doubleclick.net/
Expires : 11-01-2010 21:24:56
LastSync : Hits:17
UseCount : 0
Hits : 17

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@adopt.euroclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:mar de copias@adopt.euroclick.com/
Expires : 12-01-2017 15:02:28
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@fastclick[2].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:2
Value : Cookie:mar de copias@fastclick.net/
Expires : 12-01-2009 17:09:36
LastSync : Hits:2
UseCount : 0
Hits : 2

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@fl01.ct2.comclick[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:5
Value : Cookie:mar de copias@fl01.ct2.comclick.com/
Expires : 10-01-2029
LastSync : Hits:5
UseCount : 0
Hits : 5

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@videoegg.adbureau[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:mar de copias@videoegg.adbureau.net/
Expires : 28-02-2008
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@estat[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:1
Value : Cookie:mar de copias@estat.com/
Expires : 13-01-2017 10:48:56
LastSync : Hits:1
UseCount : 0
Hits : 1

Tracking Cookie Object Recognized!
Type : IECache Entry
Data : mar_de_copias@adserv.sapo[1].txt
TAC Rating : 3
Category : Data Miner
Comment : Hits:23
Value : Cookie:mar de copias@adserv.sapo.pt/
Expires : 30-12-2037 16:00:00
LastSync : Hits:23
UseCount : 0
Hits : 23

Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 13
Objects found so far: 28



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 28




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 28

11:21:47 Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:24:03.95
Objects scanned:245965
Objects identified:13
Objects ignored:0
New critical objects:13

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:37:46, on 16-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\windows\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programas\Java\jre1.5.0_09\bin\jusched.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\DrvMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\com\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\com\smss.exe
C:\Programas\Internet Explorer\iexplore.exe
C:\Program Files\Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\mar de copias\Os meus documentos\downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....cid={SUB_CLCID}
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\windows\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: ~(2).pif = ?
O8 - Extra context menu item: &Search - http://kc.bar.need2f...earch.html?p=KC
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\Office\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.citydesk.pt
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FA91C8-1BB4-4181-ACF4-E4810D9894B1}: NameServer = 195.23.129.126 194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe



Thanks for your help

#4 HJThis


    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 16 January 2007 - 07:49 PM

Hi, tiagoludovice


Download The Avenger Copyright © Swandog46
You must extract avenger.exe to your desktop, before you run it.

CLOSE ALL WINDOWS (even this one) AND PROGRAMS!!!!


Copy all the text contained in the code box below to your Clipboard.
NOTE: don't copy the word quote

Files to delete:
C:\WINDOWS\system32\com\lsass.exe
C:\WINDOWS\system32\com\smss.exe


The above script is for this user only; if you need help, please start your own thread.

Start the Avenger.
Under "Script file to execute" choose "Input Script Manually".
Click on the Magnifying Glass icon which will open a new window titled "View/edit script".
Paste the entire text into this window.
Click Done, then click on the Green Light.
Answer "Yes" twice when prompted.
Your computer should reboot and briefly open a black command window on your desktop; this is normal.

After the restart, it will create a log file that should open.
This log file will be located at C:\avenger.txt

Paste the contents of C:\avenger.txt into your reply along with a fresh HijackThis! log.

Also: Avenger has made backups of all the files, etc., that you asked it to delete, located at C:\avenger\backup.zip.


================

Please download ComboFix and save it to your desktop.

Double click combofix.exe and follow the prompts.

When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Gogo ;)
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.


#5 tiagoludovice


    Newbie

  • Members
  • 6 posts

Posted 17 January 2007 - 06:03 PM

Thanks for your help,
I did all the procedures and these are the 3 logs from HijackThis, Avenger and ComboFix.

HIJACKTHIS:

Logfile of HijackThis v1.99.1
Scan saved at 15:48:47, on 17-01-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\windows\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Programas\Java\jre1.5.0_09\bin\jusched.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\DrvMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\com\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\com\smss.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\mar de copias\Ambiente de trabalho\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [ATIPTA] C:\windows\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - Startup: ~(2).pif = ?
O8 - Extra context menu item: &Search - http://kc.bar.need2f...earch.html?p=KC
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\Office\OFFICE11\REFIEBAR.DLL
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.citydesk.pt
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} - http://fdl.msn.com/z...s/heartbeat.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{75FA91C8-1BB4-4181-ACF4-E4810D9894B1}: NameServer = 195.23.129.126 194.79.69.222
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Programas\Ficheiros comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programas\Ficheiros comuns\Macromedia Shared\Service\Macromedia Licensing.exe


AVENGER:


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\slvcevpi

*******************

Script file located at: \??\C:\WINDOWS\system32\vhbqmvxl.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\com\lsass.exe deleted successfully.
File C:\WINDOWS\system32\com\smss.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


COMBOFIX


"mar de copias" - 07-01-17 15:33:51 Service Pack 2
ComboFix 07-01-16.2 - Running from: "C:\Documents and Settings\mar de copias\Ambiente de trabalho"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


c:\pagefile.pif
C:\autorun.inf
C:\pagefile.pif


((((((((((((((((((((((((((((((( Files Created from 2006-12-17 to 2007-01-17 ))))))))))))))))))))))))))))))))))


2007-01-17 15:32 <DIR> d-------- C:\avenger
2007-01-11 18:41 <DIR> d-------- C:\Programas\Lavasoft
2007-01-11 18:41 <DIR> d-------- C:\DOCUME~1\MARDEC~1\Application Data\Lavasoft


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-16 19:39 -------- d-------- C:\DOCUME~1\MARDEC~1\Application Data\u3
2007-01-11 19:06 -------- d-a------ C:\Programas\common files
2006-12-30 17:40 -------- d---s---- C:\DOCUME~1\MARDEC~1\Application Data\microsoft
2006-12-26 19:26 -------- d-------- C:\Programas\pop art studio
2006-12-12 18:27 -------- d-------- C:\DOCUME~1\MARDEC~1\Application Data\adobeum
2006-12-07 06:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-06 21:56 -------- d-------- C:\Programas\windows defender
2006-12-06 09:31 -------- d-------- C:\Programas\google
2006-12-05 21:48 -------- d-------- C:\DOCUME~1\MARDEC~1\Application Data\skype
2006-12-05 13:45 -------- d-------- C:\Programas\skype
2006-12-04 17:20 10368 --a------ C:\WINDOWS\system32\drivers\pfc.sys
2006-11-24 18:38 -------- d-------- C:\Programas\quicktime
2006-11-17 11:04 -------- d-------- C:\DOCUME~1\MARDEC~1\Application Data\ksol
2006-11-08 05:07 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-10-20 01:37 715264 --a------ C:\WINDOWS\system32\sxs.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"msnmsgr"="\"C:\\Programas\\MSN Messenger\\msnmsgr.exe\" /background"
"DrvMon.exe"="C:\\WINDOWS\\system32\\DrvMon.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updateMgr"="\"C:\\Programas\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"ATIPTA"="C:\\windows\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"SpeedTouch USB Diagnostics"="\"C:\\Programas\\Alcatel\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SunJavaUpdateSched"="\"C:\\Programas\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"QuickTime Task"="\"C:\\Programas\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Programas\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"RegisterDropHandler"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\REGIST~1.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Iniciar\\Programas\\Arranque\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~4.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^GStartup.lnk]
"path"="C:\\Documents and Settings\\All Users\\Menu Iniciar\\Programas\\Arranque\\GStartup.lnk"
"backup"="C:\\WINDOWS\\pss\\GStartup.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FICHEI~1\\GMT\\GMT.exe /startup"
"item"="GStartup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="points manager"
"hkey"="HKLM"
"command"="c:\\program files\\altnet\\points manager\\points manager.exe -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anti-Virus Update Scheduler V1.39.12R]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winxp"
"hkey"="HKLM"
"command"="C:\\winxp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cmrss]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cmrss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\cmrss.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstaFinderK]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="InstaFinderK_inst"
"hkey"="HKLM"
"command"="C:\\Programas\\INSTAFINK\\InstaFinderK_inst.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InstantAccess]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="INSTAN~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\INSTAN~1.EXE /h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KAZAA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kazaa"
"hkey"="HKLM"
"command"="C:\\Programas\\Kazaa\\kazaa.exe /SYSTRAY"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lxbkbmgr"
"hkey"="HKLM"
"command"="\"C:\\Programas\\Lexmark X1100 Series\\lxbkbmgr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKLM"
"command"="\"C:\\Programas\\Messenger Plus! 2\\MsgPlus.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkUFind"
"hkey"="HKLM"
"command"="C:\\Programas\\Ficheiros comuns\\Microsoft Shared\\Works Shared\\WkUFind.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Programas\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegisterDropHandler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="REGIST~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\TEXTBR~1.0\\Bin\\REGIST~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SAPO Messenger]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sapoim"
"hkey"="HKCU"
"command"="\"C:\\Programas\\SAPO Messenger\\sapoim.exe\" /silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpgs2wnd"
"hkey"="HKLM"
"command"="C:\\Programas\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Programas\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\taskmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msbcs"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\msbcs.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Programas\\Ficheiros comuns\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Programas\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_0"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows AdStatus]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinStat"
"hkey"="HKLM"
"command"="C:\\Program Files\\Windows AdStatus\\WinStat.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\FICHEI~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\FICHEI~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
bthsvcs REG_MULTI_SZ BthServ\0\0


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\LaunchU3.exe -a

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0089ae4c-6011-11da-9347-0090d077dfad}]
Shell\AutoRun\command E:\JDSecure\Windows\JDSecure20.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11f18716-8a91-11db-9525-0090d077dfad}]
Shell\Auto\command pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{28f26482-a223-11db-9542-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2d445208-a2c8-11da-93b5-0090d077dfad}]
Shell\AutoRun\command J:\loader.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2f37b2e3-a49f-11db-9546-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{319ecd10-eef5-11da-9431-0090d077dfad}]
shell\play\Command "C:\Programas\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3b8d2c83-2078-11db-947f-0090d077dfad}]
Shell\Auto\command F:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3de8ae5f-5605-11db-94d0-0090d077dfad}]
Shell\AutoRun\command F:\LaunchU3.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4d9b7007-efd8-11da-9434-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{538b61e0-a60f-11db-9548-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5736f310-b7c7-11d9-9226-0090d077dfad}]
Shell\AutoRun\command .\MigWiz\migsetup.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6b5eeac8-a554-11db-9547-0090d077dfad}]
Shell\AutoRun\command F:\LaunchU3.exe -a

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6b5eeac9-a554-11db-9547-0090d077dfad}]
Shell\Auto\command K:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{96681d80-a471-11db-9545-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9f7c5e90-808c-11db-9517-0090d077dfad}]
Shell\AutoRun\command E:\setupSNK.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a605e590-11f2-11d9-9127-0090d077dfad}]
Shell\Auto\command pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{a7919426-805a-11db-9516-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c79b1382-83c1-11db-951b-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d55ccad5-7bab-11db-950f-0090d077dfad}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e4689ee4-5843-11db-94d3-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e6a66340-dc2f-11da-9413-0090d077dfad}]
Shell\Auto\command E:\pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e8b43331-86aa-11db-9521-0090d077dfad}]
Shell\AutoRun\command K:\LaunchU3.exe


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: 07-01-17 15:43:08


Thanks again for your support
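Added example, not part of this thread or of any tool named in it: a small Python script that parses the MountPoints2 section of a log in the format posted above and flags the autorun handlers a responder would want to review first, such as the `RunDLL32 ... ShellExec_RunDLL pagefile.pif` entries. The sample log is a constructed subset of the entries above, and the flagging heuristics are my own, not ComboFix's.

```python
import re
# Constructed sample shaped like the MountPoints2 section of the log above
# (a subset): the Shell\<verb>\command lines under each volume key are what
# Explorer runs when that volume is opened or autoplayed.
SAMPLE_LOG = r"""[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\LaunchU3.exe -a
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{11f18716-8a91-11db-9525-0090d077dfad}]
Shell\Auto\command pagefile.pif
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL pagefile.pif
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{319ecd10-eef5-11da-9431-0090d077dfad}]
shell\play\Command "C:\Programas\Windows Media Player\wmplayer.exe" /prefetch:4 /device:DVD "%L"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d55ccad5-7bab-11db-950f-0090d077dfad}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
"""

KEY_RE = re.compile(r"^\[HKCU\\.*\\MountPoints2\\(?P<vol>[^\]]+)\]$")
CMD_RE = re.compile(r"^shell\\(?P<verb>[^\\]+)\\command\s+(?P<cmd>.+)$", re.IGNORECASE)

def parse_mountpoints(text):
    """Return (volume_id, verb, command) triples from a MountPoints2 dump."""
    entries, vol = [], None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            vol = key.group("vol")
            continue
        cmd = CMD_RE.match(line)
        if cmd and vol is not None:
            entries.append((vol, cmd.group("verb"), cmd.group("cmd").strip()))
    return entries

def suspicious_reasons(command):
    """Heuristics (my own, not ComboFix's) for an autorun handler worth reviewing."""
    low, reasons = command.lower(), []
    # rundll32 + ShellExec_RunDLL hides the real target; inspect what follows it.
    if "shellexec_rundll" in low:
        reasons.append("launched indirectly via rundll32 ShellExec_RunDLL")
        low = low.split("shellexec_rundll", 1)[1]
    tokens = low.split()
    target = tokens[0].strip('"') if tokens else ""
    if target.endswith(".pif"):
        reasons.append("target is a .pif with a system-file-looking name")
    if target and not re.match(r"^[a-z]:\\", target):
        reasons.append("relative target resolves against the removable volume itself")
    return reasons

def find_suspicious(text):
    """Entries whose autorun command trips at least one heuristic."""
    hits = [(vol, verb, cmd, suspicious_reasons(cmd)) for vol, verb, cmd in parse_mountpoints(text)]
    return [h for h in hits if h[3]]
```

Running `find_suspicious` over a full log of this shape separates the vendor launchers and media-player verbs from the handlers that execute an unqualified file from the volume root.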

#6 tiagoludovice

    Newbie

  • Members
  • 6 posts

Posted 25 January 2007 - 05:16 PM

Please help, I'm still with this problem.

#7 HJThis

    Advanced Member

  • Volunteer Security Advisor
  • 4076 posts

Posted 25 January 2007 - 05:48 PM

Hi, tiagoludovice

Ok, let's try this now; it's the first time I'm using it this way.

Download this file - combofix.exe

and save it to your desktop. Also save the below command in Notepad as a text file so that you can copy/paste in safe mode.

"%userprofile%\desktop\combofix.exe" /wow


Boot into safe mode by tapping the F8 key just before Windows starts to load.

Go to Start --> Run and copy/paste in the following:


"%userprofile%\desktop\combofix.exe" /wow


When finished, it shall produce a log for you. Save it and post that log in your next reply.

Note:

Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

==========

Then come back here with a new HijackThis logfile and also the ComboFix log.


Gogo :D
Die Hijacker Die

Member of
ALLIANCE OF SECURITY ANALYSIS PROFESSIONALS

Since 2004

Warning My killer dog at work.
