Thread from Tech Support Forum (Security Center, HijackThis Log Help, Resolved HJT Threads)
#1, 12-22-2007, 05:04 PM, artaloytia (Registered User, joined Dec 2007; OS: Windows XP)


Vundo Trouble

McAfee VirusScan Enterprise 8.0 detected a Vundo virus a few days ago. I followed instructions in a TSF post in order to clean the virus. However, the computer and the internet connection have been a lot slower since then, and there are several pieces of malware/spyware that my antivirus does not detect but Panda did. I would appreciate your help very much. Thanks!

Deckard's System Scanner v20071014.68
Run by Augusto Artaloytia on 2007-12-22 23:24:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
55: 2007-12-22 23:24:23 UTC - RP395 - Deckard's System Scanner Restore Point
54: 2007-12-22 22:33:46 UTC - RP394 - Software Distribution Service 3.0
53: 2007-12-22 22:24:33 UTC - RP393 - Software Distribution Service 3.0
52: 2007-12-22 17:21:42 UTC - RP392 - Removed SIFOXDeal v2
51: 2007-12-22 17:21:04 UTC - RP391 - Removed Reuters Messaging 4


-- First Restore Point --
1: 2007-12-19 01:17:28 UTC - RP341 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Augusto Artaloytia.exe) ---------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:28:29, on 22-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe
C:\Programas\Network Associates\Common Framework\FrameworkService.exe
C:\Programas\Network Associates\VirusScan\Mcshield.exe
C:\Programas\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programas\Synaptics\SynTP\SynTPLpr.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\Microsoft Works\WksSb.exe
C:\Programas\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Programas\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\Network Associates\VirusScan\SHSTAT.EXE
C:\Programas\Network Associates\Common Framework\UpdaterUI.exe
C:\Programas\Ficheiros comuns\Network Associates\TalkBack\TBMon.exe
C:\Programas\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Software WIDCOMM\Bluetooth\BTTray.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\Documents and Settings\Augusto Artaloytia\Ambiente de trabalho\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Augusto Artaloytia.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programas\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Programas\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programas\Ficheiros comuns\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Programas\WinFixer 2005\WFX5.exe" /scan
O4 - HKCU\..\Run: [VoipBuster] "C:\Programas\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Image Zone.lnk = C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Lembretes do calendário do Microsoft Works.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Programas\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar para &Bluetooth - C:\Programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Programas\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {410A8B3C-7CCB-40E8-8B11-28B099E5C488} (Trend Micro Security Services Control) - http://tmss.trendmicro.com/Dashboard...MSSReportW.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1110715811535
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/s...wserPlugin.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames...z.cab67031.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab60231.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames...A.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Programas\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programas\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programas\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11921 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 NaiAvTdi1 - c:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM, Inc.; Bluetooth Software 1.4.2 Build 19 SP1>
R3 EntDrv51 - c:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - c:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 catchme - c:\docume~1\august~1\defini~1\temp\catchme.sys (file missing)
S3 vsdatant - c:\windows\system32\vsdatant.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\programas\ficheiros comuns\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 McAfeeFramework (McAfee Framework Service) - c:\programas\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\programas\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 1394 Net Adapter
Device ID: V1394\NIC1394\4A0051C523F45
Manufacturer: Microsoft
Name: 1394 Net Adapter
PNP Device ID: V1394\NIC1394\4A0051C523F45
Service: NIC1394


-- Scheduled Tasks -------------------------------------------------------------

2007-12-22 23:19:32 322 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-12-22 22:43:01 362 --a------ C:\WINDOWS\Tasks\HP Usg Daily.job
2007-12-10 16:05:09 340 --a------ C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN43N3C3NXP4.job
2007-12-08 00:17:20 276 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-22 and 2007-12-22 -----------------------------

2007-12-22 22:46:13 0 d-------- C:\Programas\MSXML 6.0
2007-12-22 22:43:27 0 d-------- C:\Programas\MSBuild
2007-12-22 22:39:21 0 d-------- C:\WINDOWS\system32\XPSViewer
2007-12-22 22:38:05 0 d-------- C:\Programas\Reference Assemblies
2007-12-22 22:35:48 0 d-------- C:\dc692a0d9fff942351bda284f2
2007-12-22 21:56:44 0 d-------- C:\ie-spyad_zo
2007-12-22 21:44:18 0 d-------- C:\Programas\SpywareBlaster
2007-12-22 17:53:41 8576 --a------ C:\WINDOWS\system32\drivers\gstdjuxjllxx.sys <Not Verified; Panda Software International; RKPavProc Driver>
2007-12-22 17:26:38 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-12-19 19:20:48 0 d-------- C:\Programas\PokerStars.NET
2007-12-19 18:21:15 0 d-------- C:\Documents and Settings\NetworkService\Definições locais
2007-12-19 18:21:15 0 d-------- C:\Documents and Settings\LocalService\Definições locais
2007-12-19 18:21:15 0 d-------- C:\Documents and Settings\Joana Ramalho\Definições locais
2007-12-19 18:21:15 0 d-------- C:\Documents and Settings\Convidado\Definições locais
2007-12-19 18:21:15 0 d-------- C:\Documents and Settings\Augusto Artaloytia\Definições locais
2007-12-19 01:11:54 0 d-------- C:\WINDOWS\system32\ineWc01
2007-12-19 01:11:53 0 d-------- C:\Temp
2007-12-13 21:23:00 0 d-------- C:\Programas\Trend Micro
2007-12-10 21:24:22 1142 --a------ C:\WINDOWS\mozver.dat
2007-12-10 21:17:28 0 d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-12-10 21:13:26 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-10 21:13:13 0 d-------- C:\Documents and Settings\Augusto Artaloytia\Application Data\Mozilla
2007-12-08 00:51:26 0 d-------- C:\Programas\DivX
2007-12-06 20:00:29 487424 -----n--- C:\WINDOWS\Setup1.exe <Not Verified; EIPC; EIPC Program Setup>
2007-12-06 20:00:23 73216 --a------ C:\WINDOWS\ST6UNST.EXE <Not Verified; Microsoft Corporation; Microsoft® Visual Basic for Windows>
2007-11-28 18:46:23 0 d-------- C:\Programas\SopCast
2007-11-28 18:44:51 0 d-------- C:\Programas\Octoshape Streaming Services
2007-11-28 18:44:18 0 d-------- C:\Documents and Settings\Augusto Artaloytia\Application Data\TVU Networks
2007-11-27 20:21:06 0 d-------- C:\WINDOWS\system32\pt-pt
2007-11-27 20:12:15 0 d-------- C:\WINDOWS\network diagnostic


-- Find3M Report ---------------------------------------------------------------

2007-12-22 22:51:22 489602 --a------ C:\WINDOWS\system32\perfh016.dat
2007-12-22 22:51:22 82684 --a------ C:\WINDOWS\system32\perfc016.dat
2007-12-22 21:18:41 0 d-------- C:\Documents and Settings\Augusto Artaloytia\Application Data\Skype
2007-12-22 20:12:18 0 d-------- C:\Programas\Windows Defender
2007-12-22 20:03:54 0 d-------- C:\Programas\Microsoft Works
2007-12-22 20:00:27 0 d-------- C:\Programas\iTunes
2007-12-22 17:21:52 0 d-------- C:\Programas\SIFOXDeal v2
2007-12-22 17:18:36 0 d--h----- C:\Programas\InstallShield Installation Information
2007-12-22 17:16:05 0 d-------- C:\Programas\Florikey V4.4 Beta
2007-12-22 17:13:26 0 d-------- C:\Programas\Ficheiros comuns
2007-12-10 21:24:30 0 d-------- C:\Documents and Settings\Augusto Artaloytia\Application Data\Adobe
2007-12-08 20:30:54 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-08 00:17:09 0 d-------- C:\Programas\Apple Software Update
2007-11-28 18:44:15 0 d-------- C:\Programas\TVU Player
2007-11-04 21:46:30 0 d-------- C:\Programas\Windows Media Connect 2
2007-10-25 19:42:56 0 d-------- C:\Programas\HP


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [04-09-2001 16:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Programas\HPQ\Default Settings\cpqset.exe" [17-07-2003 13:50]
"SunJavaUpdateSched"="C:\Programas\Java\j2re1.4.2_03\bin\jusched.exe" [04-03-2004 16:05]
"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [13-11-2003 21:10]
"SynTPLpr"="C:\Programas\Synaptics\SynTP\SynTPLpr.exe" [02-02-2005 20:12]
"SynTPEnh"="C:\Programas\Synaptics\SynTP\SynTPEnh.exe" [02-02-2005 20:11]
"WorksFUD"="C:\Programas\Microsoft Works\wkfud.exe" [12-07-2000 06:59]
"Microsoft Works Portfolio"="C:\Programas\Microsoft Works\WksSb.exe" [12-07-2000 07:14]
"Microsoft Works Update Detection"="C:\Programas\Microsoft Works\WkDetect.exe" [08-11-2000 12:33]
"CamMonitor"="C:\Programas\HP\Digital Imaging\Unload\hpqcmon.exe" [07-10-2002 00:23]
"Share-to-Web Namespace Daemon"="C:\Programas\HP\HP Share-to-Web\hpgs2wnd.exe" [17-04-2002 10:42]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [08-03-2005 04:42]
"HPHUPD05"="C:\Programas\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe" [12-11-2003 22:12]
"HP Component Manager"="C:\Programas\HP\hpcoretech\hpcmpmgr.exe" [12-01-2005 14:54]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [02-02-2004 19:47]
"AGRSMMSG"="AGRSMMSG.exe" [04-03-2005 14:01 C:\WINDOWS\AGRSMMSG.exe]
"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [23-08-2007 21:26]
"ShStatEXE"="C:\Programas\Network Associates\VirusScan\SHSTAT.exe" [22-09-2004 20:00]
"McAfeeUpdaterUI"="C:\Programas\Network Associates\Common Framework\UpdaterUI.exe" [06-08-2004 03:50]
"Network Associates Error Reporting Service"="C:\Programas\Ficheiros comuns\Network Associates\TalkBack\TBMon.exe" [07-10-2003 09:48]
"Windows Defender"="C:\Programas\Windows Defender\MSASCui.exe" [03-11-2006 18:20]
"HP Software Update"="C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [08-05-2007 15:24]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [29-06-2007 05:24]
"iTunesHelper"="C:\Programas\iTunes\iTunesHelper.exe" [10-07-2007 08:18]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"WinFixer 2005"="C:\Programas\WinFixer 2005\WFX5.exe" []
"VoipBuster"="C:\Programas\VoipBuster.com\VoipBuster\VoipBuster.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 07:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23-09-2005 22:05:26]
BTTray.lnk - C:\Programas\Software WIDCOMM\Bluetooth\BTTray.exe [12-09-2003 11:42:00]
HP Digital Imaging Monitor.lnk - C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [11-05-2005 22:23:26]
Inicialização rápida do HP Image Zone.lnk - C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [11-05-2005 23:49:24]
Lembretes do calendário do Microsoft Works.lnk - C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe [12-07-2000 7:14:38]
Microsoft Office.lnk - C:\Programas\Microsoft Office\Office10\OSA.EXE [13-02-2001 10:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwur]
gebxwur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a0dcf00-2120-11dc-8d20-00023f23bc9c}]
AutoRun\command- F:\InstallTomTomHOME.exe

*Newly Created Service* - ENTDRV51



-- End of Deckard's System Scanner: finished at 2007-12-22 23:29:45 ------------
Attached file: extra.txt (30.9 KB)
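The entries that matter in a log like the one above are a handful of lines among hundreds of legitimate ones, and the helpers in this forum pick them out by a few recurring rules. The following is an added example, not part of the original post and not a feature of HijackThis or Deckard's System Scanner: a small Python parser for the `Oxx - ...` line format that HijackThis writes, with triage rules run over lines copied from the log posted in this thread. The list of trusted CAB-hosting domains, the list of rogue product name fragments and the severity labels are assumptions made for the example; a real helper maintains their own lists.

```python
"""Rule-based triage of HijackThis v2 log lines (added example, not from the thread).

HijackThis writes one entry per line as "<section> - <body>", where the section
is R0-R3, F0-F3, N1-N4 or O1-O24. This parser splits those apart and applies a
few of the checks a log helper applies by eye. The rules are heuristics: they
rank entries for review, they do not prove that an entry is malicious.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample input: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Programas\WinFixer 2005\WFX5.exe" /scan
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
"""

# Assumption for the example: hosts seen in this log that belong to known vendors.
# Anything else is reported as "unknown", not as "bad".
TRUSTED_CAB_HOSTS = {
    "go.microsoft.com", "v5.windowsupdate.microsoft.com", "zone.msn.com",
    "cdn2.zone.msn.com", "moneycentral.msn.com", "messenger.msn.com",
    "tmss.trendmicro.com", "acs.pandasoftware.com", "download.divx.com",
}
# Assumption for the example: name fragments of rogue "security" products.
ROGUE_PRODUCT_NAMES = ("winfixer",)

LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str  # "O20", "O4", ...
    body: str     # everything after "O20 - "
    raw: str


@dataclass
class Finding:
    tag: str
    severity: str  # "high" = remove, "review" = confirm by hand first
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the entries of an HJT log; process list and header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body"), line.strip()))
    return entries


def triage(entries: list[Entry]) -> list[Finding]:
    findings = []
    for e in entries:
        if e.section == "O20" and e.body.startswith("Winlogon Notify:"):
            # A Notify DLL named without a path and absent from disk is either the
            # leftover of an already-removed infection or a slot that can be refilled
            # on the next reboot. Vundo used this key; either way the entry goes.
            if "(file missing)" in e.body:
                findings.append(Finding("O20-winlogon-notify-missing", "high", e.raw))
        elif e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            # Whatever is listed here loads into every process that links user32.dll,
            # so it is always worth a look even when legitimate (here: Google Desktop).
            findings.append(Finding("O20-appinit", "review", e.raw))
        elif e.section == "O16":
            # The URL is the last " - " separated field of a DPF entry.
            parsed = urlparse(e.body.rsplit(" - ", 1)[-1])
            host = (parsed.hostname or "").lower()
            if "/dialer/" in parsed.path.lower():
                findings.append(Finding("O16-dialer-cab", "high", e.raw))
            elif host not in TRUSTED_CAB_HOSTS:
                findings.append(Finding("O16-unknown-host", "review", e.raw))
        elif e.section == "O4":
            if any(name in e.body.lower() for name in ROGUE_PRODUCT_NAMES):
                findings.append(Finding("O4-rogue-product", "high", e.raw))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.tag:28} {f.raw}")
```

Run against a full log, the script leaves the vendor services, BHOs and startup items alone and surfaces the same four lines a helper would quote back: the WinFixer run key, the dialer CAB, the AppInit_DLLs value for confirmation, and the orphaned Winlogon Notify entry. The "review" severity exists on purpose: an AppInit_DLLs entry or an unknown CAB host is a reason to look, not a verdict.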
#2, 12-26-2007, 12:45 PM, artaloytia


Vundo Trouble

Bump. Thanks.
#3, 12-26-2007, 09:59 PM, Ried (Assistant Manager, TSF Academy; Moderator/Analyst, Security Team; joined Jan 2005; Ohio; OS: WinXP and Vista)


Re: Vundo Trouble

Hello artaloytia,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Disconnect from the internet.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on ComboFix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we can continue cleaning the system.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
#4, 12-27-2007, 04:49 PM, artaloytia


Re: Vundo Trouble

Thank you for your help.
I attached the logs.

ComboFix 07-12-28.1 - Augusto Artaloytia 2007-12-27 23:24:45.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.2070.18.616 [GMT 0:00]
Running from: C:\Documents and Settings\Augusto Artaloytia\Ambiente de trabalho\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\tpBe12
C:\WINDOWS\system32\ineWc01

.
((((((((((((((((((((((( Files Created from 2007-11-28 to 2007-12-28 ))))))))))))))))))))))))))))))))
.

2007-12-27 21:26 . 2007-12-27 21:26 <DIR> d-------- C:\Documents and Settings\Augusto Artaloytia\WINDOWS
2007-12-27 21:26 . 1997-01-18 10:40 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-26 19:28 . 2007-12-26 19:28 <DIR> d-------- C:\Documents and Settings\Augusto Artaloytia\Application Data\DivX
2007-12-26 19:27 . 2007-12-11 22:34 129,784 --------- C:\WINDOWS\system32\pxafs.dll
2007-12-26 19:27 . 2007-12-11 22:34 120,056 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-12-26 19:27 . 2007-12-11 22:34 118,520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-12-26 19:27 . 2007-12-11 22:34 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-26 19:27 . 2007-12-11 22:34 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-22 23:23 . 2007-12-22 23:23 <DIR> d-------- C:\Deckard
2007-12-22 22:46 . 2007-12-22 22:46 <DIR> d-------- C:\Programas\MSXML 6.0
2007-12-22 22:43 . 2007-12-22 22:43 <DIR> d-------- C:\Programas\MSBuild
2007-12-22 22:39 . 2007-12-22 22:39 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2007-12-22 22:38 . 2007-12-22 22:38 <DIR> d-------- C:\Programas\Reference Assemblies
2007-12-22 22:36 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2007-12-22 22:35 . 2007-12-22 22:35 <DIR> d-------- C:\dc692a0d9fff942351bda284f2
2007-12-22 21:56 . 2007-12-22 21:56 <DIR> d-------- C:\ie-spyad_zo
2007-12-22 21:44 . 2007-12-22 21:48 <DIR> d-------- C:\Programas\SpywareBlaster
2007-12-22 17:53 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\gstdjuxjllxx.sys
2007-12-22 17:26 . 2007-12-22 21:07 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-22 17:26 . 2007-12-22 18:50 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-22 17:26 . 2007-12-22 18:50 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-22 17:26 . 2007-12-22 18:50 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-19 19:20 . 2007-12-22 20:07 <DIR> d-------- C:\Programas\PokerStars.NET
2007-12-19 18:21 . 2007-12-19 18:21 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definições locais
2007-12-19 18:21 . 2007-12-19 18:21 <DIR> d-------- C:\Documents and Settings\NetworkService\Definições locais
2007-12-19 18:21 . 2007-12-19 18:21 <DIR> d-------- C:\Documents and Settings\LocalService\Definições locais
2007-12-19 18:21 . 2007-12-19 18:21 <DIR> d-------- C:\Documents and Settings\Joana Ramalho\Definições locais
2007-12-19 18:21 . 2007-12-19 18:21 <DIR> d-------- C:\Documents and Settings\Convidado\Definições locais
2007-12-19 18:21 . 2007-12-19 18:21 <DIR> d-------- C:\Documents and Settings\Augusto Artaloytia\Definições locais
2007-12-19 01:11 . 2007-12-28 23:30 <DIR> d-------- C:\Temp
2007-12-15 18:45 . 2004-08-04 07:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-12-15 18:45 . 2004-08-04 07:56 21,504 --a------ C:\WINDOWS\system32\dllcache\hidserv.dll
2007-12-13 21:23 . 2007-12-22 23:27 <DIR> d-------- C:\Programas\Trend Micro
2007-12-11 22:35 . 2007-12-11 22:35 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-12-11 22:35 . 2007-12-11 22:35 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2007-12-11 22:34 . 2007-12-11 22:34 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-12-11 22:34 . 2007-12-11 22:34 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-12-11 22:34 . 2007-12-11 22:34 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-12-11 22:32 . 2007-12-11 22:32 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2007-12-11 22:32 . 2007-12-11 22:32 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-12-11 22:32 . 2007-12-11 22:32 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-10 21:24 . 2007-12-10 21:24 1,142 --a------ C:\WINDOWS\mozver.dat
2007-12-10 21:13 . 2007-12-10 21:13 0 --a------ C:\WINDOWS\nsreg.dat
2007-12-08 00:51 . 2007-12-26 19:27 <DIR> d-------- C:\Programas\DivX
2007-12-06 20:00 . 2007-12-06 20:00 487,424 --------- C:\WINDOWS\Setup1.exe
2007-12-06 20:00 . 2007-12-06 20:00 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2007-11-28 18:46 . 2007-11-28 18:46 <DIR> d-------- C:\Programas\SopCast
2007-11-28 18:44 . 2007-12-19 18:26 <DIR> d-------- C:\Programas\Octoshape Streaming Services
2007-11-28 18:44 . 2007-11-28 18:44 <DIR> d-------- C:\Documents and Settings\Augusto Artaloytia\Application Data\TVU Networks

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-22 21:18 --------- d-----w C:\Documents and Settings\Augusto Artaloytia\Application Data\Skype
2007-12-22 20:12 --------- d-----w C:\Programas\Windows Defender
2007-12-22 20:03 --------- d-----w C:\Programas\Microsoft Works
2007-12-22 20:00 --------- d-----w C:\Programas\iTunes
2007-12-22 17:21 --------- d-----w C:\Programas\SIFOXDeal v2
2007-12-22 17:18 --------- d--h--w C:\Programas\InstallShield Installation Information
2007-12-22 17:16 --------- d-----w C:\Programas\Florikey V4.4 Beta
2007-12-11 22:34 43,528 ------w C:\WINDOWS\system32\drivers\pxhelp20.sys
2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-12-11 22:33 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-12-11 22:33 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-12-11 22:33 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-12-11 22:33 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2007-12-11 22:33 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-12-11 22:33 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-12-11 22:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-12-11 22:33 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-12-11 22:33 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-12-11 22:33 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-12-08 00:17 --------- d-----w C:\Programas\Apple Software Update
2007-11-28 18:44 --------- d-----w C:\Programas\TVU Player
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-04 21:46 --------- d-----w C:\Programas\Windows Media Connect 2
2007-10-30 23:23 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,294,336 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,294,336 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:43 8,501,248 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-25 09:28 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-25 09:28 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-24 01:47 96,760 ----a-w C:\WINDOWS\system32\dfshim.dll
2007-10-24 01:47 84,480 ----a-w C:\WINDOWS\system32\mscories.dll
2007-10-24 01:47 282,112 ----a-w C:\WINDOWS\system32\mscoree.dll
2007-10-24 01:47 158,720 ----a-w C:\WINDOWS\system32\mscorier.dll
2007-10-10 23:49 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:49 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:49 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:49 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:49 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:49 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:49 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:49 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:49 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:49 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:49 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:49 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:49 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:49 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:49 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:49 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:49 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:49 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:49 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:49 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:49 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:49 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 11:03 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 11:03 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-04-25 20:19 38,784 ----a-w C:\Documents and Settings\Augusto Artaloytia\Application Data\GDIPFONTCACHEV1.DAT
2006-01-17 12:21 421,212 ----a-w C:\Programas\LJC420998.inl
2005-05-11 22:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2005-04-10 21:42 0 ---ha-w C:\Documents and Settings\LocalService\hpothb07.dat
.

((((((((((((((((((((((((((((( snapshot@2007-12-19_18.20.15.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-20 12:09:03 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2007-12-22 22:50:39 69,120 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2007-11-20 12:09:20 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2007-12-22 22:50:50 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2007-12-22 22:38:08 151,552 ----a-w C:\WINDOWS\assembly\GAC_32\Microsoft.Transactions.Bridge.Dtc\3.0.0.0__b03f5f7f11d50a3a\Microsoft.Transactions.Bridge.Dtc.dll
- 2007-11-20 12:09:20 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2007-12-22 22:49:37 4,444,160 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

**edited out numerous snapshot entries--too many characters++

-- Snapshot reset to current date --
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"WinFixer 2005"="C:\Programas\WinFixer 2005\WFX5.exe" []
"VoipBuster"="C:\Programas\VoipBuster.com\VoipBuster\VoipBuster.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"Cpqset"="C:\Programas\HPQ\Default Settings\cpqset.exe" [2003-07-17 13:50]
"SunJavaUpdateSched"="C:\Programas\Java\j2re1.4.2_03\bin\jusched.exe" [2004-03-04 16:05]
"ATIPTA"="C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-13 21:10]
"SynTPLpr"="C:\Programas\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 20:12]
"SynTPEnh"="C:\Programas\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 20:11]
"WorksFUD"="C:\Programas\Microsoft Works\wkfud.exe" [2000-07-12 06:59]
"Microsoft Works Portfolio"="C:\Programas\Microsoft Works\WksSb.exe" [2000-07-12 07:14]
"Microsoft Works Update Detection"="C:\Programas\Microsoft Works\WkDetect.exe" [2000-11-08 12:33]
"CamMonitor"="C:\Programas\HP\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 00:23]
"Share-to-Web Namespace Daemon"="C:\Programas\HP\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 10:42]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe" [2005-03-08 04:42]
"HPHUPD05"="C:\Programas\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe" [2003-11-12 22:12]
"HP Component Manager"="C:\Programas\HP\hpcoretech\hpcmpmgr.exe" [2005-01-12 14:54]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2004-02-02 19:47]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 14:01 C:\WINDOWS\AGRSMMSG.exe]
"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-23 21:26]
"ShStatEXE"="C:\Programas\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 20:00]
"McAfeeUpdaterUI"="C:\Programas\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 03:50]
"Network Associates Error Reporting Service"="C:\Programas\Ficheiros comuns\Network Associates\TalkBack\TBMon.exe" [2003-10-07 09:48]
"Windows Defender"="C:\Programas\Windows Defender\MSASCui.exe" [2006-11-03 18:20]
"HP Software Update"="C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 15:24]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Programas\iTunes\iTunesHelper.exe" [2007-07-10 08:18]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 15:38]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
Adobe Reader Speed Launch.lnk - C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
BTTray.lnk - C:\Programas\Software WIDCOMM\Bluetooth\BTTray.exe [2003-09-12 11:42:00]
HP Digital Imaging Monitor.lnk - C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26]
Inicialização rápida do HP Image Zone.lnk - C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe [2005-05-11 23:49:24]
Lembretes do calendário do Microsoft Works.lnk - C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe [2000-07-12 07:14:38]
Microsoft Office.lnk - C:\Programas\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxwur]
gebxwur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

R3 WBSD;Winbond Secure Digital Storage (SD/MMC) Device Driver;C:\WINDOWS\system32\Drivers\WBSD.SYS [2003-03-20 17:24]
S3 usbscan;Controlador de scanner USB;C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-04 05:58]
S3 USBSTOR;Controlador de armazenamento de massa USB;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-04 06:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a0dcf00-2120-11dc-8d20-00023f23bc9c}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

.
Conteúdo da pasta 'Tarefas Agendadas'
"2007-12-08 00:17:20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programas\Apple Software Update\SoftwareUpdate.exe
"2007-12-10 16:05:09 C:\WINDOWS\Tasks\HP DArC Task #Hewlett-Packard#7200#CN43N3C3NXP4.job"
- C:\Programas\HP\hpcoretech\comp\hpdarc.exe$/#Hewlett-Packard#7200#CN43N3C3NXP4
"2007-12-27 22:43:04 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Programas\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\pexpress\hphped05.exe
"2007-12-27 13:56:19 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Programas\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-28 23:31:00
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programas\HPQ\Default Settings\cpqset.exe????????????4?0?6?9??????? ?deB???????????????B????????

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2007-12-28 23:31:46
C:\ComboFix2.txt ... 2007-12-19 18:21
.
2007-12-24 13:52:04 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:35:06, on 28-12-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe
C:\Programas\Network Associates\Common Framework\FrameworkService.exe
C:\Programas\Network Associates\VirusScan\Mcshield.exe
C:\Programas\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programas\Synaptics\SynTP\SynTPLpr.exe
C:\Programas\Synaptics\SynTP\SynTPEnh.exe
C:\Programas\Microsoft Works\WksSb.exe
C:\Programas\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Programas\HP\HP Share-to-Web\hpgs2wnd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Programas\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\Network Associates\VirusScan\SHSTAT.EXE
C:\Programas\Network Associates\Common Framework\UpdaterUI.exe
C:\Programas\Ficheiros comuns\Network Associates\TalkBack\TBMon.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Programas\HP\HP Share-to-Web\hpgs2wnf.exe
C:\Programas\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
C:\Programas\Software WIDCOMM\Bluetooth\BTTray.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Programas\iPod\bin\iPodService.exe
C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqimzone.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programas\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programas\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programas\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Programas\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Programas\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Programas\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Programas\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Programas\HP\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Programas\Hewlett-Packard\{D946675D-1D6C-4dc8-9E0D-B4B8EAA30EAA}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Programas\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Programas\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Programas\Ficheiros comuns\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [HP Software Update] C:\Programas\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programas\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Programas\WinFixer 2005\WFX5.exe" /scan
O4 - HKCU\..\Run: [VoipBuster] "C:\Programas\VoipBuster.com\VoipBuster\VoipBuster.exe" -nosplash -minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\FICHEI~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Inicialização rápida do HP Image Zone.lnk = C:\Programas\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Lembretes do calendário do Microsoft Works.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &eBay Search - res://C:\Programas\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Enviar para &Bluetooth - C:\Programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Programas\Software WIDCOMM\Bluetooth\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Programas\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10...y.cab55579.cab
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} - http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {410A8B3C-7CCB-40E8-8B11-28B099E5C488} (Trend Micro Security Services Control) - http://tmss.trendmicro.com/Dashboard...MSSReportW.CAB
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1110715811535
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/webplayer/s...wserPlugin.cab
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (MSN Games – Hearts) - http://zone.msn.com/bingame/zpagames...z.cab67031.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (MSN Games – Texas Holdem Poker) - http://zone.msn.com/bingame/zpagames...e.cab60231.cab
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} - http://advnt01.com/dialer/int_ver30.CAB
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramewor...o.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10...y.cab55579.cab
O16 - DPF: {FF3C5A9F-5A91-4930-80E8-4709194C2AD3} (CheckersZPA Object) - http://zone.msn.com/bingame/zpagames...A.cab55579.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Programas\Ficheiros comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Programas\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Programas\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Programas\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Programas\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 11908 bytes

Last edited by Ried : 12-27-2007 at 08:18 PM.
Old 12-27-2007, 08:24 PM   #5 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 20,048
OS: WinXP and Vista


Re: Vundo Trouble

You're welcome.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Close any open browsers.

--------------------------------------------------------------------

Disable Windows Defender as it may interfere with the fixes below:
  • Open Windows Defender.
  • Click on Tools, Options.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Programas\WinFixer 2005\WFX5.exe" /scan
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} - http://advnt01.com/dialer/int_ver30.CAB
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)

Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------------------

Run a new scan with HijackThis and save the log.

---------------------------------------------------------------

Please include the following in your next reply:

Kaspersky results
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
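As an added example (not a tool from this thread, from Ried, or from the HijackThis project), the script below reads HijackThis v2-format lines like those posted above and produces a shortlist for human review of the entry classes the helper asked to have fixed: entries whose referenced file is missing, autostart names on a denylist, and O16 ActiveX downloads from suspect URLs. The sample lines are copied from the thread's log; the denylists (`winfixer`, `dialer`) are constructed from the helper's selection, and the URL rule generalizes by flagging both advnt01.com dialer CABs rather than only the one picked above.

```python
"""Triage helper for HijackThis v2 log lines (added example, not the forum's tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines in the HijackThis v2.0.2 format used in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [WinFixer 2005] "C:\Programas\WinFixer 2005\WFX5.exe" /scan
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {9E98E84C-79E1-49C3-82EB-798FCD552EFB} - http://advnt01.com/dialer/internazionale_ver4.CAB
O16 - DPF: {B7E76C25-791F-432E-BDB7-748D01A93FC2} - http://advnt01.com/dialer/int_ver30.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: gebxwur - gebxwur.dll (file missing)
"""

# Every HJT entry starts with a section tag (R0-R3, F0-F3, N1-N4, O1-O24) and " - ".
_LINE_RE = re.compile(r"^([RFNO]\d{1,2}) - (.*)$")
# Markers HijackThis appends when the referenced file is absent from disk.
_ORPHAN_MARKERS = ("(no file)", "(file missing)")
# O16 body: "DPF: {CLSID} (optional Name) - download URL".
_DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - (\S+)$")
# O4 body: "HKxx\..\Run: [entry name] command".
_RUN_RE = re.compile(r"^(HK\S*?)\\\.\.\\Run: \[(.*?)\] (.*)$")

# Constructed denylists, modelled on what the helper singled out in this thread.
_SUSPECT_RUN_NAMES = ("winfixer",)
_SUSPECT_URL_KEYWORDS = ("dialer",)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split one HJT line into (section, body); None for non-entry lines."""
    m = _LINE_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_entry(section: str, body: str) -> Optional[str]:
    """Return a reason string if the entry deserves a human look, else None."""
    if body.endswith(_ORPHAN_MARKERS):
        # A hook or notify entry whose DLL is gone: typical leftover of a removed infection.
        return "orphaned reference"
    if section == "O4":
        m = _RUN_RE.match(body)
        if m and any(k in m.group(2).lower() for k in _SUSPECT_RUN_NAMES):
            return "autostart name on denylist"
    if section == "O16":
        m = _DPF_RE.match(body)
        if m and any(k in m.group(3).lower() for k in _SUSPECT_URL_KEYWORDS):
            return "ActiveX download from suspect URL"
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every entry line through check_entry and collect the flagged ones in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reason = check_entry(section, body)
        if reason:
            findings.append(Finding(section, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:35} {f.line}")
```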
Old 12-30-2007, 01:35 PM   #6 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 6
OS: windows XP


Re: Vundo Trouble

Thank you for your help.
I attach the report files.
The computer seems to be a little more stable and quicker.

Happy new year!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, December 31, 2007 8:18:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/12/2007
Kaspersky Anti-Virus database records: 500302
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 91480
Number of viruses found: 28
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 02:01:30

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03092007-181316.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Works\Portfolio\Exemplo.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20071231_Time-143042882_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20071231_Time-143042882_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_ARTALOYTIA.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_ARTALOYTIA.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\ApplicationHistory\hpqimzone.exe.7a91f615.ini.inuse Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbc2e.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbdam Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbdao Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbeam Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbeao Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbm Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbu2d.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbvm.cf1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\dbvmh.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\fii.cf1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\fiih.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\hp Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\hpt2i.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\rpm.cf1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\rpm1m.cf1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\rpm1mh.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\rpmh.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\safeweb\goog-black-enchashm.cf1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\safeweb\goog-black-enchashmh.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\safeweb\goog-black-urlm.cf1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\safeweb\goog-black-urlmh.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\safeweb\goog-malware-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\safeweb\goog-malware-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\safeweb\goog-white-domainm.cf1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Google\Google Desktop\c3c873dd0359\safeweb\goog-white-domainmh.ht1 Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Temp\ mon006.log Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Temp\~DF79C8.tmp Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Temp\~DF9513.tmp Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\Internet Optimizer\update\actalert.exe Infected: Trojan-Downloader.Win32.Dyfuca.ez skipped
C:\Documents and Settings\Augusto Artaloytia\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Augusto Artaloytia\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Conte