Full Version: paypopup problem. log here
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
natanaelcd
I'm having trouble in Firefox.
Sometimes many types of popup show on the screen.
I think they are from paypopup.com

I have run an Ad-Aware 7 complete scan and a Spybot scan too, and the problem is not fixed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:01:42, on 27/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS.0\Explorer.EXE
C:\WINDOWS.0\system32\spoolsv.exe
C:\Arquivos de programas\AntiVir\avguard.exe
C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\AntiVir\avgnt.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\TaskSwitchXP\TaskSwitchXP.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\uTorrent\utorrent.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\Winamp\winamp.exe
C:\Arquivos de programas\SpeedFan\speedfan.exe
C:\Arquivos de programas\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Arquivos de programas\AntiVir\sched.exe
C:\Arquivos de programas\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS.0\system32\bgsvcgen.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Arquivos de programas\Raxco\PerfectDisk\PDAgent.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS.0\system32\PnkBstrA.exe
C:\Arquivos de programas\Sygate\SPF\smc.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Arquivos de programas\Raxco\PerfectDisk\PDEngine.exe
C:\Arquivos de programas\Last.fm\LastFM.exe
C:\Arquivos de programas\Last.fm\LastFMHelper.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Temp\h\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 38.113.174.32 www.google-analytics.com
O1 - Hosts: 38.113.170.200 ads1.msn.com
O1 - Hosts: 38.113.170.200 ads.sup.com
O1 - Hosts: 38.113.174.32 dehp.myspace.com
O1 - Hosts: 38.113.174.32 demr.myspace.com
O1 - Hosts: 38.113.174.32 desk.myspace.com
O1 - Hosts: 38.113.174.32 delb.myspace.com
O1 - Hosts: 38.113.174.32 delb2.myspace.com
O1 - Hosts: 38.113.174.32 debr.myspace.com
O1 - Hosts: 38.113.174.32 view.atdmt.com
O1 - Hosts: 38.113.170.200 themis.geocities.yahoo.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SmcService] C:\ARQUIV~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\AntiVir\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Arquivos de programas\TaskSwitchXP\TaskSwitchXP.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Arquivos de programas\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: musica.lnk = C:\2.m3u
O4 - Startup: SpeedFan.lnk = C:\Arquivos de programas\SpeedFan\speedfan.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet TV by Endicosoft.com - {1D958E09-3112-7f0e-9723-5C1321C57B27} - C:\Arquivos de programas\Internet TV 2050\InternetTV.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{864B39D2-E112-4A39-AF21-B23AB08FC958}: NameServer = 192.168.0.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\AntiVir\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\AntiVir\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Arquivos de programas\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS.0\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Arquivos de programas\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Arquivos de programas\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS.0\system32\PnkBstrA.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

--
End of file - 10714 bytes
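The security-relevant finding in the log above is the block of O1 entries: well-known analytics and ad hostnames (and several MySpace names) are mapped in the hosts file to two routable addresses, so requests that should reach those sites are steered to somebody else's server. The script below is an added example, not part of the original thread and not code from HijackThis or ComboFix; it parses O1 lines, flags entries that point anywhere other than a loopback/unspecified address (the only pattern a hosts file uses for legitimate blocking), groups them by target address, and diffs a before/after log the way the two logs in this thread can be compared. The sample input is constructed from the O1 lines of the first log plus a made-up `127.0.0.1 localhost` line; the function names are assumptions.

```python
"""Parse HijackThis O1 (hosts file) entries and flag hosts-file redirects."""
import re
import ipaddress
from collections import defaultdict

# Constructed sample input: the O1 lines from the first HijackThis log in this thread,
# plus one benign loopback entry (not in the thread) to show that it is NOT flagged.
BEFORE_CLEANUP = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 38.113.174.32 www.google-analytics.com
O1 - Hosts: 38.113.170.200 ads1.msn.com
O1 - Hosts: 38.113.170.200 ads.sup.com
O1 - Hosts: 38.113.174.32 dehp.myspace.com
O1 - Hosts: 38.113.174.32 demr.myspace.com
O1 - Hosts: 38.113.174.32 desk.myspace.com
O1 - Hosts: 38.113.174.32 delb.myspace.com
O1 - Hosts: 38.113.174.32 delb2.myspace.com
O1 - Hosts: 38.113.174.32 debr.myspace.com
O1 - Hosts: 38.113.174.32 view.atdmt.com
O1 - Hosts: 38.113.170.200 themis.geocities.yahoo.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

# Constructed: the same section after cleanup. The second log in this thread has no O1
# lines at all; the loopback line is kept here so the comparison has something benign.
AFTER_CLEANUP = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
"""

# One O1 line: "O1 - Hosts: <address> <hostname>"
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)\s*$", re.MULTILINE)


def parse_o1(log_text):
    """Return (address, hostname) pairs for every O1 line in a HijackThis log."""
    return [(m.group(1), m.group(2)) for m in O1_RE.finditer(log_text)]


def is_sinkhole_to_self(ip):
    """True for loopback/unspecified addresses: the pattern a hosts file uses to block a name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable address: not a self-sink, so the entry gets flagged
    return addr.is_loopback or addr.is_unspecified


def suspicious_o1(log_text):
    """O1 entries that redirect a hostname to a routable address instead of blocking it."""
    return [(ip, host) for ip, host in parse_o1(log_text) if not is_sinkhole_to_self(ip)]


def group_by_target(entries):
    """Map each target address to the hostnames steered to it.

    Many unrelated names fanning in to one or two addresses is the fingerprint of
    a redirector rather than of a hand-maintained blocking list."""
    groups = defaultdict(list)
    for ip, host in entries:
        groups[ip].append(host)
    return dict(groups)


def diff_o1(before_log, after_log):
    """Entries removed by the cleanup, and any that newly appeared afterwards."""
    before, after = set(parse_o1(before_log)), set(parse_o1(after_log))
    return sorted(before - after), sorted(after - before)


def report(before_log, after_log):
    """Print a summary; return how many redirect entries survive the cleanup."""
    flagged = suspicious_o1(before_log)
    print(f"{len(flagged)} hosts-file redirect(s) in the first log:")
    for ip, hosts in group_by_target(flagged).items():
        print(f"  {ip} <- {len(hosts)} hostname(s): {', '.join(hosts)}")
    removed, added = diff_o1(before_log, after_log)
    print(f"removed by cleanup: {len(removed)}, newly appeared: {len(added)}")
    remaining = suspicious_o1(after_log)
    print("remaining redirects after cleanup:", remaining or "none")
    return len(remaining)


if __name__ == "__main__":
    report(BEFORE_CLEANUP, AFTER_CLEANUP)
```

Run as a script it prints the redirects grouped by target address and the before/after difference. The grouping is the useful part when reading a log by hand: a genuine blocking list points every name at loopback, whereas here eleven unrelated names fan in to just two routable addresses, which is why those entries deserve to be removed and re-checked in the follow-up log.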
LoPhatPhuud
Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
natanaelcd
ComboFix 07-11-29.3 - Administrador 2007-11-29 0:04:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.552 [GMT -3:00]
Executando de: C:\Documents and Settings\Administrador.ROCKER69\Desktop\ComboFix.exe
* Criado um novo ponto de restauro
.

((((((((((((((((((((((( Ficheiros criados de 2007-10-28 to 2007-11-29 ))))))))))))))))))))))))))))))))
.

2007-11-27 23:03 . 2007-11-27 23:03 164 --a------ C:\install.dat
2007-11-27 22:35 . 2007-11-27 23:02 <DIR> d-------- C:\Documents and Settings\Administrador.ROCKER69\Dados de aplicativos\GetRightToGo
2007-11-27 21:00 . 2007-11-28 04:06 <DIR> d-------- C:\Temp\h
2007-11-27 07:32 . 2007-11-27 07:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Dados de aplicativos\Lavasoft
2007-11-27 04:09 . 2007-11-27 04:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Dados de aplicativos\Spybot - Search & Destroy
2007-11-27 04:03 . 2007-11-27 04:03 <DIR> d-------- C:\Arquivos de programas\Lavasoft
2007-11-27 00:08 . 2007-11-27 00:08 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Native Instruments
2007-11-27 00:07 . 2007-11-27 00:07 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Digidesign
2007-11-26 23:42 . 2007-11-26 23:42 <DIR> d-------- C:\Arquivos de programas\Steinberg
2007-11-26 23:42 . 2007-11-26 23:42 <DIR> d-------- C:\Arquivos de programas\Alien Connections
2007-11-26 23:37 . 2007-11-26 23:37 <DIR> d-------- C:\Arquivos de programas\GuitarFX 3
2007-11-26 22:25 . 2007-11-26 22:25 <DIR> d-------- C:\Arquivos de programas\Audacity
2007-11-26 22:20 . 2007-11-27 00:05 <DIR> d-------- C:\Arquivos de programas\Native Instruments
2007-11-26 22:14 . 2004-08-03 23:07 59,264 --a------ C:\WINDOWS.0\system32\drivers\USBAUDIO.sys
2007-11-26 22:14 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS.0\system32\drivers\usbccgp.sys
2007-11-15 02:18 . 2007-11-15 02:20 <DIR> d-------- C:\Arquivos de programas\oscar
2007-11-14 13:40 . 2007-11-14 13:40 <DIR> d-------- C:\Arquivos de programas\GVT
2007-11-14 03:59 . 2007-11-14 03:59 <DIR> d-------- C:\Arquivos de programas\SmartFTP Client 2.5 Setup Files
2007-11-14 03:12 . 2007-11-14 03:12 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Dados de aplicativos\FLEXnet
2007-11-14 02:57 . 2007-11-14 02:57 <DIR> d-------- C:\Arquivos de programas\Bonjour
2007-11-14 02:40 . 2007-11-14 02:40 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\Macrovision Shared
2007-11-07 22:54 . 2007-11-07 22:54 <DIR> d-------- C:\Arquivos de programas\Guitar Pro 5
2007-11-06 00:17 . 2007-11-06 00:17 <DIR> d-------- C:\Arquivos de programas\legenda
2007-11-03 06:58 . 2007-11-03 06:59 <DIR> d-------- C:\Documents and Settings\Administrador.ROCKER69\Dados de aplicativos\Media Player Classic
2007-11-03 06:58 . 2007-11-03 06:58 <DIR> d-------- C:\Arquivos de programas\K-Lite Codec Pack
2007-11-03 06:58 . 2007-09-28 18:07 3,596,288 --a------ C:\WINDOWS.0\system32\qt-dx331.dll
2007-11-03 06:58 . 2007-09-04 18:56 164,352 --a------ C:\WINDOWS.0\system32\unrar.dll
2007-10-31 04:40 . 2007-10-31 04:40 <DIR> d-------- C:\Documents and Settings\Administrador.ROCKER69\Dados de aplicativos\Lionhead Studios
2007-10-31 04:28 . 2007-10-31 04:28 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS.0\Dados de aplicativos\Lionhead Studios
2007-10-31 04:25 . 2007-10-31 04:25 <DIR> d--hs---- C:\WINDOWS.0\ftpcache

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-29 03:06 --------- d-----w C:\Documents and Settings\Administrador.ROCKER69\Dados de aplicativos\uTorrent
2007-11-28 22:43 --------- d-----w C:\Arquivos de programas\AntiVir
2007-11-28 17:01 --------- d-----w C:\Arquivos de programas\SpeedFan
2007-11-27 10:31 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2007-11-27 07:10 --------- d-----w C:\Arquivos de programas\SpywareBlaster
2007-11-14 06:59 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-11-14 06:59 --------- d-----w C:\Arquivos de programas\SmartFTP Client
2007-11-14 05:57 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Adobe
2007-11-01 06:50 --------- d-----w C:\Arquivos de programas\Steam
2007-10-16 08:49 --------- d-----w C:\Arquivos de programas\Winamp
2007-10-15 09:35 843,034 ----a-w C:\WINDOWS.0\system32\Ugly Duckling Saver.scr
2007-10-15 09:35 --------- d-----w C:\Arquivos de programas\Ugly Duckling Saver
2007-10-15 02:44 22,328 ----a-w C:\WINDOWS.0\system32\drivers\PnkBstrK.sys
2007-10-15 02:44 103,736 ----a-w C:\WINDOWS.0\system32\PnkBstrB.exe
2007-10-09 04:08 --------- d-----w C:\Arquivos de programas\EvilLyrics
2007-09-28 21:05 81,920 ----a-w C:\WINDOWS.0\system32\dpl100.dll
2007-09-28 21:05 739,840 ----a-w C:\WINDOWS.0\system32\divx.dll
2007-09-15 11:05 66,872 ----a-w C:\WINDOWS.0\system32\PnkBstrA.exe
2007-09-12 08:30 583 ----a-w C:\Arquivos de programas\Atalho para MPEG4Modifier.exe.lnk
2007-09-12 08:30 578 ----a-w C:\Arquivos de programas\Atalho para SubtitleTool.exe.lnk
2007-09-12 08:30 573 ----a-w C:\Arquivos de programas\Atalho para VobSubStrip.exe.lnk
2007-09-02 07:58 53,248 ----a-w C:\WINDOWS.0\system32\GenSvcInst.exe
2007-09-02 07:58 118,784 ----a-w C:\WINDOWS.0\system32\bgsvcgen.exe
2007-08-13 05:18 111 ----a-w C:\Arquivos de programas\VobSubStrip.ini
2007-08-09 07:00 66,484 ----a-w C:\Documents and Settings\All Users.WINDOWS.0\Dados de aplicativos\firstlsp.reg.dat
2006-11-06 04:06 81,920 ----a-w C:\Arquivos de programas\MPEG4Modifier.exe
2006-01-12 19:47 3,819 ----a-w C:\Arquivos de programas\2.txt
2005-11-22 02:45 16,896 ----a-w C:\Arquivos de programas\InactivityTimer.dll
2002-10-15 23:58 22,528 ----a-w C:\Arquivos de programas\VobSubStrip.exe
2002-05-27 12:24 289,792 ----a-w C:\Arquivos de programas\SubtitleTool.exe
2001-12-27 21:03 293 ----a-w C:\Arquivos de programas\file_id.diz
2001-12-27 20:07 660,992 ----a-w C:\Arquivos de programas\FontViewer.exe
2001-12-27 20:04 6,872 ----a-w C:\Arquivos de programas\Leeme.txt
2001-12-27 20:04 6,268 ----a-w C:\Arquivos de programas\Readme.txt
2001-12-18 03:32 33,792 ----a-w C:\Arquivos de programas\esp.dll
2001-12-17 15:01 1,600 ----a-w C:\Arquivos de programas\Cambios.txt
2001-12-17 15:01 1,402 ----a-w C:\Arquivos de programas\Changes.txt
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\system32\ctfmon.exe" [2004-08-04 00:45]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [2007-04-03 19:29]
"TaskSwitchXP"="C:\Arquivos de programas\TaskSwitchXP\TaskSwitchXP.exe" [2006-08-04 19:29]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"uTorrent"="C:\Arquivos de programas\uTorrent\utorrent.exe" [2007-09-18 17:13]
"SpybotSD TeaTimer"="C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SkyTel"="SkyTel.EXE" [2007-06-15 16:45 C:\WINDOWS.0\SkyTel.exe]
"SmcService"="C:\ARQUIV~1\Sygate\SPF\smc.exe" [2005-09-27 12:16]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:45 C:\WINDOWS.0\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-08-16 04:35 C:\WINDOWS.0\system32\nwiz.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 00:45 C:\WINDOWS.0\system32\rundll32.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 C:\WINDOWS.0\RTHDCPL.exe]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe" [2005-07-15 18:48]
"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 16:30]
"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 16:30]
"avgnt"="C:\Arquivos de programas\AntiVir\avgnt.exe" [2007-10-10 22:19]
"WinampAgent"="C:\Arquivos de programas\Winamp\wianmpa.exe" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS.0\system32\CTFMON.EXE" [2004-08-04 00:45]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" [2007-08-20 07:01 C:\WINDOWS.0\system32\advpack.dll]

C:\Documents and Settings\Administrador.ROCKER69\Menu Iniciar\Programas\Inicializar\
musica.lnk - C:\2.m3u [2007-08-05 16:02:10]
SpeedFan.lnk - C:\Arquivos de programas\SpeedFan\speedfan.exe [2007-02-28 15:28:02]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoResolveSearch"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)

R0 AmdAcpi;AmdAcpi Bus Filter Driver;C:\WINDOWS.0\system32\DRIVERS\AmdAcpi.sys
R3 amdtools;AMD Special Tools Driver;C:\WINDOWS.0\system32\DRIVERS\amdtools.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS.0\system32\Drivers\StMp3Rec.sys

*Newly Created Service* - CATCHME
*Newly Created Service* - PROCEXP90
.
**************************************************************************

catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-29 00:08:07
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

**************************************************************************
.
Tempo para conclusão: 2007-11-29 0:09:10
.
--- E O F ---
natanaelcd
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:11:37, on 29/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Arquivos de programas\AntiVir\avguard.exe
C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe
C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe
C:\Arquivos de programas\AntiVir\avgnt.exe
C:\WINDOWS.0\system32\ctfmon.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\TaskSwitchXP\TaskSwitchXP.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\uTorrent\utorrent.exe
C:\Arquivos de programas\SpeedFan\speedfan.exe
C:\Arquivos de programas\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Arquivos de programas\AntiVir\sched.exe
C:\Arquivos de programas\APC\APC PowerChute Personal Edition\mainserv.exe
C:\WINDOWS.0\system32\bgsvcgen.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS.0\system32\nvsvc32.exe
C:\Arquivos de programas\Raxco\PerfectDisk\PDAgent.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS.0\system32\PnkBstrA.exe
C:\Arquivos de programas\Sygate\SPF\smc.exe
C:\WINDOWS.0\system32\svchost.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Arquivos de programas\Raxco\PerfectDisk\PDEngine.exe
C:\Arquivos de programas\Last.fm\LastFM.exe
C:\Arquivos de programas\Last.fm\LastFMHelper.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\WINDOWS.0\system32\calc.exe
C:\WINDOWS.0\explorer.exe
C:\WINDOWS.0\system32\NOTEPAD.EXE
C:\Temp\h\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SmcService] "C:\ARQUIV~1\Sygate\SPF\smc.exe" -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS.0\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] "C:\Arquivos de programas\Google\Gmail Notifier\gnotify.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\AntiVir\avgnt.exe" /min
O4 - HKLM\..\Run: [WinampAgent] C:\Arquivos de programas\Winamp\wianmpa.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [TaskSwitchXP] "C:\Arquivos de programas\TaskSwitchXP\TaskSwitchXP.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Arquivos de programas\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS.0\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: musica.lnk = C:\2.m3u
O4 - Startup: SpeedFan.lnk = C:\Arquivos de programas\SpeedFan\speedfan.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Internet TV by Endicosoft.com - {1D958E09-3112-7f0e-9723-5C1321C57B27} - C:\Arquivos de programas\Internet TV 2050\InternetTV.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS.0\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{864B39D2-E112-4A39-AF21-B23AB08FC958}: NameServer = 192.168.0.1
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Arquivos de programas\AntiVir\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\AntiVir\avguard.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Arquivos de programas\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS.0\system32\bgsvcgen.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS.0\system32\nvsvc32.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Arquivos de programas\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Arquivos de programas\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS.0\system32\PnkBstrA.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Lite XI.SP4a\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Lite XI.SP4a\RpcSandraSrv.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Arquivos de programas\Sygate\SPF\smc.exe

--
End of file - 9941 bytes
LoPhatPhuud
That seems to have removed the obvious garbage. Are you still experiencing any problems?
natanaelcd
I removed some things, based on other topics here.
Today my Firefox is normal.
Thanks.