
MS Juan and MS Track System


Cat

Hello everyone, recently I've been plagued by a certain malware (Rapid Anti-Virus), and after Malwarebytes got rid of it there was still an MS Juan and an MS Track System that, whenever it got deleted, just came right back. I read that it's caused by a Trojan that morphs itself and that I should post a HijackThis log so that you guys can find it.

For the moment, the only annoying thing they are doing is a pop-up, which is harmless right now, but I'm scared that it might download the malware again. I hope you guys can help.

Logfile of HijackThis v1.99.1

Scan saved at 11:46:03, on 15/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\E_S00RP1.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\D-Tools\daemon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\svchost.exe

C:\ARQUIVOS DE PROGRAMAS\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://200.165.104.28/home

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\ARQUIV~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll

O2 - BHO: {841254df-05e8-871a-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-42BB-932D-C911DCD62162}: NameServer = 192.168.254.254

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL

O20 - AppInit_DLLs: fzcvoc.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

Thanks.


  • Root Admin

Hello and Welcome to Malwarebytes.org

Please read and follow the instructions provided here: Pre-HJT Post Instructions

When ready please post your logs back here:

During this scan and cleanup process you should not install any other software unless requested to do so.

Update TrendMicro


Malwarebytes' Anti-Malware 1.28

Database version: 1271

Windows 5.1.2600 Service Pack 2

15/10/2008 18:31:45

mbam-log-2008-10-15 (18-31-45).txt

Scan type: Quick Scan

Objects scanned: 48798

Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-------------------

;*******************************************************************************

ANALYSIS: 2008-10-15 20:30:38

PROTECTIONS: 1

MALWARE: 12

SUSPECTS: 3

;*******************************************************************************

PROTECTIONS

Description Version Active Updated

;=============================================================

Eset NOD32 sistema antivrus 2.50 2.50 Yes No

;=============================================================

MALWARE

Id Description Type Active Severity Disinfectable Disinfected Location

;=============================================================

00020255 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\usuario\.jpi_cache\jar\1.0\loaderadv620.jar-39a471c-39882a9a.zip[Dummy.class]

00020255 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\usuario\.jpi_cache\jar\1.0\loaderadv621.jar-3a85e9d-642381a7.zip[Dummy.class]

00047865 adware/midaddle Adware No 0 Yes No c:\documents and settings\usuario\configura


  • Root Admin

You need to shut down your uTorrent program while we're working on your computer.

Using Torrent sharing programs is often how you can get infected.

STEP 01

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 7 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u7-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE), etc.
  • Browse to C:\Program Files\Java and remove the JAVA folder.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

STEP 02

Please upload this file C:\WINDOWS\system32\fzcvoc.dll to here

STEP 03

Start MB, go to the MORE TOOLS tab, select the Run Tool for FileASSASSIN, browse to this file C:\WINDOWS\system32\wscntfy.exe, and delete it.

STEP 04

Start HJT and do a Scan only and place a check mark on the following items.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://200.165.104.28/home

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)

O2 - BHO: {841254df-05e8-871a-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe

O20 - AppInit_DLLs: fzcvoc.dll

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/usuario/CONFIG~1/Temp/msohtml1/01/clip_image002.jpg

O24 - Desktop Component 1: Privacy Protection - (no file)

Then click on Fix selected...

STEP 05

  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.
  • Reboot your computer after it runs

STEP 06

Run MB and UPDATE it and do a Quick Scan and fix anything found.

Reboot the computer when MB is done.

STEP 07

Start HJT and do a Scan and save log.

STEP 08

Post back the MB and HJT logs.
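As an added example (not code from this thread, from HijackThis or from Malwarebytes), here is a small Python triage script that applies the same kind of checks the Root Admin used when choosing which entries to fix: it parses HijackThis-style R/O lines, flags a start page set to a bare IP address, BHOs with no file or with a GUID in place of a product name, DLLs listed under AppInit_DLLs, IE policy restrictions and orphaned desktop components, then reports any DLL that shows up at more than one load point. The sample lines are a constructed subset modelled on the log above; the severity labels and rules are this example's own.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample: a subset of HijackThis entries modelled on the log quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://200.165.104.28/home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)
O2 - BHO: {841254df-05e8-871a-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - AppInit_DLLs: fzcvoc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O24 - Desktop Component 1: Privacy Protection - (no file)
"""

# Every entry is "<section> - <body>"; a BHO body is "BHO: <name> - {CLSID} - <path>".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# A start/search page whose host is a bare IPv4 address rather than a hostname.
IP_URL_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?:[:/]|$)")

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def _finding(section, severity, reason, line, dll=None):
    return {"section": section, "severity": severity, "reason": reason,
            "line": line, "dll": dll}


def triage(log_text):
    """Parse HijackThis-style lines and return the entries a reviewer should look at first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, the process list and blank lines are not R/F/O entries
        section, body = m.group("section"), m.group("body")
        if section in ("R0", "R1") and IP_URL_RE.search(body):
            findings.append(_finding(section, "high",
                            "browser start/search page set to a bare IP address", line))
        elif section == "O2":
            b = BHO_RE.match(body)
            if b is None:
                continue
            name, path = b.group("name"), b.group("path")
            if path == "(no file)":
                findings.append(_finding(section, "low",
                                "BHO registered but its DLL is missing (orphaned entry)", line))
            elif GUID_RE.match(name):
                # Legitimate BHOs carry a product name; a GUID as the name is a generated value.
                findings.append(_finding(section, "high",
                                "BHO named by a GUID instead of a product name", line,
                                dll=ntpath.basename(path).lower()))
        elif section == "O6" and body.endswith("Restrictions present"):
            findings.append(_finding(section, "medium",
                            "Internet Explorer policy restrictions set under HKCU", line))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # Every DLL listed here is loaded into each process that links user32.dll.
            for dll in body.split(":", 1)[1].split():
                findings.append(_finding(section, "high",
                                "AppInit_DLLs loads %s into every user32-linked process" % dll,
                                line, dll=dll.lower()))
        elif section == "O24" and body.endswith("(no file)"):
            findings.append(_finding(section, "low",
                            "desktop component points at a missing file", line))
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])  # stable: log order within a level
    return findings


def shared_dlls(findings):
    """DLL basenames seen at more than one load point, e.g. both as a BHO and in AppInit_DLLs."""
    seen = defaultdict(set)
    for f in findings:
        if f["dll"]:
            seen[f["dll"]].add(f["section"])
    return sorted(d for d, sections in seen.items() if len(sections) > 1)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print("[%s] %s: %s\n    %s" % (f["severity"].upper(), f["section"], f["reason"], f["line"]))
    print("DLLs seen at multiple load points:", shared_dlls(results))
```

Run against a full HijackThis log, the script leaves the process list and the signed vendor entries alone and surfaces only the handful of lines worth a manual look, with a DLL that appears both as a BHO and under AppInit_DLLs called out separately.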


I tried to delete the file wscntfy.exe, like you said, and the program was not able to delete it.

O24 - Desktop Component 1: Privacy Protection - (no file) was not deleted.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:54:20, on 16/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\E_S00RP1.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\D-Tools\daemon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\ARQUIV~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-42BB-932D-C911DCD62162}: NameServer = 192.168.254.254

O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

O24 - Desktop Component 1: Privacy Protection - (no file)

--

End of file - 4076 bytes

Malwarebytes' Anti-Malware 1.28

Database version: 1271

Windows 5.1.2600 Service Pack 2

16/10/2008 10:52:48

mbam-log-2008-10-16 (10-52-48).txt

Scan type: Quick Scan

Objects scanned: 48641

Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

Please find this file C:\WINDOWS\system32\fzcvoc.dll, attach it in a zipped folder here in a new topic you start, and link back to your thread in the HJT forum please.

How To Use Compressed (Zipped) Folders in Windows XP

For now please ignore the C:\WINDOWS\system32\wscntfy.exe as it may be the legitimate one for XP. It was flagged by another site as being part of KAVPersonal90 Malware. Once we get and analyze the DLL file above that will help us to determine what else is going on.

Thanks.


  • Root Admin

Just a minor note while waiting to get the file. Sun Java has been updated to version 10 now.

Once ALL older versions are removed you will no longer need to remove them in the future. This update includes a new method of updating that will update the files in place. So with the next version 11 update it will actually update 10 instead of a new installation.

Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 10.

  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 10 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u10-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE), etc.
  • Browse to C:\Program Files\Java and remove the JAVA folder.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer

Malwarebytes' Anti-Malware 1.29

Database version: 1284

Windows 5.1.2600 Service Pack 2

18/10/2008 11:39:50

mbam-log-2008-10-18 (11-39-50).txt

Scan type: Quick Scan

Objects scanned: 49104

Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:40:10, on 18/10/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\E_S00RP1.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\D-Tools\daemon.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE

C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

C:\WINDOWS\System32\svchost.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\ARQUIV~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033

O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"

O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-42BB-932D-C911DCD62162}: NameServer = 192.168.254.254

O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

O24 - Desktop Component 1: Privacy Protection - (no file)

--

End of file - 4043 bytes

Looks like it's clean for the moment, thanks.

But O24 - Desktop Component 1: Privacy Protection - (no file) still does not want to be deleted.


  • Root Admin

Click on START - RUN, type in SIGVERIF, and click OK.

This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the START button and let it run.
  • It will pop up a box when it's done to show the status; you can close that box.
  • Close the File Signature Verification application.
  • Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply.
  • DO NOT post the log directly into your reply; attach the file please.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I also need for you to download this program OTListIt.exe to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
  • Place a checkmark in the Scan All Users checkbox (leave 'Use Whitelist' checked and 'File Age:' at 30 days).
  • Click the Run Scan button.
  • NOTE: Please be patient and let the scan run without using the computer.
  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop).
  • In Notepad, click Edit, Select all, then Edit, Copy.
  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log, or right-click and paste.
  • Submit your reply and close the Notepad window with OTList.txt.
  • Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop); click on this and maximize the window.
  • In Notepad, click Edit, Select all, then Edit, Copy.
  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log, or right-click and paste.
  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in Notepad from your desktop.


Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.


OTListIt logfile created on: 23/10/2008 14:58:26 - Run

OTListIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\usuario\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy

1022,73 Mb Total Physical Memory | 712,79 Mb Available Physical Memory | 69,69% Memory free

1,65 Gb Paging File | 1,48 Gb Available in Paging File | 89,49% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas

Drive C: | 74,55 Gb Total Space | 36,11 Gb Free Space | 48,43% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 149,04 Gb Total Space | 88,17 Gb Free Space | 59,16% Space Free | Partition Type: NTFS

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: CAT

Current User Name: usuario

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

File Age = 30 Days

========== Processes ==========

[2002/07/01 08:02:00 | 00,062,464 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\E_S00RP1.EXE

[2005/01/28 02:36:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe

[2004/08/03 19:45:46 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe

[2004/08/22 18:05:02 | 00,081,920 | ---- | M] (DAEMON'S HOME) -- C:\Arquivos de programas\D-Tools\daemon.exe

[2004/01/14 09:00:00 | 00,099,840 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I4T1.EXE

[2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

[2008/10/23 14:57:36 | 00,417,792 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\usuario\Desktop\OTListIt.exe

========== (O23) Win32 Services ==========

[2003/08/30 19:41:41 | 00,068,096 | ---- | M] () -- C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])

[2008/01/15 03:40:04 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])

[2004/07/15 02:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

[2003/09/30 11:19:56 | 00,376,832 | ---- | M] () -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Disabled | Stopped])

[2003/10/13 22:10:00 | 00,114,688 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Disabled | Stopped])

[2007/07/24 16:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled | Stopped])

[2003/05/23 02:38:26 | 00,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service [Disabled | Stopped])

[2002/07/01 08:02:00 | 00,062,464 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\E_S00RP1.EXE -- (EPSON_PM_RPCV2_01 [Auto | Running])

[2004/08/20 15:46:35 | 00,040,960 | ---- | M] (F-Secure Corporation) -- C:\Arquivos de programas\F-Secure Internet Security\fswsclds.exe -- (Fswsclds [Disabled | Stopped])

[2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

[2008/03/30 11:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\iPod\bin\iPodService.exe -- (iPod Service [Disabled | Stopped])

[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\MDM.EXE -- (MDM [Disabled | Stopped])

[2003/07/28 20:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose [Disabled | Stopped])

[2008/04/07 20:26:40 | 00,098,488 | ---- | M] (SiSoftware) -- C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\RpcAgentSrv.exe -- (SandraAgentSrv [Disabled | Stopped])

[2003/07/02 07:40:08 | 00,045,056 | ---- | M] ( ) -- C:\WINDOWS\system32\slserv.exe -- (SLService [Disabled | Stopped])

[2005/04/05 12:17:22 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])

[2002/09/20 17:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Disabled | Stopped])

[2005/01/28 02:36:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])

[2007/01/19 13:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\usnsvc.exe -- (usnjsvc [Disabled | Stopped])

========== Driver Services ==========

[2002/04/01 04:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])

[2003/05/28 19:53:46 | 00,017,005 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (Aspi32 [Auto | Running])

[2005/08/31 03:11:52 | 00,701,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])

[2002/06/06 02:07:00 | 00,009,344 | ---- | M] (B.H.A Co.,Ltd.) -- C:\WINDOWS\System32\drivers\BsStor.sys -- (BsStor [boot | Running])

[2004/03/08 13:55:50 | 00,013,567 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\drivers\CDRBSDRV.SYS -- (cdrbsdrv [system | Running])

[2003/12/03 18:44:58 | 00,013,566 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\drivers\cdrbsvsd.sys -- (cdrbsvsd [system | Running])

[2004/08/22 17:31:10 | 00,155,136 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\d347bus.sys -- (d347bus [boot | Running])

[2004/08/22 17:31:48 | 00,005,248 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\d347prt.sys -- (d347prt [boot | Running])

[2002/11/28 12:18:04 | 00,015,360 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL [On_Demand | Running])

[2002/11/29 09:38:16 | 00,016,320 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO [Auto | Running])

[2003/01/31 21:08:54 | 00,028,005 | ---- | M] (Efficient Networks, Inc.) -- C:\WINDOWS\system32\drivers\enethusb.sys -- (ENETHUSB [On_Demand | Running])

[2001/08/17 21:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Stopped])

[2003/01/16 02:17:00 | 00,040,960 | R--- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5b.sys -- (FETNDISB [On_Demand | Stopped])

[2008/01/29 13:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])

[2003/08/21 12:56:36 | 00,025,520 | ---- | M] (Ahead Software AG) -- C:\WINDOWS\System32\drivers\incdrm.sys -- (incdrm [system | Running])

[2003/10/24 02:53:14 | 00,090,416 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf [system | Running])

[2001/08/17 22:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])

[2003/07/16 02:30:26 | 00,221,736 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5 [On_Demand | Running])

[2003/07/02 06:26:36 | 01,301,128 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm [On_Demand | Stopped])

[2005/08/31 03:11:26 | 00,032,840 | ---- | M] (NETGEAR Corporation.) -- C:\WINDOWS\system32\drivers\Ngrpci.sys -- (ngrpci [On_Demand | Stopped])

[2003/07/02 05:57:10 | 00,167,384 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax [On_Demand | Stopped])

[2002/09/12 22:29:00 | 00,006,016 | R--- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\ntsim.sys -- (NTSIM [On_Demand | Stopped])

[2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [boot | Running])

[2007/05/28 20:39:19 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (Pcouffin [On_Demand | Running])

[2004/01/31 00:40:08 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])

[2001/10/28 09:07:22 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])

[2007/02/23 02:29:52 | 00,036,624 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [boot | Running])

[2004/08/04 04:41:40 | 00,013,776 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\drivers\recagent.sys -- (RecAgent [On_Demand | Stopped])

[2002/06/10 01:09:08 | 00,031,232 | ---- | M] (Robert Schlabbach) -- C:\WINDOWS\system32\drivers\RMSPPPOE.SYS -- (RMSPPPOE [On_Demand | Running])

[2008/03/10 20:30:36 | 00,021,408 | ---- | M] (SiSoftware) -- C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\WNt500x86\sandra.sys -- (SANDRA [On_Demand | Stopped])

[2007/11/13 08:25:56 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])

[2001/09/05 23:27:44 | 00,018,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sermouse.sys -- (sermouse [On_Demand | Stopped])

[2003/07/16 02:39:32 | 00,545,528 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr [On_Demand | Running])

[2003/07/02 06:24:36 | 00,086,128 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal [On_Demand | Stopped])

[2003/07/02 06:12:52 | 00,039,348 | ---- | M] (Vireo Software) -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup [On_Demand | Running])

[2003/07/15 17:00:00 | 00,578,368 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])

[2001/08/17 21:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])

[2006/09/15 23:52:12 | 00,124,016 | ---- | M] (Symantec Corporation) -- C:\Arquivos de programas\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])

[2005/04/05 12:17:00 | 00,017,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Stopped])

[2005/04/05 12:17:02 | 00,267,192 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [system | Running])

[2003/07/02 05:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1 [boot | Running])

[2005/09/01 10:22:22 | 00,077,312 | ---- | M] (VIA Technologies inc,.ltd) -- C:\WINDOWS\system32\drivers\viasraid.sys -- (viasraid [boot | Running])

[2003/08/04 05:29:08 | 00,006,912 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\vulfnth.sys -- (vulfnths [On_Demand | Running])

[2003/08/04 05:29:32 | 00,011,392 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\vulfntr.sys -- (vulfntrs [On_Demand | Running])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm

HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =

HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com

HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/

HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

HKU\S-1-5-21-220523388-688789844-1417001333-1003\S-1-5-21-220523388-688789844-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (316782 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts


O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()

O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)

O2 - BHO: (QUICKfind BHO Object) - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Arquivos de programas\TEXTware\QUICKfind\PlugIns\IEHelp.dll ()

O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033 (DAEMON'S HOME)

O4 - HKCU..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU" (SEIKO EPSON CORPORATION)

O4 - HKCU..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation)

O4 - HKU\S-1-5-21-220523388-688789844-1417001333-1003..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU" (SEIKO EPSON CORPORATION)

O4 - HKU\S-1-5-21-220523388-688789844-1417001333-1003..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingPage = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingPage = 1

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0

O8 - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value does not exist or could not be read.

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key does not exist or could not be opened. File not found

O9 - Extra Button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Arquivos de programas\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)

O9 - Extra Button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll ()

O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (Microsoft Corporation)

O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (Microsoft Corporation)

O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\PLUGINS\NPDocBox.dll [2001/01/30 14:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)

O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Sites: (msn in Meu computador)

O15 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..Trusted Sites: (msn in Meu computador)

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)

O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc.cab (Office Update Installation Engine)

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/ji...indows-i586.cab (Java Plug-in 1.4.1_01)

O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/ji...indows-i586.cab (Java Plug-in 1.4.1_01)

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.254.254

O18 - Protocol\Handler: - cetihpz - C:\Arquivos de programas\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)

O18 - Protocol\Handler: - ipp - No CLSID value found

O18 - Protocol\Handler: - ipp\0x00000001 - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - livecall - C:\Arquivos de programas\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp - No CLSID value found

O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msdaipp\oledb - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - ms-itss - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - msnim - C:\Arquivos de programas\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)

O18 - Protocol\Handler: - mso-offdap - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O18 - Protocol\Handler: - mso-offdap11 - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Filter: - text/xml - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O20 - See sections below for AppInitDlls and Winlogon settings

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages" = msv1_0,C:\WINDOWS\system32\awtUOefC,

>File not found --

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]

"AutoRun" = 1

========== Autorun Files on Drives ==========

autoAlbum.log [-i="C:\Documents and Settings\usuario\Configura


OTListIt Extras logfile created on: 23/10/2008 14:58:26 - Run

OTListIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\usuario\Desktop

Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 6.0.2900.2180)

Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy

1022,73 Mb Total Physical Memory | 712,79 Mb Available Physical Memory | 69,69% Memory free

1,65 Gb Paging File | 1,48 Gb Available in Paging File | 89,49% Paging File free

Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas

Drive C: | 74,55 Gb Total Space | 36,11 Gb Free Space | 48,43% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

Drive G: | 149,04 Gb Total Space | 88,17 Gb Free Space | 59,16% Space Free | Partition Type: NTFS

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: CAT

Current User Name: usuario

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: All users

Whitelist: On

File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- C:\Arquivos de programas\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 1

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall" = 0

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1

[2007/01/04 17:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[2004/10/13 14:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Messenger\msmsgs.exe:*:Enabled:Windows Messenger

File not found -- C:\Arquivos de programas\DAP\DAP.exe:*:Enabled:Download Accelerator Plus

[2005/03/04 15:33:11 | 00,204,845 | ---- | M] (RealNetworks, Inc.) -- C:\Arquivos de programas\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer

[2003/11/12 07:04:00 | 00,110,592 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Enabled:SAgent4

[2004/08/04 05:45:34 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer

[2004/08/16 19:18:33 | 00,147,460 | ---- | M] () -- C:\Arquivos de programas\AnalogX\Proxy\proxy.exe:*:Enabled:proxy

[1999/09/15 02:23:00 | 04,042,798 | ---- | M] (Lotus Development Corporation) -- C:\lotus\organize\org6.exe:*:Disabled:Lotus Organizer

[2008/05/18 15:41:01 | 00,219,952 | ---- | M] () -- C:\Arquivos de programas\uTorrent\utorrent.exe:*:Enabled:


  • Root Admin

Due to the use of Peer2Peer software and signs of illegal activity you need to uninstall these tools and quit using them if you want us to help you.

Delete this file for now and you can install a "Managed hosts file" later on.

C:\WINDOWS\System32\drivers\etc\Hosts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

This key is invalid and needs repair. Make a backup first. Then edit it with REGEDIT and remove the trailing portion.

It should only have msv1_0 in that key.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"Authentication Packages" = msv1_0,C:\WINDOWS\system32\awtUOefC,

Close ALL applications and browsers first.

Then start HJT and do a scan only and put a check mark on all of these entries if they're still there. Then click on Fix selected...

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://200.165.104.28/home

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local

O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)

O2 - BHO: {841254df-05e8-871st-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Arquivos\Java\j2re1.4.1_01\bin\npjpi141_01.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Arquivos\Java\j2re1.4.1_01\bin\npjpi141_01.dll

O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Program Arquivos\PokerStars.NET\PokerStarsUpdate.exe

O14 - IERESET.INF: SEARCH_PAGE_URL = &http://home.microsoft.com/intl/br/access/allinone.asp

O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-932D-42BB-C911DCD62162}: NameServer = 192.168.254.254

O20 - AppInit_DLLs: fzcvoc.dll

O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found

O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingPage = 1

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0

O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingPage = 1

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0

O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0

O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKCU\..Trusted Sites: (msn in Meu computador)

O15 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..Trusted Sites: (msn in Meu computador)

Using REGEDIT browse to this location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components

and look for that Desktop Component 1: and remove it and any file it may point to.

Download SmitFraudFix by S!Ri and run it according to the instructions there.

Then run MBAM and go to the UPDATE tab and run a Quick Scan, fix anything found, REBOOT

Then after the reboot run another HJT and post back all the logs.

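A defender-side triage of the two persistence points the admin calls out above (the LSA "Authentication Packages" value that should hold only msv1_0, and the O20 AppInit_DLLs entry), written as an added example that is not part of this thread or of the OTListIt tool: it parses log lines in the thread's format, run here over a constructed sample, and returns every entry beyond the stand-alone XP baseline (the baseline set is an assumption of the example).

```python
"""Defender-side triage of two persistence points an OTListIt / HijackThis log
exposes: the LSA "Authentication Packages" value and AppInit_DLLs.
Added example for this thread, not part of the original post or of OTListIt."""
import re
from typing import Dict, List

# On a stand-alone Windows XP workstation the LSA value holds exactly msv1_0
# (assumption for this example; domain members may legitimately list more).
KNOWN_GOOD_AUTH_PACKAGES = {"msv1_0"}

# Log line shapes taken from the thread: the registry value as OTListIt prints
# it, and the HJT-style O20 line for AppInit_DLLs.
AUTH_PKG_RE = re.compile(r'^"Authentication Packages"\s*=\s*(?P<value>.*)$')
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs:\s*(?P<value>.*)$')


def parse_auth_packages(value: str) -> List[str]:
    """Split the REG_MULTI_SZ rendering ('a,b,') into its non-empty entries.
    The trailing comma in the thread's log is just the list terminator."""
    return [p.strip() for p in value.split(",") if p.strip()]


def check_auth_packages(value: str) -> List[Dict[str, str]]:
    """Flag every package that is not on the baseline.  A full path is a
    strong signal: legitimate packages are bare DLL names resolved from
    system32, so a path points at something dropped alongside them."""
    findings = []
    for pkg in parse_auth_packages(value):
        if pkg.lower() in KNOWN_GOOD_AUTH_PACKAGES:
            continue
        if "\\" in pkg or "/" in pkg:
            reason = "absolute path where a bare DLL name is expected"
        else:
            reason = "not on the authentication-package baseline"
        findings.append({"where": "LSA Authentication Packages",
                         "item": pkg, "reason": reason})
    return findings


def check_appinit(value: str) -> List[Dict[str, str]]:
    """AppInit_DLLs is empty on a clean XP box; any DLL listed is loaded into
    every process that links user32.dll, so each entry is a finding."""
    findings = []
    for dll in re.split(r"[,\s]+", value.strip()):
        if dll:
            findings.append({"where": "AppInit_DLLs", "item": dll,
                             "reason": "DLL injected into every user32 process"})
    return findings


def scan_log(text: str) -> List[Dict[str, str]]:
    """Run both checks over a whole log and return the findings in log order."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = AUTH_PKG_RE.match(line)
        if m:
            findings.extend(check_auth_packages(m.group("value")))
            continue
        m = APPINIT_RE.match(line)
        if m:
            findings.extend(check_appinit(m.group("value")))
    return findings


# Constructed sample in the thread's log format; the values mirror what the
# original poster's log showed (awtUOefC was already reported "File not found").
SAMPLE_LOG = """\
========== LSA *Authentication Packages* ==========
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa]
"Authentication Packages" = msv1_0,C:\\WINDOWS\\system32\\awtUOefC,
>File not found --
O20 - AppInit_DLLs: fzcvoc.dll
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['where']}: {f['item']} ({f['reason']})")
```

A value that parses back to exactly the baseline (the "only msv1_0" state the admin asks for after the REGEDIT repair) produces no findings.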

  • Root Admin

Since there has been no response in 5 days I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org
