[Resolved] TR/Spy.Ursnif.35328l Trojan

**maxpayne____** · 02-01-2010

The Avira only detects the trojan,it doesnt't fix it.Here is my log from Hijackthis!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:11:22, on 02-01-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Java\jre1.6.0_07\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Windows\system32\conime.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\António Gomes\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.20.250:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Servidor de Licenca Radiocef Studio 2] "C:\Radiocef Studio 2\Licenca\Server\RMLicServer.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_pt-BR;_rv:1.9.0.16)_Gecko/2009120208_Firefox/3.0.16_(.NET_CLR_3.5.30729)" -"http://www.miniclip.com/games/motocross-urban-fever/pt/content_iframe.php"
O4 - HKUS\S-1-5-21-1780149496-2053220928-3784673967-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'antgomes')
O4 - HKUS\S-1-5-21-1780149496-2053220928-3784673967-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'antgomes')
O4 - Startup: Iniciação Rápida do Microsoft Office OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Publicar em Blogue - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Publicar no Blogue no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11568 bytes

**broni** · 02-01-2010

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

NOTE. If Combofix asks you to install Recovery Console, please allow it.

Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Make sure, you re-enable your security programs, when you're done with Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

**maxpayne____** · 02-01-2010

thanks for helping me!!

Combofix log:
ComboFix 10-01-01.05 - António Gomes 02-01-2010 19:36:57.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.351.2070.18.2046.975 [GMT 0:00]
Executando de: c:\users\António Gomes\Desktop\ComboFix.exe
.
Os seguintes arquivos/ficheiros foram desabilitados durante a execução:
c:\windows\system32\colopcln.dll

(((((((((((((((( Arquivos/Ficheiros criados de 2009-12-02 to 2010-01-02 ))))))))))))))))))))))))))))
.

2010-01-02 19:43 . 2010-01-02 19:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-02 19:43 . 2010-01-02 19:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-02 19:43 . 2010-01-02 19:43 -------- d-----w- c:\users\Convidado\AppData\Local\temp
2010-01-02 19:43 . 2010-01-02 19:43 -------- d-----w- c:\users\antgomes\AppData\Local\temp
2010-01-02 02:08 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-02 02:08 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-02 02:08 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-02 02:08 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-02 02:08 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-02 00:42 . 2010-01-02 00:42 -------- d-----w- c:\programdata\Malwarebytes
2010-01-02 00:42 . 2010-01-02 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 13:22 . 2009-12-31 13:22 35328 ----a-w- c:\windows\system32\colopcln.dll.vir
2009-12-09 03:10 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 03:10 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 03:10 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-08 23:12 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-05 15:15 . 2009-12-05 15:16 -------- d-----w- c:\program files\DAEMON Tools Lite

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-01-02 18:23 . 2009-07-08 18:58 56597 ----a-w- c:\programdata\nvModes.dat
2010-01-02 18:21 . 2007-12-07 16:16 1076 ----a-w- c:\windows\bthservsdp.dat
2009-12-17 18:23 . 2009-07-08 18:58 -------- d-----w- c:\programdata\NVIDIA
2009-12-09 03:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 03:12 . 2008-11-15 21:02 -------- d-----w- c:\programdata\Microsoft Help
2009-12-08 15:13 . 2009-10-18 23:12 -------- d-----w- c:\programdata\WildTangent
2009-12-07 14:38 . 2009-08-22 11:23 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-05 15:16 . 2009-03-07 03:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-05 15:15 . 2009-03-07 12:54 -------- d-----w- c:\programdata\DAEMON Tools Lite
2009-12-03 22:25 . 2009-10-25 12:50 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-02 22:09 . 2007-01-18 04:49 653540 ----a-w- c:\windows\system32\prfh0816.dat
2009-12-02 22:09 . 2007-01-18 04:49 128820 ----a-w- c:\windows\system32\prfc0816.dat
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-21 06:40 . 2009-12-08 23:14 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 23:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 23:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 23:48 . 2009-11-19 14:48 -------- d-----w- c:\program files\Graboid
2009-11-19 23:48 . 2009-11-19 14:49 -------- d-----w- c:\program files\VideoLAN
2009-11-19 14:49 . 2009-11-19 14:49 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-19 02:59 . 2009-11-19 02:59 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-19 02:59 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-19 02:58 . 2009-11-19 02:58 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_ 00.Wdf
2009-11-17 21:48 . 2009-10-25 12:11 -------- d-----w- c:\program files\Wolfenstein - Enemy Territory
2009-11-09 00:40 . 2009-10-25 12:51 139904 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-09 00:40 . 2009-10-25 12:50 189744 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-08 17:59 . 2008-12-13 20:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 20:42 . 2009-10-03 11:52 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:15 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-21 10:43 . 2009-10-21 10:43 98304 ----a-w- c:\programdata\NexonEU\NGM\nxgameeu.dll
2009-10-21 10:43 . 2009-10-21 10:43 81920 ----a-w- c:\programdata\NexonEU\NGM\npNxGameeu.dll
2009-10-21 10:43 . 2009-10-21 10:43 532480 ----a-w- c:\programdata\NexonEU\NGM\NGMDll.dll
2009-10-21 10:43 . 2009-10-21 10:43 331776 ----a-w- c:\programdata\NexonEU\NGM\NGMResource.dll
2009-10-21 10:43 . 2009-10-21 10:43 258352 ----a-w- c:\programdata\NexonEU\NGM\unicows.dll
2009-10-21 10:43 . 2009-10-21 10:43 155648 ----a-w- c:\programdata\NexonEU\NGM\NGM.exe
2009-10-21 01:12 . 2009-10-21 01:12 421888 ----a-w- c:\windows\NEXON_EU_DownloaderUpdater.exe
2009-10-18 22:39 . 2009-10-18 22:39 90112 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2009-10-18 22:39 . 2009-10-18 22:39 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2009-10-18 22:39 . 2009-10-18 22:39 118784 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2009-10-18 22:39 . 2009-10-18 22:39 393216 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2009-10-18 22:39 . 2009-10-18 22:39 561152 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2009-10-18 22:39 . 2009-10-18 22:39 167936 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2009-10-08 21:08 . 2009-11-19 00:17 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:08 . 2009-11-19 00:17 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:07 . 2009-11-19 00:17 4096 ----a-w- c:\windows\system32\oleaccrc.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"Servidor de Licenca Radiocef Studio 2"="c:\radiocef studio 2\Licenca\Server\RMLicServer.exe" [2008-10-31 2460160]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2008-12-04 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

c:\users\Ant¢nio Gomes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Inicia‡Æo R*pida do Microsoft Office OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):fc,b1,cb,bc,76,40,ca,01

R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [30-10-2007 12:48 13560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22-08-2009 11:23 108289]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [01-02-2008 03:02 65536]
S3 FontCache;Serviço de Cache de Tipos de Letra do Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [23-11-2008 12:54 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssflt r.sys [16-09-2009 12:07 54632]
S3 fsssvc;Serviço Segurança Familiar do Windows Live;c:\program files\Windows Live\Family Safety\fsssvc.exe [05-08-2009 21:48 704864]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [07-03-2009 03:14 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.20.250:8080
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\António Gomes\AppData\Roaming\Mozilla\Firefox\Profiles\e9r zilpn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.ftp - 192.168.20.250
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 192.168.20.250
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 192.168.20.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 192.168.20.250
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 192.168.20.250
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.d ll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug. dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-01-02 19:43
Windows 6.0.6002 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{ 22D78859-9CE9-4b77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\a60a23f1-8580-f559-b012-8638c60ef25]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1twof9nkz0jfy"=hex:37,62,30,30,65,34,37,39,2d,38, 66,36,66,2d,34,62,31,35,2d,
38,66,30,64,2d,33,39,66,61,64,39,66,38,35,31,36,64
"1bttvdb4pq5ov"=hex:65,00,00,00,f8,00,00,00,c1,46, e5,65,61,72,61,7a,69,00,00,
00,00,00,00,00,00,00,00,00,79,e4,00,7b,6f,8f,15,4b ,8f,0d,39,fa,d9,f8,51,6d,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Tempo para conclusão: 2010-01-02 19:46:03
ComboFix-quarantined-files.txt 2010-01-02 19:46
ComboFix2.txt 2010-01-02 18:19
ComboFix3.txt 2010-01-02 03:15

Pré-execução: 67.074.973.696 bytes livres
Pós execução: 67.044.691.968 bytes livres

- - End Of File - - 8E717A1644CE245C524F1A094CD94994

HiJacktHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51:04, on 02-01-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Windows\system32\WerCon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Users\António Gomes\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.20.250:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Servidor de Licenca Radiocef Studio 2] "C:\Radiocef Studio 2\Licenca\Server\RMLicServer.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_pt-BR;_rv:1.9.0.16)_Gecko/2009120208_Firefox/3.0.16_(.NET_CLR_3.5.30729)" -"http://www.miniclip.com/games/motocross-urban-fever/pt/content_iframe.php"
O4 - HKUS\S-1-5-21-1780149496-2053220928-3784673967-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'antgomes')
O4 - HKUS\S-1-5-21-1780149496-2053220928-3784673967-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'antgomes')
O4 - Startup: Iniciação Rápida do Microsoft Office OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Publicar em Blogue - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Publicar no Blogue no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11198 bytes

**broni** · 02-01-2010

I see, this is 3rd Combofix run.
I need to see two previous logs:
- ComboFix2.txt
- ComboFix3.txt

**maxpayne____** · 02-01-2010

I'm afraid that's not possible,because i deleted it. I thought it wasn't necessary !!I just have the last one.

**maxpayne____** · 02-01-2010

I found it,here it goes

the first:

ComboFix 09-12-31.A1 - António Gomes 02-01-2010 2:59.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.351.2070.18.2046.1282 [GMT 0:00]
Executando de: c:\users\António Gomes\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))) )
.

c:\$recycle.bin\S-1-5-21-1780149496-2053220928-3784673967-500
c:\$recycle.bin\S-1-5-21-2199817886-4203402448-834553970-500

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-12-02 to 2010-01-02 ))))))))))))))))))))))))))))
.

2010-01-02 02:08 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-02 02:08 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-02 02:08 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-02 02:08 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-02 02:08 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-02 02:08 . 2010-01-02 02:08 -------- d-----w- c:\program files\Trojan Remover
2010-01-02 02:08 . 2010-01-02 02:08 -------- d-----w- c:\programdata\Simply Super Software
2010-01-02 01:53 . 2010-01-02 01:53 -------- d-----w- c:\program files\CCleaner
2010-01-02 00:42 . 2010-01-02 00:42 -------- d-----w- c:\programdata\Malwarebytes
2010-01-02 00:42 . 2010-01-02 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 13:22 . 2009-12-31 13:22 35328 ----a-w- c:\windows\system32\colopcln.dll
2009-12-09 03:10 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 03:10 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 03:10 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-08 23:12 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-05 15:15 . 2009-12-05 15:16 -------- d-----w- c:\program files\DAEMON Tools Lite

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-01-02 02:57 . 2009-07-08 18:58 56597 ----a-w- c:\programdata\nvModes.dat
2010-01-02 02:55 . 2007-12-07 16:16 1076 ----a-w- c:\windows\bthservsdp.dat
2009-12-17 18:23 . 2009-07-08 18:58 -------- d-----w- c:\programdata\NVIDIA
2009-12-09 03:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 03:12 . 2008-11-15 21:02 -------- d-----w- c:\programdata\Microsoft Help
2009-12-08 15:13 . 2009-10-18 23:12 -------- d-----w- c:\programdata\WildTangent
2009-12-07 14:38 . 2009-08-22 11:23 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-05 15:16 . 2009-03-07 03:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-05 15:15 . 2009-03-07 12:54 -------- d-----w- c:\programdata\DAEMON Tools Lite
2009-12-03 22:25 . 2009-10-25 12:50 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-02 22:09 . 2007-01-18 04:49 653540 ----a-w- c:\windows\system32\prfh0816.dat
2009-12-02 22:09 . 2007-01-18 04:49 128820 ----a-w- c:\windows\system32\prfc0816.dat
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-21 06:40 . 2009-12-08 23:14 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 23:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 23:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 23:48 . 2009-11-19 14:48 -------- d-----w- c:\program files\Graboid
2009-11-19 23:48 . 2009-11-19 14:49 -------- d-----w- c:\program files\VideoLAN
2009-11-19 14:49 . 2009-11-19 14:49 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-19 02:59 . 2009-11-19 02:59 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-19 02:59 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-19 02:58 . 2009-11-19 02:58 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_ 00.Wdf
2009-11-17 21:48 . 2009-10-25 12:11 -------- d-----w- c:\program files\Wolfenstein - Enemy Territory
2009-11-09 00:40 . 2009-10-25 12:51 139904 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-09 00:40 . 2009-10-25 12:50 189744 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-08 17:59 . 2008-12-13 20:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 20:42 . 2009-10-03 11:52 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:15 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-21 10:43 . 2009-10-21 10:43 98304 ----a-w- c:\programdata\NexonEU\NGM\nxgameeu.dll
2009-10-21 10:43 . 2009-10-21 10:43 81920 ----a-w- c:\programdata\NexonEU\NGM\npNxGameeu.dll
2009-10-21 10:43 . 2009-10-21 10:43 532480 ----a-w- c:\programdata\NexonEU\NGM\NGMDll.dll
2009-10-21 10:43 . 2009-10-21 10:43 331776 ----a-w- c:\programdata\NexonEU\NGM\NGMResource.dll
2009-10-21 10:43 . 2009-10-21 10:43 258352 ----a-w- c:\programdata\NexonEU\NGM\unicows.dll
2009-10-21 10:43 . 2009-10-21 10:43 155648 ----a-w- c:\programdata\NexonEU\NGM\NGM.exe
2009-10-21 01:12 . 2009-10-21 01:12 421888 ----a-w- c:\windows\NEXON_EU_DownloaderUpdater.exe
2009-10-18 22:39 . 2009-10-18 22:39 90112 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2009-10-18 22:39 . 2009-10-18 22:39 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2009-10-18 22:39 . 2009-10-18 22:39 118784 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2009-10-18 22:39 . 2009-10-18 22:39 393216 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2009-10-18 22:39 . 2009-10-18 22:39 561152 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2009-10-18 22:39 . 2009-10-18 22:39 167936 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2009-10-08 21:08 . 2009-11-19 00:17 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:08 . 2009-11-19 00:17 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:07 . 2009-11-19 00:17 4096 ----a-w- c:\windows\system32\oleaccrc.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2009-10-17 1070984]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"Servidor de Licenca Radiocef Studio 2"="c:\radiocef studio 2\Licenca\Server\RMLicServer.exe" [2008-10-31 2460160]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2008-12-04 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

c:\users\Ant¢nio Gomes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Inicia‡Æo R*pida do Microsoft Office OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):fc,b1,cb,bc,76,40,ca,01

R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [30-10-2007 12:48 13560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22-08-2009 11:23 108289]
S0 sptd;sptd;c:\windows\System32\drivers\sptd.sys [07-03-2009 03:14 691696]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [01-02-2008 03:02 65536]
S3 FontCache;Serviço de Cache de Tipos de Letra do Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [23-11-2008 12:54 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssflt r.sys [16-09-2009 12:07 54632]
S3 fsssvc;Serviço Segurança Familiar do Windows Live;c:\program files\Windows Live\Family Safety\fsssvc.exe [05-08-2009 21:48 704864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.20.250:8080
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\António Gomes\AppData\Roaming\Mozilla\Firefox\Profiles\e9r zilpn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.ftp - 192.168.20.250
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 192.168.20.250
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 192.168.20.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 192.168.20.250
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 192.168.20.250
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.d ll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug. dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
- - - - ORFÃOS REMOVIDOS - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe

************************************************** ************************
Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos:

************************************************** ************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{ 22D78859-9CE9-4b77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\a60a23f1-8580-f559-b012-8638c60ef25]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1twof9nkz0jfy"=hex:37,62,30,30,65,34,37,39,2d,38, 66,36,66,2d,34,62,31,35,2d,
38,66,30,64,2d,33,39,66,61,64,39,66,38,35,31,36,64
"1bttvdb4pq5ov"=hex:65,00,00,00,f8,00,00,00,c1,46, e5,65,61,72,61,7a,69,00,00,
00,00,00,00,00,00,00,00,00,79,e4,00,7b,6f,8f,15,4b ,8f,0d,39,fa,d9,f8,51,6d,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Tempo para conclusão: 2010-01-02 03:15:47
ComboFix-quarantined-files.txt 2010-01-02 03:15

Pré-execução: 63.896.498.176 bytes livres
Pós execução: 67.259.600.896 bytes livres

- - End Of File - - BC5AAD3C6035F4080D964089F5E928F1

[COLOR="Red"]The Second:[/COLOR

ComboFix 09-12-31.A1 - António Gomes 02-01-2010 18:08:28.2.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.351.2070.18.2046.1141 [GMT 0:00]
Executando de: c:\users\António Gomes\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\António Gomes\Desktop\CFScript.log
.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-12-02 to 2010-01-02 ))))))))))))))))))))))))))))
.

2010-01-02 18:16 . 2010-01-02 18:16 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-02 18:16 . 2010-01-02 18:16 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-02 18:16 . 2010-01-02 18:16 -------- d-----w- c:\users\Convidado\AppData\Local\temp
2010-01-02 18:16 . 2010-01-02 18:16 -------- d-----w- c:\users\antgomes\AppData\Local\temp
2010-01-02 02:08 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-02 02:08 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-02 02:08 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-02 02:08 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-02 02:08 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-02 00:42 . 2010-01-02 00:42 -------- d-----w- c:\programdata\Malwarebytes
2010-01-02 00:42 . 2010-01-02 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-31 13:22 . 2009-12-31 13:22 35328 ----a-w- c:\windows\system32\colopcln.dll
2009-12-09 03:10 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 03:10 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 03:10 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-08 23:12 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-05 15:15 . 2009-12-05 15:16 -------- d-----w- c:\program files\DAEMON Tools Lite

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-01-02 18:02 . 2009-07-08 18:58 56597 ----a-w- c:\programdata\nvModes.dat
2010-01-02 18:00 . 2007-12-07 16:16 1076 ----a-w- c:\windows\bthservsdp.dat
2009-12-17 18:23 . 2009-07-08 18:58 -------- d-----w- c:\programdata\NVIDIA
2009-12-09 03:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 03:12 . 2008-11-15 21:02 -------- d-----w- c:\programdata\Microsoft Help
2009-12-08 15:13 . 2009-10-18 23:12 -------- d-----w- c:\programdata\WildTangent
2009-12-07 14:38 . 2009-08-22 11:23 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-05 15:16 . 2009-03-07 03:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-05 15:15 . 2009-03-07 12:54 -------- d-----w- c:\programdata\DAEMON Tools Lite
2009-12-03 22:25 . 2009-10-25 12:50 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-02 22:09 . 2007-01-18 04:49 653540 ----a-w- c:\windows\system32\prfh0816.dat
2009-12-02 22:09 . 2007-01-18 04:49 128820 ----a-w- c:\windows\system32\prfc0816.dat
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-21 06:40 . 2009-12-08 23:14 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 23:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 23:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 23:48 . 2009-11-19 14:48 -------- d-----w- c:\program files\Graboid
2009-11-19 23:48 . 2009-11-19 14:49 -------- d-----w- c:\program files\VideoLAN
2009-11-19 14:49 . 2009-11-19 14:49 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-19 02:59 . 2009-11-19 02:59 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-19 02:59 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-19 02:58 . 2009-11-19 02:58 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_ 00.Wdf
2009-11-17 21:48 . 2009-10-25 12:11 -------- d-----w- c:\program files\Wolfenstein - Enemy Territory
2009-11-09 00:40 . 2009-10-25 12:51 139904 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-09 00:40 . 2009-10-25 12:50 189744 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-08 17:59 . 2008-12-13 20:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 20:42 . 2009-10-03 11:52 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:15 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-21 10:43 . 2009-10-21 10:43 98304 ----a-w- c:\programdata\NexonEU\NGM\nxgameeu.dll
2009-10-21 10:43 . 2009-10-21 10:43 81920 ----a-w- c:\programdata\NexonEU\NGM\npNxGameeu.dll
2009-10-21 10:43 . 2009-10-21 10:43 532480 ----a-w- c:\programdata\NexonEU\NGM\NGMDll.dll
2009-10-21 10:43 . 2009-10-21 10:43 331776 ----a-w- c:\programdata\NexonEU\NGM\NGMResource.dll
2009-10-21 10:43 . 2009-10-21 10:43 258352 ----a-w- c:\programdata\NexonEU\NGM\unicows.dll
2009-10-21 10:43 . 2009-10-21 10:43 155648 ----a-w- c:\programdata\NexonEU\NGM\NGM.exe
2009-10-21 01:12 . 2009-10-21 01:12 421888 ----a-w- c:\windows\NEXON_EU_DownloaderUpdater.exe
2009-10-18 22:39 . 2009-10-18 22:39 90112 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2009-10-18 22:39 . 2009-10-18 22:39 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2009-10-18 22:39 . 2009-10-18 22:39 118784 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2009-10-18 22:39 . 2009-10-18 22:39 393216 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2009-10-18 22:39 . 2009-10-18 22:39 561152 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2009-10-18 22:39 . 2009-10-18 22:39 167936 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2009-10-08 21:08 . 2009-11-19 00:17 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:08 . 2009-11-19 00:17 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:07 . 2009-11-19 00:17 4096 ----a-w- c:\windows\system32\oleaccrc.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-02_03.11.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 12:06 . 2010-01-02 18:05 59268 c:\windows\System32\WDI\ShutdownPerformanceDiagnos tics_SystemData.bin
+ 2008-11-15 20:48 . 2010-01-02 18:05 19268 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1780149496-2053220928-3784673967-1000_UserData.bin
- 2008-11-15 20:48 . 2010-01-02 02:59 19268 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1780149496-2053220928-3784673967-1000_UserData.bin
+ 2008-11-15 20:45 . 2010-01-02 17:58 32768 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-15 20:45 . 2010-01-02 02:14 32768 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-15 20:45 . 2010-01-02 17:58 49152 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-15 20:45 . 2010-01-02 02:14 49152 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-15 20:45 . 2010-01-02 02:14 32768 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\History\History.IE5\index.d at
+ 2008-11-15 20:45 . 2010-01-02 17:58 32768 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\History\History.IE5\index.d at
- 2010-01-02 02:56 . 2010-01-02 02:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive1.dat
+ 2010-01-02 18:01 . 2010-01-02 18:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive1.dat
- 2010-01-02 02:56 . 2010-01-02 02:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat
+ 2010-01-02 18:01 . 2010-01-02 18:01 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat
+ 2006-11-02 13:05 . 2010-01-02 18:05 108850 c:\windows\System32\WDI\BootPerformanceDiagnostics _SystemData.bin
+ 2009-07-13 13:26 . 2010-01-02 17:58 245760 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\IETldCache\index.dat
- 2009-07-13 13:26 . 2010-01-02 01:28 245760 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\IETldCache\index.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"Servidor de Licenca Radiocef Studio 2"="c:\radiocef studio 2\Licenca\Server\RMLicServer.exe" [2008-10-31 2460160]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2008-12-04 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

c:\users\Ant¢nio Gomes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Inicia‡Æo R*pida do Microsoft Office OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):fc,b1,cb,bc,76,40,ca,01

R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [30-10-2007 12:48 13560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22-08-2009 11:23 108289]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [01-02-2008 03:02 65536]
S3 FontCache;Serviço de Cache de Tipos de Letra do Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [23-11-2008 12:54 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssflt r.sys [16-09-2009 12:07 54632]
S3 fsssvc;Serviço Segurança Familiar do Windows Live;c:\program files\Windows Live\Family Safety\fsssvc.exe [05-08-2009 21:48 704864]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [07-03-2009 03:14 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.20.250:8080
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\António Gomes\AppData\Roaming\Mozilla\Firefox\Profiles\e9r zilpn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.ftp - 192.168.20.250
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 192.168.20.250
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 192.168.20.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 192.168.20.250
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 192.168.20.250
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.d ll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug. dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

************************************************** ************************
Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos:

************************************************** ************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{ 22D78859-9CE9-4b77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\a60a23f1-8580-f559-b012-8638c60ef25]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1twof9nkz0jfy"=hex:37,62,30,30,65,34,37,39,2d,38, 66,36,66,2d,34,62,31,35,2d,
38,66,30,64,2d,33,39,66,61,64,39,66,38,35,31,36,64
"1bttvdb4pq5ov"=hex:65,00,00,00,f8,00,00,00,c1,46, e5,65,61,72,61,7a,69,00,00,
00,00,00,00,00,00,00,00,00,79,e4,00,7b,6f,8f,15,4b ,8f,0d,39,fa,d9,f8,51,6d,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Tempo para conclusão: 2010-01-02 18:19:35
ComboFix-quarantined-files.txt 2010-01-02 18:19
ComboFix2.txt 2010-01-02 03:15

Pré-execução: 67.349.299.200 bytes livres
Pós execução: 67.308.343.296 bytes livres

- - End Of File - - F9A5016BAABCCEC650A6022D9FC1E570

Thanks.......

**broni** · 02-01-2010

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:

File::
c:\windows\system32\colopcln.dll.vir


Folder::

Driver::

Registry::

RegLockDel::

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

**maxpayne____** · 03-01-2010

since i started again my computer it seems to have disappeared the trojan events from de Avira Antivirus.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:08:38, on 03-01-2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18865)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Radiocef Studio 2\Licenca\Server\RMLicServer.exe
C:\Windows\system32\WerCon.exe
C:\WINDOWS\RtHDVCpl.exe
C:\Windows\system32\WerFault.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\António Gomes\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 192.168.20.250:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Servidor de Licenca Radiocef Studio 2] "C:\Radiocef Studio 2\Licenca\Server\RMLicServer.exe"
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Launcher] %WINDIR%\SMINST\launcher.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\Windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe -Update -1150596 -"Mozilla/5.0_(Windows;_U;_Windows_NT_6.0;_pt-BR;_rv:1.9.0.16)_Gecko/2009120208_Firefox/3.0.16_(.NET_CLR_3.5.30729)" -"http://www.miniclip.com/games/motocross-urban-fever/pt/content_iframe.php"
O4 - HKUS\S-1-5-21-1780149496-2053220928-3784673967-1001\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'antgomes')
O4 - HKUS\S-1-5-21-1780149496-2053220928-3784673967-1001\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'antgomes')
O4 - Startup: Iniciação Rápida do Microsoft Office OneNote 2007.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~1.0_0\bin\ssv.dll
O9 - Extra button: Publicar em Blogue - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Publicar no Blogue no Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/de...e/HPDEXAXO.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn...Detection2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe...bat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PostgreSQL Database Server 8.3 (pgsql-8.3) - PostgreSQL Global Development Group - C:\Program Files\PostgreSQL\8.3\bin\pg_ctl.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 11285 bytes

COMBOFIX:

ComboFix 10-01-01.05 - António Gomes 03-01-2010 1:55.4.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.351.2070.18.2046.972 [GMT 0:00]
Executando de: c:\users\António Gomes\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\António Gomes\Desktop\CFScript.txt

FILE ::
"c:\windows\system32\colopcln.dll.vir"
.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-12-03 to 2010-01-03 ))))))))))))))))))))))))))))
.

2010-01-03 02:01 . 2010-01-03 02:01 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-01-03 02:01 . 2010-01-03 02:01 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-01-03 02:01 . 2010-01-03 02:01 -------- d-----w- c:\users\Convidado\AppData\Local\temp
2010-01-03 02:01 . 2010-01-03 02:01 -------- d-----w- c:\users\antgomes\AppData\Local\temp
2010-01-02 02:08 . 2006-06-19 12:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-01-02 02:08 . 2006-05-25 14:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-01-02 02:08 . 2005-08-26 00:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-01-02 02:08 . 2002-03-06 00:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-01-02 02:08 . 2003-02-02 19:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-01-02 00:42 . 2010-01-02 00:42 -------- d-----w- c:\programdata\Malwarebytes
2010-01-02 00:42 . 2010-01-02 02:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-09 03:10 . 2009-11-09 12:31 24064 ----a-w- c:\windows\system32\nshhttp.dll
2009-12-09 03:10 . 2009-11-09 12:30 30720 ----a-w- c:\windows\system32\httpapi.dll
2009-12-09 03:10 . 2009-11-09 10:36 411648 ----a-w- c:\windows\system32\drivers\http.sys
2009-12-08 23:12 . 2009-10-07 11:36 243712 ----a-w- c:\windows\system32\rastls.dll
2009-12-05 15:15 . 2009-12-05 15:16 -------- d-----w- c:\program files\DAEMON Tools Lite

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2010-01-03 01:51 . 2009-07-08 18:58 56597 ----a-w- c:\programdata\nvModes.dat
2010-01-02 19:47 . 2007-12-07 16:16 1076 ----a-w- c:\windows\bthservsdp.dat
2009-12-17 18:23 . 2009-07-08 18:58 -------- d-----w- c:\programdata\NVIDIA
2009-12-09 03:12 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-12-09 03:12 . 2008-11-15 21:02 -------- d-----w- c:\programdata\Microsoft Help
2009-12-08 15:13 . 2009-10-18 23:12 -------- d-----w- c:\programdata\WildTangent
2009-12-07 14:38 . 2009-08-22 11:23 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-12-05 15:16 . 2009-03-07 03:14 691696 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-12-05 15:15 . 2009-03-07 12:54 -------- d-----w- c:\programdata\DAEMON Tools Lite
2009-12-03 22:25 . 2009-10-25 12:50 75064 ----a-w- c:\windows\system32\PnkBstrA.exe
2009-12-02 22:09 . 2007-01-18 04:49 653540 ----a-w- c:\windows\system32\prfh0816.dat
2009-12-02 22:09 . 2007-01-18 04:49 128820 ----a-w- c:\windows\system32\prfc0816.dat
2009-11-30 18:02 . 2009-11-30 18:02 171144 ----a-w- c:\windows\system32\xliveinstall.dll
2009-11-30 18:02 . 2009-11-30 18:02 72840 ----a-w- c:\windows\system32\xliveinstallhost.exe
2009-11-21 06:40 . 2009-12-08 23:14 916480 ----a-w- c:\windows\system32\wininet.dll
2009-11-21 06:34 . 2009-12-08 23:14 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-11-21 06:34 . 2009-12-08 23:14 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-11-21 04:59 . 2009-12-08 23:14 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-11-19 23:48 . 2009-11-19 14:48 -------- d-----w- c:\program files\Graboid
2009-11-19 23:48 . 2009-11-19 14:49 -------- d-----w- c:\program files\VideoLAN
2009-11-19 14:49 . 2009-11-19 14:49 -------- d-----w- c:\program files\Mozilla ActiveX Control v1.7.12
2009-11-19 02:59 . 2009-11-19 02:59 -------- d-----w- c:\program files\Windows Portable Devices
2009-11-19 02:59 . 2006-11-02 10:25 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-19 02:58 . 2009-11-19 02:58 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_07_ 00.Wdf
2009-11-17 21:48 . 2009-10-25 12:11 -------- d-----w- c:\program files\Wolfenstein - Enemy Territory
2009-11-09 00:40 . 2009-10-25 12:51 139904 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2009-11-09 00:40 . 2009-10-25 12:50 189744 ----a-w- c:\windows\system32\PnkBstrB.exe
2009-11-08 17:59 . 2008-12-13 20:55 -------- d-----w- c:\program files\Common Files\Adobe
2009-11-06 10:59 . 2009-11-06 10:59 15406728 ----a-w- c:\windows\system32\xlive.dll
2009-11-06 10:59 . 2009-11-06 10:59 13642888 ----a-w- c:\windows\system32\xlivefnt.dll
2009-11-02 20:42 . 2009-10-03 11:52 195456 ----a-w- c:\windows\system32\MpSigStub.exe
2009-10-29 09:17 . 2009-11-25 13:15 2048 ----a-w- c:\windows\system32\tzres.dll
2009-10-21 10:43 . 2009-10-21 10:43 98304 ----a-w- c:\programdata\NexonEU\NGM\nxgameeu.dll
2009-10-21 10:43 . 2009-10-21 10:43 81920 ----a-w- c:\programdata\NexonEU\NGM\npNxGameeu.dll
2009-10-21 10:43 . 2009-10-21 10:43 532480 ----a-w- c:\programdata\NexonEU\NGM\NGMDll.dll
2009-10-21 10:43 . 2009-10-21 10:43 331776 ----a-w- c:\programdata\NexonEU\NGM\NGMResource.dll
2009-10-21 10:43 . 2009-10-21 10:43 258352 ----a-w- c:\programdata\NexonEU\NGM\unicows.dll
2009-10-21 10:43 . 2009-10-21 10:43 155648 ----a-w- c:\programdata\NexonEU\NGM\NGM.exe
2009-10-21 01:12 . 2009-10-21 01:12 421888 ----a-w- c:\windows\NEXON_EU_DownloaderUpdater.exe
2009-10-18 22:39 . 2009-10-18 22:39 90112 ----a-w- c:\programdata\NexonUS\NGM\npNxGameUS.dll
2009-10-18 22:39 . 2009-10-18 22:39 258352 ----a-w- c:\programdata\NexonUS\NGM\unicows.dll
2009-10-18 22:39 . 2009-10-18 22:39 118784 ----a-w- c:\programdata\NexonUS\NGM\nxgameus.dll
2009-10-18 22:39 . 2009-10-18 22:39 393216 ----a-w- c:\programdata\NexonUS\NGM\NGMResource.dll
2009-10-18 22:39 . 2009-10-18 22:39 561152 ----a-w- c:\programdata\NexonUS\NGM\NGMDll.dll
2009-10-18 22:39 . 2009-10-18 22:39 167936 ----a-w- c:\programdata\NexonUS\NGM\NGM.exe
2009-10-08 21:08 . 2009-11-19 00:17 234496 ----a-w- c:\windows\system32\oleacc.dll
2009-10-08 21:08 . 2009-11-19 00:17 555520 ----a-w- c:\windows\system32\UIAutomationCore.dll
2009-10-08 21:07 . 2009-11-19 00:17 4096 ----a-w- c:\windows\system32\oleaccrc.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-01-02_03.11.31 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-10-30 12:06 . 2010-01-02 19:52 59284 c:\windows\System32\WDI\ShutdownPerformanceDiagnos tics_SystemData.bin
+ 2008-11-15 20:48 . 2010-01-02 19:52 19268 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1780149496-2053220928-3784673967-1000_UserData.bin
- 2008-11-15 20:48 . 2010-01-02 02:59 19268 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-1780149496-2053220928-3784673967-1000_UserData.bin
+ 2008-11-15 20:45 . 2010-01-02 18:46 32768 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\index.dat
- 2008-11-15 20:45 . 2010-01-02 02:14 32768 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\Cookies\index.dat
+ 2008-11-15 20:45 . 2010-01-02 18:46 49152 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-15 20:45 . 2010-01-02 02:14 49152 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-11-15 20:45 . 2010-01-02 02:14 32768 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\History\History.IE5\index.d at
+ 2008-11-15 20:45 . 2010-01-02 18:46 32768 c:\windows\System32\config\systemprofile\AppData\L ocal\Microsoft\Windows\History\History.IE5\index.d at
+ 2010-01-02 19:48 . 2010-01-02 19:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive1.dat
- 2010-01-02 02:56 . 2010-01-02 02:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive1.dat
+ 2010-01-02 19:48 . 2010-01-02 19:48 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat
- 2010-01-02 02:56 . 2010-01-02 02:56 2048 c:\windows\ServiceProfiles\LocalService\AppData\Lo cal\lastalive0.dat
+ 2006-11-02 13:05 . 2010-01-02 19:52 108858 c:\windows\System32\WDI\BootPerformanceDiagnostics _SystemData.bin
- 2009-07-13 13:26 . 2010-01-02 01:28 245760 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-13 13:26 . 2010-01-02 18:46 245760 c:\windows\System32\config\systemprofile\AppData\R oaming\Microsoft\Windows\IETldCache\index.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\RunOnce]
"Shockwave Updater"="c:\windows\system32\Adobe\Shockwave 11\SwHelper_1150596.exe" [2009-04-29 468408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-09 729088]
"Servidor de Licenca Radiocef Studio 2"="c:\radiocef studio 2\Licenca\Server\RMLicServer.exe" [2008-10-31 2460160]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-09 4390912]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-23 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"NvMediaCenter"="c:\windows\system32\NvMcTray. dll" [2008-12-04 92704]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-12-04 13556256]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2007-02-12 174872]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\RunOnce]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-07 44128]

c:\users\Ant¢nio Gomes\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Inicia‡Æo R*pida do Microsoft Office OneNote 2007.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2008-10-25 98696]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-12-20 719664]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):fc,b1,cb,bc,76,40,ca,01

R2 {22D78859-9CE9-4b77-BF18-AC83E81A9263};{22D78859-9CE9-4b77-BF18-AC83E81A9263};c:\program files\HP\QuickPlay\000.fcl [30-10-2007 12:48 13560]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [22-08-2009 11:23 108289]
S2 pgsql-8.3;PostgreSQL Database Server 8.3;c:\program files\PostgreSQL\8.3\bin\pg_ctl.exe [01-02-2008 03:02 65536]
S3 FontCache;Serviço de Cache de Tipos de Letra do Windows;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [23-11-2008 12:54 21504]
S3 fssfltr;FssFltr;c:\windows\System32\drivers\fssflt r.sys [16-09-2009 12:07 54632]
S3 fsssvc;Serviço Segurança Familiar do Windows Live;c:\program files\Windows Live\Family Safety\fsssvc.exe [05-08-2009 21:48 704864]
S4 sptd;sptd;c:\windows\System32\drivers\sptd.sys [07-03-2009 03:14 691696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
uInternet Settings,ProxyServer = 192.168.20.250:8080
uInternet Settings,ProxyOverride = *.local;<local>
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\users\António Gomes\AppData\Roaming\Mozilla\Firefox\Profiles\e9r zilpn.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://www.bing.com/search?FORM=IEFM1&q=
FF - prefs.js: network.proxy.ftp - 192.168.20.250
FF - prefs.js: network.proxy.ftp_port - 8080
FF - prefs.js: network.proxy.gopher - 192.168.20.250
FF - prefs.js: network.proxy.gopher_port - 8080
FF - prefs.js: network.proxy.http - 192.168.20.250
FF - prefs.js: network.proxy.http_port - 8080
FF - prefs.js: network.proxy.socks - 192.168.20.250
FF - prefs.js: network.proxy.socks_port - 8080
FF - prefs.js: network.proxy.ssl - 192.168.20.250
FF - prefs.js: network.proxy.ssl_port - 8080
FF - prefs.js: network.proxy.type - 4
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nppl3260.d ll
FF - plugin: c:\program files\VistaCodecPack\rm\browser\plugins\nprpjplug. dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\programdata\NexonEU\NGM\npNxGameeu.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

************************************************** ************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-01-03 02:01
Windows 6.0.6002 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

************************************************** ************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{ 22D78859-9CE9-4b77-BF18-AC83E81A9263}]
"ImagePath"="\??\c:\program files\HP\QuickPlay\000.fcl"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\a60a23f1-8580-f559-b012-8638c60ef25]
@Denied: (Full) (AuthenticatedUsers)
@Denied: (Full) (Administrators)
"1twof9nkz0jfy"=hex:37,62,30,30,65,34,37,39,2d,38, 66,36,66,2d,34,62,31,35,2d,
38,66,30,64,2d,33,39,66,61,64,39,66,38,35,31,36,64
"1bttvdb4pq5ov"=hex:65,00,00,00,f8,00,00,00,c1,46, e5,65,61,72,61,7a,69,00,00,
00,00,00,00,00,00,00,00,00,79,e4,00,7b,6f,8f,15,4b ,8f,0d,39,fa,d9,f8,51,6d,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Cl ass\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Tempo para conclusão: 2010-01-03 02:04:18
ComboFix-quarantined-files.txt 2010-01-03 02:04
ComboFix2.txt 2010-01-02 19:46
ComboFix3.txt 2010-01-02 18:19
ComboFix4.txt 2010-01-02 03:15

Pré-execução: 67.810.967.552 bytes livres
Pós execução: 67.771.301.888 bytes livres

- - End Of File - - 87FC5914B51F47511575503095F2CA00

Thanks again

**broni** · 03-01-2010

Very good

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Restart computer.

================================================== ===========

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming executive file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure, you update Superantispyware, and Malwarebytes before running the scans.***

STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.
* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.
* Click Close to exit the program.
Post SUPERAntiSpyware log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3.
Post fresh HijackThis log.
NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

**maxpayne____** · 03-01-2010

here is my antyspyware log:

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 01/03/2010 at 03:11 PM

Application Version : 4.32.1000

Core Rules Database Version : 4441
Trace Rules Database Version: 2265

Scan type : Complete Scan
Total Scan Time : 01:57:04

Memory items scanned : 257
Memory threats detected : 0
Registry items scanned : 8932
Registry threats detected : 0
File items scanned : 209967
File threats detected : 0

I'll send you the malware log right away,Thanks

[Resolved] TR/Spy.Ursnif.35328l Trojan

[Resolved] TR/Spy.Ursnif.35328l Trojan

Similar Threads

[Resolved] Win32/spy.ursnif.A Virus

[RESOLVED] trojan-please help

[RESOLVED] trojan-please help

Trojan j.exe (RESOLVED)

Trojan help (RESOLVED)