Messages - Plinti

1
Tech Clinic / Pop ups + tray problem
« on: January 05, 2005, 09:08:46 PM »
Sorry, I did not notice I had not selected all the text before ctrl+c..

Here it is, the full output.txt:

=====
Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Misc\Find It NT-2K-XP

 ------- System Files in System32 Directory -------
 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

22/11/2004  21:26    <DIR>          dllcache
               0 arquivo(s)              0 bytes
               1 pasta(s)  5.669.924.864 bytes disponíveis

 ------- Hidden Files in System32 Directory -------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

22/11/2004  21:26    <DIR>          dllcache
25/09/2003  14:39             6.696 200309.npl
05/07/2003  03:53               488 WindowsLogon.manifest
05/07/2003  03:53               488 logonui.exe.manifest
05/07/2003  03:52               749 wuaucpl.cpl.manifest
05/07/2003  03:52               749 cdplayer.exe.manifest
05/07/2003  03:52               749 sapi.cpl.manifest
05/07/2003  03:52               749 ncpa.cpl.manifest
05/07/2003  03:52               749 nwc.cpl.manifest
               8 arquivo(s)         11.417 bytes
               1 pasta(s)  5.669.924.864 bytes disponíveis

 ---------- Files Named "Guard" -------------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32


 --------- Temp Files in System32 Directory --------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

28/10/2001  15:06             2.969 CONFIG.TMP
               1 arquivo(s)          2.969 bytes
               0 pasta(s)  5.669.916.672 bytes disponíveis

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ------------------ Locate.com Results ------------------

No matches found.

 ------------ Strings.exe Qoologic Results ------------


 -------------- Strings.exe Aspack Results -------------


 ----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
=====

And a fresh hijackthis:

=====
Logfile of HijackThis v1.99.0
Scan saved at 22:00:25, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\Util\HijackThis.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

=====

2
Tech Clinic / Pop ups + tray problem
« on: January 05, 2005, 06:18:32 PM »
New logs:

output.txt
============
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ------------------ Locate.com Results ------------------

No matches found.

 ------------ Strings.exe Qoologic Results ------------


 -------------- Strings.exe Aspack Results -------------


 ----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"
============

Hijackthis
============
Logfile of HijackThis v1.99.0
Scan saved at 19:03:13, on 5/1/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\Util\HijackThis.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

============

thank you!

3
Tech Clinic / Pop ups + tray problem
« on: January 05, 2005, 12:20:29 AM »
New logs are on the way!

output.txt:
============
Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Misc\Find It NT-2K-XP

 ------- System Files in System32 Directory -------
 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

22/11/2004  21:26    <DIR>          dllcache
               0 arquivo(s)              0 bytes
               1 pasta(s)  5.677.359.104 bytes disponíveis

 ------- Hidden Files in System32 Directory -------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

22/11/2004  21:26    <DIR>          dllcache
25/09/2003  14:39             6.696 200309.npl
05/07/2003  03:53               488 WindowsLogon.manifest
05/07/2003  03:53               488 logonui.exe.manifest
05/07/2003  03:52               749 wuaucpl.cpl.manifest
05/07/2003  03:52               749 cdplayer.exe.manifest
05/07/2003  03:52               749 sapi.cpl.manifest
05/07/2003  03:52               749 ncpa.cpl.manifest
05/07/2003  03:52               749 nwc.cpl.manifest
               8 arquivo(s)         11.417 bytes
               1 pasta(s)  5.677.359.104 bytes disponíveis

 ---------- Files Named "Guard" -------------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

05/01/2005  01:01                56 Guard.tmp
               1 arquivo(s)             56 bytes
               0 pasta(s)  5.677.355.008 bytes disponíveis

 --------- Temp Files in System32 Directory --------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

05/01/2005  01:01                56 Guard.tmp
28/10/2001  15:06             2.969 CONFIG.TMP
               2 arquivo(s)          3.025 bytes
               0 pasta(s)  5.677.350.912 bytes disponíveis

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8805lue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ------------------ Locate.com Results ------------------

No matches found.

 ------------ Strings.exe Qoologic Results ------------


 -------------- Strings.exe Aspack Results -------------


 ----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

============


Hijackthis:
============
Logfile of HijackThis v1.99.0
Scan saved at 01:08:00, on 5/1/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

============

Thanks in advance!

4
Tech Clinic / Pop ups + tray problem
« on: January 04, 2005, 05:05:51 PM »
Done everything as you asked, except for CWShredder. It crashes every time I execute it..

So, new logs:

Symantec:
============
Symantec Backdoor.Agent.B Removal Tool 1.0.1.2


C:\Games\RagOnline\data\palette\??: (not scanned)
C:\Games\RagOnline\data\palette\?: (not scanned)
C:\System Volume Information: (not scanned)
Backdoor.Agent.B has not been found on your computer.
============

FindIt:
============
Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Misc\Find It NT-2K-XP

 ------- System Files in System32 Directory -------
 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

04/01/2005  12:26                56 hr8805lue.dll
22/11/2004  21:26    <DIR>          dllcache
               1 arquivo(s)             56 bytes
               1 pasta(s)  5.704.515.584 bytes disponíveis

 ------- Hidden Files in System32 Directory -------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

22/11/2004  21:26    <DIR>          dllcache
25/09/2003  14:39             6.696 200309.npl
05/07/2003  03:53               488 WindowsLogon.manifest
05/07/2003  03:53               488 logonui.exe.manifest
05/07/2003  03:52               749 wuaucpl.cpl.manifest
05/07/2003  03:52               749 cdplayer.exe.manifest
05/07/2003  03:52               749 sapi.cpl.manifest
05/07/2003  03:52               749 ncpa.cpl.manifest
05/07/2003  03:52               749 nwc.cpl.manifest
               8 arquivo(s)         11.417 bytes
               1 pasta(s)  5.704.515.584 bytes disponíveis

 ---------- Files Named "Guard" -------------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

04/01/2005  17:17                56 Guard.tmp
               1 arquivo(s)             56 bytes
               0 pasta(s)  5.704.511.488 bytes disponíveis

 --------- Temp Files in System32 Directory --------

 O volume na unidade C é Lisandra
 O número de série do volume é C4A0-296A

 Pasta de C:\WINDOWS\System32

04/01/2005  17:17                56 Guard.tmp
28/10/2001  15:06             2.969 CONFIG.TMP
               2 arquivo(s)          3.025 bytes
               0 pasta(s)  5.704.507.392 bytes disponíveis

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Dynamic Directory]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\hr8805lue.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
   hr8805~1.dll   Tue  4 Jan 2005  12:26:56   ..S.R             56     0,05 K

1 item found:  1 file, 0 directories.
   Total of file sizes:  56 bytes      0,05 K

 ------------ Strings.exe Qoologic Results ------------


 -------------- Strings.exe Aspack Results -------------


 ----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


============

DLLCompare:
============
*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\hr8805~1.dll   Tue  4 Jan 2005  12:26:56   ..S.R             56     0,05 K
________________________________________________

1.329 items found:  1.329 files (1 H/S), 0 directories.
Total of file sizes:  254.040.336 bytes    242,27 M

Administrator Account =  True

--------------------End log---------------------

============

Hijackthis:
============
Logfile of HijackThis v1.99.0
Scan saved at 18:00:53, on 4/1/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\eMule\emule.exe
C:\Arquivos de programas\Kazaa Lite\KazaaLite.kpp
C:\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

============

Thank you for all your patience and help!

5
Tech Clinic / Pop ups + tray problem
« on: January 04, 2005, 02:46:05 PM »
The DLLCompare log:
================

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\h00q0a~1.dll   Tue  4 Jan 2005  12:04:44   ..S.R        225.356   220,07 K
C:\WINDOWS\SYSTEM32\hr8805~1.dll   Tue  4 Jan 2005  12:26:56   ..S.R             56     0,05 K
________________________________________________

1.329 items found:  1.329 files (2 H/S), 0 directories.
Total of file sizes:  254.265.636 bytes    242,48 M

Administrator Account =  True

--------------------End log---------------------


===========

Thank you for your help!

6
Tech Clinic / Pop ups + tray problem
« on: January 04, 2005, 11:45:04 AM »
Thank you for your help!

So, here are the logs:


FindIT:
===================

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Misc\Find It NT-2K-XP

 ------- System Files in System32 Directory -------
 Volume in drive C is Lisandra
 Volume Serial Number is C4A0-296A

 Directory of C:\WINDOWS\System32

04/01/2005  12:26                56 hr8805lue.dll
04/01/2005  12:04           225.356 h00q0ad5ed0.dll
22/11/2004  21:26    <DIR>          dllcache
               2 File(s)        225.412 bytes
               1 Dir(s)  5.738.717.184 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C is Lisandra
 Volume Serial Number is C4A0-296A

 Directory of C:\WINDOWS\System32

22/11/2004  21:26    <DIR>          dllcache
25/09/2003  14:39             6.696 200309.npl
05/07/2003  03:53               488 WindowsLogon.manifest
05/07/2003  03:53               488 logonui.exe.manifest
05/07/2003  03:52               749 wuaucpl.cpl.manifest
05/07/2003  03:52               749 cdplayer.exe.manifest
05/07/2003  03:52               749 sapi.cpl.manifest
05/07/2003  03:52               749 ncpa.cpl.manifest
05/07/2003  03:52               749 nwc.cpl.manifest
               8 File(s)         11.417 bytes
               1 Dir(s)  5.738.717.184 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C is Lisandra
 Volume Serial Number is C4A0-296A

 Directory of C:\WINDOWS\System32

04/01/2005  12:29           226.031 guard.tmp
               1 File(s)        226.031 bytes
               0 Dir(s)  5.738.713.088 bytes free

 --------- Temp Files in System32 Directory --------

 Volume in drive C is Lisandra
 Volume Serial Number is C4A0-296A

 Directory of C:\WINDOWS\System32

04/01/2005  12:29           226.031 guard.tmp
28/10/2001  15:06             2.969 CONFIG.TMP
               2 File(s)        229.000 bytes
               0 Dir(s)  5.738.708.992 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h00q0ad5ed0.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ------------------ Locate.com Results ------------------

C:\WINDOWS\SYSTEM32\
   h00q0a~1.dll   Tue  4 Jan 2005  12:04:44   ..S.R        225.356   220,07 K
   hr8805~1.dll   Tue  4 Jan 2005  12:26:56   ..S.R             56     0,05 K

2 items found:  2 files, 0 directories.
   Total of file sizes:  225.412 bytes    220,13 K

 ------------ Strings.exe Qoologic Results ------------


 -------------- Strings.exe Aspack Results -------------


 ----------------- HKLM Run Key ------------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mouseElf"="C:\\ARQUIV~1\\GENIUS~1\\GNETMOUS.EXE"
"CloneCDElbyCDFL"="\"C:\\Arquivos de programas\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\System32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AudioHQ"="C:\\Arquivos de programas\\Creative\\SBLive\\AudioHQ\\AHQTB.EXE"
"SMSERIAL"="sm56hlpr.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
  65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"QuickTime Task"="\"C:\\Arquivos de programas\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\ARQUIV~1\\AVGFRE~1\\avgcc.exe /STARTUP"
"AVG7_EMC"="C:\\ARQUIV~1\\AVGFRE~1\\avgemc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"


======================


Hijackthis
======================

Logfile of HijackThis v1.99.0
Scan saved at 12:39:40, on 4/1/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe


==========================

I won't be rebooting the machine anymore until the next fixes.
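The Notify keys in the FindIt output above show what the persistence looks like: next to the stock Windows notification packages, which are registered by bare filename (wlnotify.dll, crypt32.dll, cryptnet.dll, cscdll.dll, sclgntfy.dll), a subkey named Run points at a hidden, random-named DLL in system32 that Winlogon loads on Logon, Logoff and Shutdown, which is why it survives reboots and why the file shows up as unreadable to ordinary tools while the system is up. The script below is an added example, not code from the thread or from any of the tools used in it. It parses a REGEDIT4 export of the Notify keys (decoding the hex(2) REG_EXPAND_SZ values the export uses for some DllName entries) and flags subkeys whose DllName is not in an assumed allowlist of stock XP notification DLLs, is given as an absolute path, or looks machine-generated. The sample export is constructed from the keys posted above, trimmed to three subkeys.

```python
"""Audit a REGEDIT4 export of Winlogon\\Notify for rogue notification packages.

Added example, not code from the thread or its tools.  The export below is
constructed from the Notify keys posted in the thread (trimmed to three
subkeys); KNOWN_NOTIFY_DLLS is an assumed allowlist of the stock XP packages.
"""
import re

# Stock Windows XP notification DLLs (assumption; extend for other builds).
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll", "wlnotify.dll",
}

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Run]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\h00q0ad5ed0.dll"
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def decode_hex2(payload):
    """hex(2) is REG_EXPAND_SZ: comma-separated bytes, NUL-terminated (ANSI here)."""
    raw = bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return raw.split(b"\x00", 1)[0].decode("latin-1")


def decode_value(rhs):
    rhs = rhs.strip()
    if rhs.startswith('"') and rhs.endswith('"'):          # REG_SZ with .reg escaping
        return rhs[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if rhs.startswith("hex(2):"):
        return decode_hex2(rhs[len("hex(2):"):])
    if rhs.startswith("dword:"):
        return int(rhs[len("dword:"):], 16)
    return rhs


def parse_notify_export(text):
    """Return {subkey: {value_name_lower: value}} for every key directly under Notify."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\") and (pending or "=hex" in line):  # hex value continued on next line
            pending = line[:-1]
            continue
        pending = ""
        m = KEY_RE.match(line)
        if m:
            parent, _, leaf = m.group(1).rpartition("\\")
            current = keys.setdefault(leaf, {}) if parent.lower().endswith("\\winlogon\\notify") else None
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = decode_value(m.group(2))   # DllName and DLLName both occur
    return keys


def audit_notify(keys):
    """Return [(subkey, dll, [reasons])] for entries that do not look like stock packages."""
    findings = []
    for name, values in keys.items():
        dll = values.get("dllname")
        if not isinstance(dll, str):
            continue
        base = dll.replace("\\", "/").rsplit("/", 1)[-1].lower()
        reasons = []
        if base not in KNOWN_NOTIFY_DLLS:
            reasons.append("DLL not in the stock allowlist")
        if "\\" in dll:
            reasons.append("absolute path; stock entries are bare filenames resolved from system32")
        if re.fullmatch(r"[a-z0-9]{8,}\.dll", base) and re.search(r"\d", base):
            reasons.append("machine-generated-looking filename (heuristic)")
        if reasons:
            findings.append((name, dll, reasons))
    return findings


if __name__ == "__main__":
    for name, dll, reasons in audit_notify(parse_notify_export(SAMPLE_EXPORT)):
        print(f"Notify\\{name} -> {dll}: " + "; ".join(reasons))
```

Run against the keys from the thread, only the Run subkey is reported, on all three counts. The allowlist is the weak point of any such check: a build with extra legitimate packages (smart-card or VPN clients register their own) needs those names added, which is why the path and filename heuristics are kept as independent signals rather than folded into the allowlist test.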

7
Tech Clinic / Pop ups + tray problem
« on: January 03, 2005, 10:22:14 PM »
First of all, thank you very much for your help and quick response.

Done everything as you've told me, except for:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home

Since it's my internet connection provider, I thought it would be better not to clean up this line.

So, the updated logs:

VX2 Finder
================

Log for VX2.BetterInternet File Finder (msg126)

Files Found---
 
Additional Files---
 
Keys Under Notify---
Controls Folder
crypt32chain
cryptnet
cscdll
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
wlballoon


Guardian Key--- is called:

User Agent String---
{72AB36EE-31E0-4CC6-976A-32AE6865C821}

==================


DLLCompare
==================

*    DLLCompare Log version(1.0.0.127)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\f6j2lg~1.dll   Sat  1 Jan 2005  20:46:44   ..S.R        224.811   219,54 K
C:\WINDOWS\SYSTEM32\hr4s05~1.dll   Sat  1 Jan 2005  21:21:18   ..S.R        225.214   219,93 K
C:\WINDOWS\SYSTEM32\hr8605~1.dll   Sat  1 Jan 2005  20:58:46   ..S.R        224.958   219,68 K
C:\WINDOWS\SYSTEM32\lv6o09~1.dll   Mon  3 Jan 2005  22:36:46   ..S.R        224.856   219,59 K
C:\WINDOWS\SYSTEM32\lv6s09~1.dll   Mon  3 Jan 2005  22:28:30   ..S.R        223.717   218,47 K
________________________________________________

1.328 items found:  1.328 files (5 H/S), 0 directories.
Total of file sizes:  255.161.917 bytes    243,34 M

Administrator Account =  True

--------------------End log---------------------

================

FindIt
================

Warning! This utility will find legitimate files in addition to malware.  
Do not remove anything unless you are sure you know what you're doing.

 ------- System Files in System32 Directory -------

 Volume in drive C is Lisandra
 Volume Serial Number is C4A0-296A

 Directory of C:\WINDOWS\System32

03/01/2005  22:36           224.856 lv6o09j3e.dll
03/01/2005  22:28           223.717 lv6s09j7e.dll
01/01/2005  21:21           225.214 hr4s05h7e.dll
01/01/2005  20:58           224.958 hr8605lse.dll
01/01/2005  20:46           224.811 f6j2lg1o16.dll
22/11/2004  21:26    <DIR>          dllcache
               5 File(s)      1.123.556 bytes
               1 Dir(s)  5.760.028.672 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C is Lisandra
 Volume Serial Number is C4A0-296A

 Directory of C:\WINDOWS\System32

22/11/2004  21:26    <DIR>          dllcache
25/09/2003  14:39             6.696 200309.npl
05/07/2003  03:53               488 WindowsLogon.manifest
05/07/2003  03:53               488 logonui.exe.manifest
05/07/2003  03:52               749 wuaucpl.cpl.manifest
05/07/2003  03:52               749 cdplayer.exe.manifest
05/07/2003  03:52               749 sapi.cpl.manifest
05/07/2003  03:52               749 ncpa.cpl.manifest
05/07/2003  03:52               749 nwc.cpl.manifest
               8 File(s)         11.417 bytes
               1 Dir(s)  5.760.024.576 bytes free

 ---------- Files Named "Guard" -------------

 Volume in drive C is Lisandra
 Volume Serial Number is C4A0-296A

 Directory of C:\WINDOWS\System32

03/01/2005  22:57           224.847 guard.tmp
               1 File(s)        224.847 bytes
               0 Dir(s)  5.760.020.480 bytes free

 --------- Temp Files in System32 Directory --------

 Volume in drive C is Lisandra
 Volume Serial Number is C4A0-296A

 Directory of C:\WINDOWS\System32

03/01/2005  22:57           224.847 guard.tmp
28/10/2001  15:06             2.969 CONFIG.TMP
               2 File(s)        227.816 bytes
               0 Dir(s)  5.760.020.480 bytes free

 ---------------- User Agent ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{72AB36EE-31E0-4CC6-976A-32AE6865C821}"=""


 ------------ Keys Under Notify ------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Controls Folder]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\lv6s09j7e.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,33,32,2e,64,6c,6c,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,72,79,70,74,6e,65,74,2e,64,6c,6c,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,63,6c,67,6e,74,66,79,2e,64,6c,6c,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,6c,6e,6f,74,69,66,79,2e,64,6c,6c,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


 ---------------- Xfind Results -----------------

C:\WINDOWS\System32\LV6O09~1.DLL +++ File read error

 -------------- Locate.com Results ---------------


C:\WINDOWS\SYSTEM32\
   f6j2lg~1.dll   Sat  1 Jan 2005  20:46:44   ..S.R        224.811   219,54 K
   hr4s05~1.dll   Sat  1 Jan 2005  21:21:18   ..S.R        225.214   219,93 K
   hr8605~1.dll   Sat  1 Jan 2005  20:58:46   ..S.R        224.958   219,68 K
   lv6o09~1.dll   Mon  3 Jan 2005  22:36:46   ..S.R        224.856   219,59 K
   lv6s09~1.dll   Mon  3 Jan 2005  22:28:30   ..S.R        223.717   218,47 K

5 items found:  5 files, 0 directories.
   Total of file sizes:  1.123.556 bytes      1,07 M

=======================


New hijackthis log
=======================
Logfile of HijackThis v1.99.0
Scan saved at 23:10:46, on 3/1/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\sm56hlpr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\devldr32.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\eMule\emule.exe
C:\Arquivos de programas\Kazaa Lite\KazaaLite.kpp
C:\Util\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe

====================

Thanks again!

8
Tech Clinic / Pop ups + tray problem
« on: January 03, 2005, 03:51:29 PM »
Hi,

I've just found this forum while searching for help on Google. I hope my questions won't bother you, but I can't figure out how to fix my computer.

The pop-ups won't stop appearing (in IE at any time, and in Mozilla when it is open), and I can't maximize IE, or it will place itself lower than the tray bar. Also, when I minimize any program, it will always be at the first position in the tools bar, never in its current location.

What can I do to solve this? I've tried Ad-Aware, but it has not found anything wrong to fix.

The hijackthis log:

===========

Logfile of HijackThis v1.99.0
Scan saved at 16:33:16, on 3/1/2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\sm56hlpr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_SICN03.EXE
C:\WINDOWS\System32\alg.exe
C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Arquivos de programas\eMule\emule.exe
C:\Arquivos de programas\Kazaa Lite\KazaaLite.kpp
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\AVGFRE~1\avgcc.exe
C:\ARQUIV~1\AVGFRE~1\avgemc.exe
C:\IntDown\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://wer-mit-wem.webhop.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.veloxzone.com.br/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://213.159.117.134/index.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R3 - URLSearchHook: (no name) - _{CA0E28FA-1AFD-4C21-A8DC-70EB5BE2F076} - (no file)
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 127.0.0.3 x.full-tgp.net
O1 - Hosts: 127.0.0.3 counter.sexmaniack.com
O1 - Hosts: 127.0.0.3 autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.autoescrowpay.com
O1 - Hosts: 127.0.0.3 www.awmdabest.com
O1 - Hosts: 127.0.0.3 www.sexfiles.nu
O1 - Hosts: 127.0.0.3 awmdabest.com
O1 - Hosts: 127.0.0.3 sexfiles.nu
O1 - Hosts: 127.0.0.3 allforadult.com
O1 - Hosts: 127.0.0.3 www.allforadult.com
O1 - Hosts: 127.0.0.3 www.iframe.biz
O1 - Hosts: 127.0.0.3 iframe.biz
O1 - Hosts: 127.0.0.3 www.newiframe.biz
O1 - Hosts: 127.0.0.3 newiframe.biz
O1 - Hosts: 127.0.0.3 www.vesbiz.biz
O1 - Hosts: 127.0.0.3 vesbiz.biz
O1 - Hosts: 127.0.0.3 www.pizdato.biz
O1 - Hosts: 127.0.0.3 pizdato.biz
O1 - Hosts: 127.0.0.3 www.aaasexypics.com
O1 - Hosts: 127.0.0.3 aaasexypics.com
O1 - Hosts: 127.0.0.3 www.virgin-tgp.net
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 search.netscape.com
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O1 - Hosts: 69.20.16.183 ieautosearch
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: IEMenuExtension toolbar - {6b95678d-30a4-4ff8-a72f-4208340c1f7f} - C:\Arquivos de programas\IEMenuExtension\tbextn.dll (file missing)
O4 - HKLM\..\Run: [mouseElf] C:\ARQUIV~1\GENIUS~1\GNETMOUS.EXE
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Arquivos de programas\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AudioHQ] C:\Arquivos de programas\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARQUIV~1\AVGFRE~1\avgemc.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.slotchbar.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.iframedollars.biz (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.slotchbar.com (HKLM)
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.ysbweb.com (HKLM)
O15 - Trusted IP range: 213.159.117.202
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv408/x.chm::/load.exe
O16 - DPF: {11111111-1111-1111-1111-111111113457} - file://c:\explorer.cab
O16 - DPF: {9A19966F-AE0E-4699-8CCE-9B6F5F1C352C} (NPKXSite Control) - http://kr.pristontale.com/nprotect/keycryp...pt/npkxsite.cab
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
O23 - Service: AVG7 Alert Manager Server - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service - GRISOFT, s.r.o. - C:\ARQUIV~1\AVGFRE~1\avgupsvc.exe


===============

Thanks in advance for your patience and help!
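Added example, not part of Plinti's post and not code from HijackThis: a small Python triage script that reads lines in the HijackThis format above and flags the hijack patterns visible in this log (IE start/default pages pointed at a raw IP, hosts-file entries that redirect search hostnames to an outside address or sinkhole them to something other than 127.0.0.1, Trusted Zone/Trusted IP additions, and O16 DPF entries that load through ms-its:/mhtml:/file: instead of an http URL). The sample lines are copied from the log above; the severity rules, the allowlist of sinkhole addresses and the set of "local" schemes are my own assumptions, not anything the original post or the tool defines.

```python
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://213.159.117.134/index.php
O1 - Hosts: 127.0.0.3 n-glx.s-redirect.com
O1 - Hosts: 69.20.16.183 auto.search.msn.com
O1 - Hosts: 69.20.16.183 ieautosearch
O15 - Trusted Zone: *.iframedollars.biz
O15 - Trusted IP range: 213.159.117.202 (HKLM)
O16 - DPF: {11111111-1111-1111-1111-111111111157} - ms-its:mhtml:file://c:\nosuch.mht!http://iframedollars.biz/dl/adv408/x.chm::/load.exe
O16 - DPF: {CFCB7308-782F-11D4-BE27-000102598CE4} (NPX Control) - http://kr.pristontale.com/nprotect/nprotect/npx.cab
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\AVGFRE~1\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E291AD3-65D3-4154-96CB-17D1FCA333A8}: NameServer = 200.165.132.155 200.149.55.142
"""

@dataclass
class Finding:
    section: str
    severity: str   # "high" = almost certainly a hijack, "review" = needs a human look
    reason: str
    line: str

LINE_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
DPF_RE = re.compile(r"^DPF: (\{[0-9A-Fa-f-]+\})(?: \(([^)]*)\))? - (\S+)")
URL_VALUE_RE = re.compile(r"= (\S+)$")
NAMESERVER_RE = re.compile(r"NameServer = (.*)$")

# Assumption: these are the only hosts-file targets that are plain sinkholes.
BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}
# Assumption: a Download Program Files (O16) source should never use these schemes.
LOCAL_SCHEMES = {"file", "ms-its", "mhtml", "its"}

def _is_raw_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze_line(line: str):
    """Return a Finding for one HijackThis line, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    if section in ("R0", "R1"):
        u = URL_VALUE_RE.search(rest)
        host = urlsplit(u.group(1)).hostname if u else None
        if host and _is_raw_ip(host):
            return Finding(section, "high", f"IE page value points at raw IP {host}", line)
        return None
    if section == "O1":
        h = HOSTS_RE.match(rest)
        if not h:
            return None
        addr, name = h.group(1), h.group(2)
        if addr in BENIGN_HOSTS_TARGETS:
            return None
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return Finding(section, "review", f"unparseable hosts address {addr!r}", line)
        if ip.is_loopback or ip.is_unspecified:
            # 127.0.0.3 still blocks the name, but it is not the usual sinkhole address
            return Finding(section, "review", f"{name} sinkholed to non-standard loopback {addr}", line)
        # A real address: traffic for that name goes somewhere the user did not choose
        return Finding(section, "high", f"{name} redirected to external address {addr}", line)
    if section == "O15":
        target = rest.split(":", 1)[1].strip()
        return Finding(section, "high", f"trusted-zone entry lowers IE security for {target}", line)
    if section == "O16":
        d = DPF_RE.match(rest)
        if not d:
            return Finding(section, "review", "unparseable DPF entry", line)
        clsid, name, src = d.groups()
        scheme = src.split(":", 1)[0].lower()
        if scheme in LOCAL_SCHEMES or src.lower().endswith(".exe"):
            return Finding(section, "high", f"DPF {clsid} loads an executable via {scheme}: ({src})", line)
        return Finding(section, "review", f"DPF {clsid} ({name or 'no name'}) from {src}", line)
    if section == "O17":
        n = NAMESERVER_RE.search(rest)
        if n:
            return Finding(section, "review", f"DNS servers {n.group(1)}: confirm they belong to the ISP", line)
    return None

def analyze(text: str):
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]

def summarize(findings):
    counts = {"high": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}")
    print(summarize(analyze(SAMPLE_LOG)))
```

Running it against the sample prints nine findings: the raw-IP default page, the two 69.20.16.183 redirects, the two Trusted Zone lines and the ms-its: DPF entry as "high"; the 127.0.0.3 sinkhole, the npx.cab control and the DNS servers as "review". O4 run entries are deliberately not scored here, since the path alone does not tell you whether a startup item is legitimate.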
