Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Marcelo Almeida - HijackThis Log

Post by Marcelo Almeida » July 11th, 2006, 8:10 pm

Part 4:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}03D9A2A83030-C6C9-D744-CD5E-B94E9DC0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}620B13F22DF4-737B-F444-E4E1-F397236B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BE6202BF64F4-414A-03D4-07D0-8FDEAA08{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}54550E10A87E-B61A-0B54-45E9-3A013F26{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}129426ABF65B-E5A8-8474-C258-E682A53D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}42082FA4519A-0A2B-A704-C030-2D0644CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C18E36620046-11F8-0534-B8DC-9441125E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}24A8A0A43CE6-5BA9-BDA4-E043-6898AA14{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C69250924DE1-3EFB-7274-B00E-9516ED6C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F28489C11C68-0F68-7084-F951-4F1AE4C6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C23FFB709608-F00A-6244-78A7-939AACF8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E6A311E57D7C-65CA-DBE4-F297-11D0D810{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7339E196ACF3-A458-6B04-C41B-9723B165{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}370DA93B2DAA-2F1A-AF44-E5CA-40FCDEB3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B480C6E34F8B-33AB-C6B4-75BD-43864796{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A6F911A0117D-9E68-D634-7A17-1270EAD8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}160D326D7D2A-B42A-E1E4-8F31-E7906B8E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}99439C37741E-765B-D174-C6DE-05F066B5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}118162B62F41-2C5B-2B84-8417-3032421F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}479E9709C3F4-B70A-4F04-6629-268EA5B3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A8681855AE43-85E9-8B24-3AB7-ACECB733{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6E54C20BDB3B-19B9-1ED4-2364-ADA74FBD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE592DD43D53-8249-AE84-F5AE-7BE041EF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E21192DFFB2C-ADBB-3894-749B-A26637DF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B46CFC32B96A-13CB-9C84-B0C4-3B7B1E69{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0D41A4EA63E3-0A38-57E4-5441-A6627386{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}62EF115C89A7-1539-9144-3E21-5A91D9EB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B5BE59AF72B2-4D99-BA24-CC34-E74A656A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}89F3BCB9CAF2-BBDA-6714-1A3E-732A5A21{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5E572C625325-5739-4FD4-39F5-F45E5BFC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0109B15ABDCA-0089-1E14-D76F-FDCE23B0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ADD0606063FA-985B-35E4-DDA3-700543E5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2388E9B24C72-931A-7894-02E6-62A247F6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F503D35758DC-7519-E0C4-0469-9E0A0EBF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}16015FB49E49-D5F9-93B4-AC4F-D32E08D6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1F088207759C-BD9A-4DB4-802A-E1E273A8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F2AE07FE32B7-13EB-20A4-AEA5-EBC63C73{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF6BFF500FB9-285A-B6F4-EC54-6860D38B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BF0CE4908FBF-C5F9-B2D4-8DB1-DCAF392C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E3B38F2383EE-BE38-48E4-7714-5D89A952{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8DD79033F872-8B7A-36F4-E971-198D3E3A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1E24419F3458-7C0A-DAD4-C129-70D279A2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D6938279390C-FBE9-F934-F88D-DAAB2C7B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6118F3308A4C-2CE8-37B4-52C8-980114F1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D4F0DC6108B5-147A-8EB4-7E68-22AF68C2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6C6DA926D410-B95B-9C74-E6C3-0C3BE765{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}93F554D2BA60-6A7A-0974-8852-48047AB4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}728463908855-5EAB-96D4-5208-D06425F1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CB8003B0FB5C-41D9-B274-4114-427D6A6B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F42D76E70F8A-C8B9-93F4-67FC-DB0103CA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}08F0C13AB4A6-45A8-3F84-7656-D86F438E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5D51041F7027-562B-7914-2E10-278B1D74{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}449615D3937F-C0DB-B544-0909-11CD4DF6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1FB9EDF9E21E-C74A-6CB4-5F14-F1B6E15C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B9BC96B87FDF-6A09-ECF4-1259-3505CE15{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FFD2A899A5C6-F57B-7F74-E61E-7E462942{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}037ADAF9C370-901B-0F14-BF52-F8CCA1D7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}8F1D27413D38-2D0A-CC24-4BE9-EA543380{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F1CA7699B300-6488-4F94-6707-4AE90509{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}95A92D2B4957-F618-8194-D5BC-CCD38A81{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}717AC2D7BB28-947A-2B04-34A1-4E8C08A6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}43E087D632CF-603A-0D84-34BB-977E0EF9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}562D2BEE277A-1ADB-53C4-EB37-009C7577{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7B8DDA6AFE09-7368-3714-A483-18CFADFC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0D55BFAFB4BC-56F9-F414-4155-51468DD7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D69ED534FA3C-6299-0BD4-858F-AEB2C89C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}37177304C046-E7BB-7054-8091-0FD4B93F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B7AB0B079EF8-295B-5EA4-2296-584FB191{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7FED993D8A62-5F88-AA64-6C59-03CE5E32{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2E72F996B695-6DBA-61D4-CCB5-50101B88{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7D76B11B5B05-458B-4A44-0F08-958542BF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A015999313B2-33BA-3B94-9B2A-7283AD6F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5471C5941FF2-D4E8-6234-3A1E-591ABB13{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4C14A4ADBAC7-FA7B-A804-A151-B0284679{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A4700FEF4FB5-7EFB-D714-2239-6B4F6896{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0FC3D7D8D2EA-9FD8-8594-3C3E-A501FC70{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B16780BE1E04-4C88-FC54-E443-137BCE38{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B63D41BA4020-49FA-A7B4-E082-CCB4799A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C0ACF35C6BF4-878B-2E04-ACF5-6CE19ED5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}994208EA3B18-E91A-8974-87F5-89BC1CE4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}543D5AE990AB-C4AA-2CF4-1D7B-D58DEC5B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E00F3B5B6FC7-B008-1084-B49B-D6265550{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6C04B46BDFCA-975B-6E84-A4B8-81CD4F4E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}29839751156B-D1AA-DD74-05EF-B25C0888{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FABAADD16D0C-3D69-67F4-B54F-3919D86E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D5F0058F735C-E0AA-B974-12C9-7DFD1F76{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9A9B0FB8C323-E80A-59F4-DD3E-5D4207A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2D7C6ED40217-7CCA-C124-CDE3-5DCED611{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}25E1571DA126-FCAA-D274-BFCF-AACAD38E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CD18A16F5ACB-BFEB-DD14-1F34-4FD8B64B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}E9C1901FA90D-98E9-EFE4-770F-BE9AEF24{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5224B70C30C9-C489-EE14-54AC-3F90C93B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FF85F7969DD6-D46B-68B4-ED8B-9EB823A2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}66E85710784F-9B5B-A114-9AAE-54E71188{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0CD7977A74ED-A25A-D684-4092-F4869BC6{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BBED9382B9D6-159B-7E44-391B-69AA0F5F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DA734A514F4A-9348-F0F4-42CA-0261F5F4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}45B42A071315-8AA8-A164-2225-76370682{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5A392B2686E6-A3D8-5A64-5D6A-74C3F371{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C48839E2BF66-9649-4EA4-465B-5427E80E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}016927EEFD3E-FACB-1FB4-126D-39719282{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1589866D3C57-58D8-88F4-6E73-8FCFE2A7{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3577D5DF709F-3A79-89A4-5FD4-4BA9CC25{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}801E2436BD6B-1368-F1A4-A6D3-4A1E3387{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1E274DE2FB2E-9DD8-CBC4-2284-962DD1A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}66D90EF9F58F-6B4A-6C44-BD0A-7F210DFB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BA761E7FE591-38BB-C254-E6E4-E71C943E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}58B137E3BF20-6F39-EE14-3F21-510BA0D9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9754693D49C3-F31B-32C4-A8DE-8430A035{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}47BAE30EAFC0-65CA-5FD4-8B86-CB6F88D4{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0D5E93F57BDC-741A-D054-6157-EC47C3F1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4EE183858E16-312B-2AD4-E823-F11C693C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AE6D8D5370DA-F459-EEA4-0735-381AE98C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}74D078EBBBD4-14B9-23F4-E9C7-8F9C43EC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7D775742B035-D4A8-E024-4087-78265107{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}541874429B04-4108-2514-65FA-D38468AD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EFB433EF7899-8CBA-3064-E4F6-57278FEA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C1DB49908B95-D17A-B574-0693-E5C97D5F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}432C0DEE8605-7F2A-A184-B46F-326425FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}62B1AD04DD02-9279-6D24-9AA4-F8F50334{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5A414013B2E1-2CC8-AFF4-1AE1-1A185472{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}0E73B5D8517E-6D2A-C754-8B2F-0EC9B4AF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}193B04917DF1-2BA9-E874-0971-7BFE0F42{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3DD3903DA864-FF8A-A374-8F78-74647BCC{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}34EFE48431D2-8F19-B754-255A-80114CAE{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2B7D67F5F5E2-727B-5CF4-DEDA-AE1A142F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}72FBD3A7310E-A1EB-A824-63C6-5CE4F22B{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2B2E0A0A7D85-F628-DBB4-1CA1-BA5BC431{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9A4AF9FA56AB-245A-3D74-A48B-25ADE664{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}CABD43071E3E-F4DB-0544-90EF-F48ED8A0{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5925A55E3D19-8E7A-BE94-2F92-983D56A8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}539D9B505AEE-2BF9-9994-6D37-C0999CFD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EC767A8B89DE-269A-B504-8A40-75C02473{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}A1EE019D4D67-2E0B-BC94-0301-D903EE12{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DB97E7E79257-A0EB-97B4-2834-27B8AE93{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5AB3A58F3471-8AF8-7704-18D2-27A68285{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}415354A9896C-67D9-09A4-112D-9051308D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9FC55A84F843-8A59-29B4-329E-487F53A9{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F0F84E7BC3A7-822A-A684-37FD-9AF8E769{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}76B4667D049E-17C9-E944-F1A7-068E9F53{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2AF3A8D00485-389B-FA64-26CC-C13BD8E8{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C3CBA19FF441-56F9-C394-9E45-5EC2A930{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}811AB6C3D29C-565A-AA64-80C0-6A5F7F0C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}21DA9D1BE288-6349-BB14-826D-76C43D50{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C0F11F2CE603-F89A-6584-196F-76FD4AF3{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}AB75A0264E07-D06B-7414-7BC0-1C481520{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}31932AC55793-273B-2EF4-3748-AE29A027{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7D31EFB8F31E-D8DB-1AD4-5D34-18B5740A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2DB71955B501-B34A-54E4-7F42-F9ADB64E{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}EF7D5AABB1E9-096A-2A44-55D7-D58EDD8C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C70A70C65DC3-6F98-3534-F4E3-EE5210FF{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4AF5DEDFC6EC-1379-6574-CEDB-7D6BFA1A{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}39748E0EB37B-10E9-0814-DFC3-50495427{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DC42F7271C85-A25A-A0A4-8D0F-0462A9A5{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}4BF0EFEDA605-EA59-E1F4-86E4-B5B6FEB2{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}25770D36196A-D598-B444-B321-6563405D{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}DB665D7FFB9A-1348-05E4-9A83-3A2FBCFD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C1520093B073-7E6A-8764-D11A-E6978990{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}FB3C32D60EEF-CFF9-FE64-3416-C532AF06{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C9FC9820445C-7358-9504-7827-39F1E471{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2E0C71DF89F7-00DA-37C4-F45F-4C57F282{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}3C8039098D19-7E9B-E5A4-B614-FE424244{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1171C49362B2-9C9A-E4D4-8ADE-C4D0D42C{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}B30C5870465A-85B9-BD54-DD9E-1EB81E36{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}C10F0B24E7ED-4DF9-6C14-D754-E9D6AB60{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F6868D06608D-293B-B1A4-BC0C-D4D2D919{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}2115994ABE1D-E54A-4E94-E815-FF0EE188{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}F245D02FBEF9-522B-2FD4-2856-126B3B18{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}66FA624B3272-3248-4A94-4C12-29A9F5FD{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}6E25EBD9A614-5CEB-E394-CB99-ABEC6B6F{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1B0356444ED3-4529-15F4-D279-BE40CDA1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9A400E43C148-9B1B-DAA4-2B2E-E2573F81{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}35C196446AD6-FE49-E794-C04D-7F5B2970{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}5737AE073845-6DF9-2034-08C5-8E3C9578{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}BDA3B8BD6214-F759-97A4-7FFD-6CC80AEA{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}9F3A16E485F7-4938-C4A4-83C4-624A3F26{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}7C14672BB96C-FE59-1574-FB37-640B2475{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}340AA09AD91F-3DC8-A384-D3B8-86A144FB{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}D11A2B8F4740-6E4A-C704-BBC0-67980F11{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}1A422ACA93BD-8618-AEB4-60C3-D6DADFC1{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\ypomd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\nlcalik
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ypszr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\lavinraCputeS
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\owt
...

Random Runs removed from HKLM
"dmdak.exe"=-
"dmopy.exe"=-
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMMUP.EXE
* csr.exe C:\WINDOWS\System32\CSSAZ.EXE

»»»»» Misc files

»»»»» Checking for older variants covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSSAZ.EXE 51.202 2006-06-29
C:\WINDOWS\SYSTEM32\DMCRG.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMEGT.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMFHV.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMHBM.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMHWD.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMIGX.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMIRP.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMJXM.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMJXQ.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMJZH.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMLAP.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMMSP.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMMUP.EXE 44.032 2004-08-03
C:\WINDOWS\SYSTEM32\DMMXL.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMOOH.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMOPY.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMUGA.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMVDN.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMVQG.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMYWZ.EXE 44.087 2004-08-03
Other suspects
Directory of C:\WINDOWS\system32
{1CFDAD6D-3C06-4BEA-8168-DB39ACA224A1}.exe
{11F08976-0CBB-407C-A4E6-0474F8B2A11D}.exe
{5742B046-73BF-4751-95EF-C69BB27641C7}.exe
{62F3A426-4C38-4A4C-8394-7F584E61A3F9}.exe
{AEA08CC6-DFF7-4A79-957F-4126DB8B3ADB}.exe
{8759C3E8-5C80-4302-9FD6-548370EA7375}.exe
{0792B5F7-D40C-497E-94EF-6DA644691C53}.exe
{18F3752E-E2B2-4AAD-B1B9-841C34E004A9}.exe
{1ADC04EB-972D-4F51-9254-3DE4446530B1}.exe
{F6B6CEBA-99BC-493E-BEC5-416A9DBE52E6}.exe
{DF5F9A92-21C4-49A4-8423-2723B426AF66}.exe
{81B3B621-6582-4DF2-B225-9FEBF20D542F}.exe
{881EE0FF-518E-49E4-A45E-D1EBA4995112}.exe
{919D2D4D-C0CB-4A1B-B392-D80660D8686F}.exe
{06BA6D9E-457D-41C6-9FD4-DE7E42B0F01C}.exe
{63E18BE1-E9DD-45DB-9B58-A5640785C03B}.exe
{C24D0D4C-EDA8-4D4E-A9C9-2B26394C1711}.exe
{442424EF-416B-4A5E-B9E7-91D8909308C3}.exe
{282F75C4-F54F-4C73-AD00-7F98FD17C0E2}.exe
{174E1F93-7287-4059-8537-C5440289CF9C}.exe
{60FA235C-6143-46EF-9FFC-FEE06D23C3BF}.exe
{0998796E-A11D-4678-A6E7-370B3900251C}.exe
{DFCBF2A3-38A9-4E50-8431-A9BFF7D566BD}.exe
{D5043656-123B-444B-895D-A69163D07752}.exe
{2BEF6B5B-4E68-4F1E-95AE-506ADEFE0FB4}.exe
{5A9A2640-F0D8-4A0A-A52A-58C1727F24CD}.exe
{72459405-3CFD-4180-9E01-B73BE0E84793}.exe
{A1AFB6D7-BDEC-4756-9731-CE6CFDED5FA4}.exe
{FF0125EE-3E4F-4353-89F6-3CD56C07A07C}.exe
{C8DDE85D-7D55-44A2-A690-9E1BBAA5D7FE}.exe
{E46BDA9F-24F7-4E45-A43B-105B55917BD2}.exe
{A0475B81-43D5-4DA1-BD8D-E13F8BFE13D7}.exe
{720A92EA-8473-4FE2-B372-39755CA23913}.exe
{025184C1-0CB7-4147-B60D-70E4620A57BA}.exe
{3FA4DF67-F691-4856-A98F-306EC2F11F0C}.exe
{05D34C67-D628-41BB-9436-882EB1D9AD12}.exe
{C0F7F5A6-0C08-46AA-A565-C92D3C6BA118}.exe
{039A2CE5-54E9-493C-9F65-144FF91ABC3C}.exe
{8E8DB31C-CC62-46AF-B983-58400D8A3FA2}.exe
{35F9E860-7A1F-449E-9C71-E940D7664B67}.exe
{967E8FA9-DF73-486A-A228-7A3CB7E48F0F}.exe
{9A35F784-E923-4B92-95A8-348F48A55CF9}.exe
{D8031509-D211-4A90-9D76-C6989A453514}.exe
{58286A72-2D81-4077-8FA8-1743F85A3BA5}.exe
{39EA8B72-4382-4B79-BE0A-75297E7E79BD}.exe
{21EE309D-1030-49CB-B0E2-76D4D910EE1A}.exe
{37420C57-04A8-405B-A962-ED98B8A767CE}.exe
{DFC9990C-73D6-4999-9FB2-EEA505B9D935}.exe
{8A65D389-29F2-49EB-A7E8-91D3E55A5295}.exe
{0A8DE84F-FE09-4450-BD4F-E3E17034DBAC}.exe
{466EDA52-B84A-47D3-A542-BA65AF9FA4A9}.exe
{134CB5AB-1AC1-4BBD-826F-58D7A0A0E2B2}.exe
{B22F4EC5-6C36-428A-BE1A-E0137A3DBF27}.exe
{F241A1EA-ADED-4FC5-B727-2E5F5F76D7B2}.exe
{EAC41108-A552-457B-91F8-2D13484EFE43}.exe
{CCB74647-87F8-473A-A8FF-468AD3093DD3}.exe
{24F0EFB7-1790-478E-9AB2-1FD71940B391}.exe
{FA4B9CE0-F2B8-457C-A2D6-E7158D5B37E0}.exe
{274581A1-1EA1-4FFA-8CC2-1E2B310414A5}.exe
{43305F8F-4AA9-42D6-9729-20DD40DA1B26}.exe
{FF524623-F64B-481A-A2F7-5068EED0C234}.exe
{F5D79C5E-3960-475B-A71D-59B80994BD1C}.exe
{AEF87275-6F4E-4603-ABC8-9987FE334BFE}.exe
{DA86483D-AF56-4152-8014-40B924478145}.exe
{70156287-7804-420E-8A4D-530B247577D7}.exe
{CE34C9F8-7C9E-4F32-9B41-4DBBBE870D47}.exe
{C89EA183-5370-4AEE-954F-AD0735D8D6EA}.exe
{C396C11F-328E-4DA2-B213-61E858381EE4}.exe
{1F3C74CE-7516-450D-A147-CDB75F39E5D0}.exe
{4D88F6BC-68B8-4DF5-AC56-0CFAE03EAB74}.exe
{530A0348-ED8A-4C23-B13F-3C94D3964579}.exe
{9D0AB015-12F3-41EE-93F6-02FB3E731B85}.exe
{E349C17E-4E6E-452C-BB83-195EF7E167AB}.exe
{BFD012F7-A0DB-44C6-A4B6-F85F9FE09D66}.exe
{5A1DD269-4822-4CBC-8DD9-E2BF2ED472E1}.exe
{7833E1A4-3D6A-4A1F-8631-B6DB6342E108}.exe
{52CC9AB4-4DF5-4A98-97A3-F907FD5D7753}.exe
{7A2EFCF8-37E6-4F88-8D85-75C3D6689851}.exe
{28291793-D621-4BF1-BCAF-E3DFEE729610}.exe
{E08E7245-B564-4AE4-9469-66FB2E93884C}.exe
{173F3C47-A6D5-46A5-8D3A-6E6862B293A5}.exe
{28607367-5222-461A-8AA8-513170A24B54}.exe
{4F5F1620-AC24-4F0F-8439-A4F415A437AD}.exe
{F5F0AA96-B193-44E7-B951-6D9B2839DEBB}.exe
{6CB9684F-2904-486D-A52A-DE47A7797DC0}.exe
{88117E45-EAA9-411A-B5B9-F48701758E66}.exe
{2A328BE9-B8DE-4B86-B64D-6DD9697F58FF}.exe
{B39C09F3-CA45-41EE-984C-9C03C07B4225}.exe
{42FEA9EB-F077-4EFE-9E89-D09AF1091C9E}.exe
{B46B8DF4-43F1-41DD-BEFB-BCA5F61A81DC}.exe
{E83DACAA-FCFB-472D-AACF-621AD1751E52}.exe
{116DECD5-3EDC-421C-ACC7-71204DE6C7D2}.exe
{0A7024D5-E3DD-4F95-A08E-323C8BF0B9A9}.exe
{67F1DFD7-9C21-479B-AA0E-C537F8500F5D}.exe
{E68D9193-F45B-4F76-96D3-C0D61DDAABAF}.exe
{8880C52B-FE50-47DD-AA1D-B65115793892}.exe
{E4F4DC18-8B4A-48E6-B579-ACFDB64B40C6}.exe
{0555626D-B94B-4801-800B-7CF6B5B3F00E}.exe
{B5CED85D-B7D1-4FC2-AA4C-BA099EA5D345}.exe
{4EC1CB98-5F78-4798-A19E-81B3AE802499}.exe
{5DE91EC6-5FCA-40E2-B878-4FB6C53FCA0C}.exe
{A9974BCC-280E-4B7A-AF94-0204AB14D36B}.exe
{83ECB731-344E-45CF-88C4-40E1EB08761B}.exe
{07CF105A-E3C3-4958-8DF9-AE2D8D7D3CF0}.exe
{6986F4B6-9322-417D-BFE7-5BF4FEF0074A}.exe
{9764820B-151A-408A-B7AF-7CABDA4A41C4}.exe
{31BBA195-E1A3-4326-8E4D-2FF1495C1745}.exe
{F6DA3827-A2B9-49B3-AB33-2B313999510A}.exe
{FB245859-80F0-44A4-B854-50B5B11B67D7}.exe
{88B10105-5BCC-4D16-ABD6-596B699F27E2}.exe
{23E5EC30-95C6-46AA-88F5-26A8D399DEF7}.exe
{191BF485-6922-4AE5-B592-8FE970B0BA7B}.exe
{F39B4DF0-1908-4507-BB7E-640C40377173}.exe
{C98C2BEA-F858-4DB0-9926-C3AF435DE96D}.exe
{7DD86415-5514-414F-9F65-CB4BFAFB55D0}.exe
{CFDAFC81-384A-4173-8637-90EFA6ADD8B7}.exe
{7757C900-73BE-4C35-BDA1-A772EEB2D265}.exe
{9FE0E779-BB43-48D0-A306-FC236D780E34}.exe
{6A80C8E4-1A43-40B2-A749-82BB7D2CA717}.exe
{18A83DCC-CB5D-4918-816F-7594B2D29A59}.exe
{90509EA4-7076-49F4-8846-003B9967AC1F}.exe
{083345AE-9EB4-42CC-A0D2-83D31472D1F8}.exe
{7D1ACC8F-25FB-41F0-B109-073C9FADA730}.exe
{249264E7-E16E-47F7-B75F-6C5A998A2DFF}.exe
{51EC5053-9521-4FCE-90A6-FDF78B69CB9B}.exe
{C51E6B1F-41F5-4BC6-A47C-E12E9FDE9BF1}.exe
{6FD4DC11-9090-445B-BD0C-F7393D516944}.exe
{47D1B872-01E2-4197-B265-7207F14015D5}.exe
{E834F68D-6567-48F3-8A54-6A4BA31C0F80}.exe
{AC3010BD-CF76-4F39-9B8C-A8F07E67D24F}.exe
{B6A6D724-4114-472B-9D14-C5BF0B3008BC}.exe
{1F52460D-8025-4D69-BAE5-558809364827}.exe
{4BA74084-2588-4790-A7A6-06AB2D455F39}.exe
{567EB3C0-3C6E-47C9-B59B-014D629AD6C6}.exe
{2C86FA22-86E7-4BE8-A741-5B8016CD0F4D}.exe
{1F411089-8C25-4B73-8EC2-C4A8033F8116}.exe
{B7C2BAAD-D88F-439F-9EBF-C0939728396D}.exe
{2A972D07-921C-4DAD-A0C7-8543F91442E1}.exe
{A3E3D891-179E-4F63-A7B8-278F33097DD8}.exe
{259A98D5-4177-4E84-83EB-EE3832F83B3E}.exe
{C293FACD-1BD8-4D2B-9F5C-FBF8094EC0FB}.exe
{B83D0686-45CE-4F6B-A582-9BF005FFB6FE}.exe
{37C36CBE-5AEA-4A02-BE31-7B23EF70EA2F}.exe
{8A372E1E-A208-4BD4-A9DB-C957702880F1}.exe
{6D80E23D-F4CA-4B39-9F5D-94E94BF51061}.exe
{FBE0A0E9-9640-4C0E-9157-CD85753D305F}.exe
{6F742A26-6E20-4987-A139-27C42B9E8832}.exe
{5E345007-3ADD-4E53-B589-AF3606060DDA}.exe
{0B32ECDF-F67D-41E1-9800-ACDBA51B9010}.exe
{CFB5E54F-5F93-4DF4-9375-523526C275E5}.exe
{12A5A237-E3A1-4176-ADBB-2FAC9BCB3F98}.exe
{A656A47E-43CC-42AB-99D4-2B27FA95EB5B}.exe
{BE9D19A5-12E3-4419-9351-7A98C511FE26}.exe
{6837266A-1445-4E75-83A0-3E36AE4A14D0}.exe
{96E1B7B3-4C0B-48C9-BC31-A69B23CFC64B}.exe
{FD73662A-B947-4983-BBDA-C2BFFD29112E}.exe
{FE140EB7-EA5F-48EA-9428-35D34DD295EA}.exe
{DBF47ADA-4632-4DE1-9B91-B3BDB02C45E6}.exe
{337BCECA-7BA3-42B8-9E58-34EA5581868A}.exe
{3B5AE862-9266-40F4-A07B-4F3C9079E974}.exe
{F1242303-7148-48B2-B5C2-14F26B261811}.exe
{5B660F50-ED6C-471D-B567-E14773C93499}.exe
{E8B6097E-13F8-4E1E-A24B-A2D7D623D061}.exe
{8DAE0721-71A7-436D-86E9-D7110A119F6A}.exe
{69746834-DB57-4B6C-BA33-B8F43E6C084B}.exe
{3BEDCF04-AC5E-44FA-A1F2-AAD2B39AD073}.exe
{561B3279-B14C-40B6-854A-3FCA691E9337}.exe
{018D0D11-792F-4EBD-AC56-C7D75E113A6E}.exe
Marcelo Almeida
Regular Member
 
Posts: 34
Joined: July 4th, 2006, 2:35 am

Unread postby Marcelo Almeida » July 11th, 2006, 8:12 pm

Ok. I'll follow your instructions to clean up my system. I'll be posting the results soon.

Thank you.

Marcelo Almeida dos Reis.

Unread postby Marcelo Almeida » July 11th, 2006, 9:00 pm

New HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 21:47:48, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Arquivos de programas\Ares\Ares.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marcelo Almeida\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\system32\tuvsq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Arquivos de programas\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1279004646
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tuvsq - C:\WINDOWS\system32\tuvsq.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Serviço SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: Spooler de impressão (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

Unread postby Marcelo Almeida » July 11th, 2006, 9:42 pm

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
...

Random Runs removed from HKLM
...

PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\DMMUP.EXE
* csr.exe C:\WINDOWS\System32\CSSAZ.EXE

»»»»» Misc files

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSSAZ.EXE 51.202 2006-06-29
C:\WINDOWS\SYSTEM32\DMCRG.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMEGT.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMFHV.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMHBM.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMHWD.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMIGX.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMIRP.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMJXM.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMJXQ.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMJZH.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMLAP.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMMSP.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMMUP.EXE 44.032 2004-08-03
C:\WINDOWS\SYSTEM32\DMMXL.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMOOH.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMOPY.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMUGA.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMVDN.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMVQG.EXE 44.087 2004-08-03
C:\WINDOWS\SYSTEM32\DMYWZ.EXE 44.087 2004-08-03
Other suspects
Directory of C:\WINDOWS\system32
{F3269BA4-049B-496C-AC50-84552A41E30B}.exe
{FF4A2679-980F-441E-8599-D30B0CF654B8}.exe
{E8191744-E551-4495-9945-D94E6C73C7B0}.exe
{A1590BD0-8A62-4C48-9CBA-7EAE98F13F0B}.exe
{66181247-27A4-4A54-9AD1-DB24962C4B49}.exe

Unread postby Trogan » July 12th, 2006, 3:12 am

Thanks for the logs! Can you do the following...

Please download Killbox and save it to your desktop.

Next, copy everything in the Quote box below by pressing Ctrl+C
C:\WINDOWS\SYSTEM32\CSSAZ.EXE
C:\WINDOWS\SYSTEM32\DMMUP.EXE
C:\WINDOWS\SYSTEM32\DMCRG.EXE
C:\WINDOWS\SYSTEM32\DMEGT.EXE
C:\WINDOWS\SYSTEM32\DMFHV.EXE
C:\WINDOWS\SYSTEM32\DMHBM.EXE
C:\WINDOWS\SYSTEM32\DMHWD.EXE
C:\WINDOWS\SYSTEM32\DMIGX.EXE
C:\WINDOWS\SYSTEM32\DMIRP.EXE
C:\WINDOWS\SYSTEM32\DMJXM.EXE
C:\WINDOWS\SYSTEM32\DMJXQ.EXE
C:\WINDOWS\SYSTEM32\DMJZH.EXE
C:\WINDOWS\SYSTEM32\DMLAP.EXE
C:\WINDOWS\SYSTEM32\DMMSP.EXE
C:\WINDOWS\SYSTEM32\DMMXL.EXE
C:\WINDOWS\SYSTEM32\DMOOH.EXE
C:\WINDOWS\SYSTEM32\DMOPY.EXE
C:\WINDOWS\SYSTEM32\DMUGA.EXE
C:\WINDOWS\SYSTEM32\DMVDN.EXE
C:\WINDOWS\SYSTEM32\DMVQG.EXE
C:\WINDOWS\SYSTEM32\DMYWZ.EXE
C:\WINDOWS\system32\{F3269BA4-049B-496C-AC50-84552A41E30B}.exe
C:\WINDOWS\system32\{FF4A2679-980F-441E-8599-D30B0CF654B8}.exe
C:\WINDOWS\system32\{E8191744-E551-4495-9945-D94E6C73C7B0}.exe
C:\WINDOWS\system32\{A1590BD0-8A62-4C48-9CBA-7EAE98F13F0B}.exe
C:\WINDOWS\system32\{66181247-27A4-4A54-9AD1-DB24962C4B49}.exe

Next, open Killbox
Go to the File tab and select Paste from Clipboard
Select the Delete on Reboot option
Select All Files
Now click on the Red Circle with the White X
Press Yes to reboot your computer.

Continue below

Delete the current VundoFix file you have as there is a newer version out, and then do the following...

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
=====

Go to Start > Control Panel > Internet Options.
Under the General tab click the Delete Files... button; check the Delete all offline content box and press OK. Next, click the Delete Cookies... button and press OK.

Go to "Start" -> "Run" and type in the box: "cleanmgr" press OK. Select the drive where your Operating System is installed (Default is C:) and press OK. Let Disk Cleanup scan your system for files to remove (it takes a few minutes!). On the next screen make sure these 3 options are checked and then press "OK" to remove:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin
=====

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
      Note: If the Update now option is grayed out, follow the steps below.
      • Click on Update on the toolbar.
      • Under Manual update, click on the Start Update button.
      • Wait until you see the Update successful message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Once in Safe Mode:

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
Reboot back into Normal Mode. Post the following...

New HJT log
Ewido log
Contents of C:\vundofix.txt
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Marcelo Almeida » July 12th, 2006, 7:15 pm

Ok. Let's see the results. Well, after scanning with the Vundo nothing infected was found. But here is the log file:

VundoFix V5.0.0

Checking Java version...

Sun Java not detected
Scan started at 12:40:49 7/7/2006

Listing files found while scanning....

VundoFix V5.0.0

Checking Java version...

Sun Java not detected
Scan started at 15:18:53 7/7/2006

Listing files found while scanning....


VundoFix V5.1.1

Checking Java version...

Sun Java not detected
Scan started at 00:27:50 12/7/2006

Listing files found while scanning....

C:\windows\system32\awtur.dll

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\awtur.dll
C:\windows\system32\awtur.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V5.1.1

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 12:22:25 7/12/aaaa

Listing files found while scanning....

No infected files were found.


Beginning removal...
----------------------------------------

Now let me talk about the Ewido Scan:

First, in the beginning I couldn't scan in safe mode, because after the login the screen went totally black. Nothing appeared but the words 'safe mode' in the corners of the screen. I waited for several minutes and tried about 3 times. Then, I decided to scan in normal mode (whether it is useful or not I don't know, but I did it anyway), but when the scan finished and I pressed 'apply all actions', my PC got stuck (froze). The program was showing some infected files, including 6 Trojan Horses which were apparently 'fixed' when I hit the button. As a result, I couldn't save the logfile and had to reboot.

However, when the computer was rebooting, I decided to give it a try again and the safe mode worked. I saved the logfile but I saw no Trojan Horses this time. Anyway, here goes the Ewido logfile:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 19:33:09 12/7/2006

+ Scan result:



C:\!KillBox\{F3269BA4-049B-496C-AC50-84552A41E30B}.exe -> Adware.Casino : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Configurações locais\Temp\pts33.tmp -> Adware.Casino : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Configurações locais\Temp\pts34.tmp -> Adware.Casino : Cleaned with backup (quarantined).
C:\!KillBox\{FF4A2679-980F-441E-8599-D30B0CF654B8}.exe -> Adware.Raze : Cleaned with backup (quarantined).
C:\Arquivos de programas\Save -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Arquivos de programas\Save\Save.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Arquivos de programas\Save\SaveUninst.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Arquivos de programas\Save\ffext.mod -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Arquivos de programas\Save\save.db -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Arquivos de programas\Save\save.htm -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Arquivos de programas\Save\store.db -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Menu Iniciar\Programas\WhenU -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Menu Iniciar\Programas\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Menu Iniciar\Programas\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Menu Iniciar\Programas\WhenU\Uninstall.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Menu Iniciar\Programas\WhenU\WhenU Help Desk.lnk -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Menu Iniciar\Programas\WhenU\WhenU.com Website.url -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\WUSN.1 -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SaveNow -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave\Partners -> Adware.SaveNow : Cleaned with backup (quarantined).
HKLM\SOFTWARE\WhenUSave\Partners\WUSV -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\VundoFix Backups\awtur.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Configurações locais\Temp\Cookies\marcelo almeida@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Cookies\marcelo almeida@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Marcelo Almeida\Cookies\marcelo almeida@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).


::Report end
----------------------------------------------

Finally, the fresh HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 20:10:25, on 12/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marcelo Almeida\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\system32\tuvsq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Arquivos de programas\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1279004646
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tuvsq - C:\WINDOWS\system32\tuvsq.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: Serviço SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: Spooler de impressão (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

I'll be waiting for further instructions. Thanks!

Marcelo Almeida dos Reis.

Unread postby Trogan » July 13th, 2006, 2:32 pm

Hi Marcelo,

Can you download ComboFix from here. Save it to your desktop BUT don't do anything with it!

Go to Start > Run > copy and paste "%userprofile%\desktop\combofix.exe" /v tuvsq

Click "OK" to exit, then reboot the system.

Once rebooted, post a new HijackThis log please. :)

Unread postby Marcelo Almeida » July 13th, 2006, 5:13 pm

I copied and pasted everything. But, when I hit 'OK' to exit the 'Run' box, ComboFix opened but I didn't use it. (I felt oddly compelled though :P)

Here is the HijackThis logfile:

Logfile of HijackThis v1.99.1
Scan saved at 18:08:51, on 13/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe
C:\Arquivos de programas\Ares\Ares.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Marcelo Almeida\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\system32\tuvsq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Arquivos de programas\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [updateMgr] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1279004646
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: tuvsq - C:\WINDOWS\system32\tuvsq.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: Serviço SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: Spooler de impressão (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

Unread postby Trogan » July 14th, 2006, 4:21 am

Hi Marcelo,

Delete any VundoFix files you have now and then continue below.

Please download VundoFix.exe to your desktop.
    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click Scan for Vundo button.
    * Once the scan is complete, Right Click inside the listbox (white box) and click Add more file?
    * Copy & Paste the 2 entries below into the top 2 boxes

    o C:\WINDOWS\system32\tuvsq.dll
    o C:\WINDOWS\system32\qsvut.*

    * Click Add Files and click Close Window
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Marcelo Almeida » July 14th, 2006, 11:59 am

VundoFix logfile:

VundoFix V5.1.3

Running as SYSTEM
from c:\windows\system32\VundoFix.exe

Checking Java version...

Sun Java not detected
Scan started at 12:39:15 7/14/aaaa

Listing files found while scanning....

C:\windows\system32\tuvsq.dll
C:\windows\system32\qsvut.ini
C:\windows\system32\qsvut.bak1
C:\windows\system32\qsvut.bak2
C:\windows\system32\qsvut.ini2
C:\windows\system32\qsvut.tmp

Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\windows\system32\tuvsq.dll
C:\windows\system32\tuvsq.dll Has been deleted!

Attempting to delete C:\windows\system32\qsvut.ini
C:\windows\system32\qsvut.ini Has been deleted!

Attempting to delete C:\windows\system32\qsvut.bak1
C:\windows\system32\qsvut.bak1 Has been deleted!

Attempting to delete C:\windows\system32\qsvut.bak2
C:\windows\system32\qsvut.bak2 Has been deleted!

Attempting to delete C:\windows\system32\qsvut.ini2
C:\windows\system32\qsvut.ini2 Has been deleted!

Attempting to delete C:\windows\system32\qsvut.tmp
C:\windows\system32\qsvut.tmp Has been deleted!

Performing Repairs to the registry.
Done!
------------------------------------------------------------

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:56:16, on 14/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe
C:\Arquivos de programas\Ares\Ares.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Marcelo Almeida\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\system32\tuvsq.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Arquivos de programas\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [updateMgr] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1279004646
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: Serviço SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: Spooler de impressão (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
Marcelo Almeida
Regular Member
 
Posts: 34
Joined: July 4th, 2006, 2:35 am

Unread postby Trogan » July 14th, 2006, 8:18 pm

Hi Marcelo! Can you do the following....

Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)

O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\system32\tuvsq.dll (file missing)

- Close ALL open windows (especially Internet Explorer!)
Click Fix Checked

=====

I would like to see another log from HijackThis.
  • Run Hijackthis.
  • Click on Open the Misc Tools section.
  • Next click on Open uninstall manager.
  • Press the Save list button. It will open a Notepad file.
  • Copy & Paste the entire contents of that file in your next post.

=====

I don't see any indication of a Firewall in your HijackThis log. If you don't have one, please download one of these Free Firewalls

Zone Alarm << I recommend this
Sunbelt Kerio PF

=====

Please post a new HijackThis log, along with the Uninstall manager log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London
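The two posts above work from the HijackThis log by hand: the O20 Winlogon Notify DLL and the O2 BHO both point at the same system32 file, the companion files were added to VundoFix with the reversed name (tuvsq -> qsvut.*), and after deletion the orphaned "(file missing)" BHO entry is removed with Fix checked. This added example (not VundoFix or HijackThis code, and not from anyone in this thread) automates that triage over a constructed sample of log lines modelled on the ones posted here; the reversed-name companion glob is only a hypothesis for the analyst to check on disk.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: HijackThis 1.99.1 lines modelled on the ones posted in
# this thread (the Vundo BHO/Winlogon Notify pair plus two service entries).
SAMPLE_LOG = r"""
O2 - BHO: DPCUpdater Object - {61C07AF3-01A3-4B85-ADB2-4EFD04E1286C} - C:\WINDOWS\system32\tuvsq.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O20 - Winlogon Notify: tuvsq - C:\WINDOWS\system32\tuvsq.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
"""

ENTRY_RE = re.compile(r"^([FOR]\d+) - (.*)$")
MISSING = "(file missing)"


def parse_hjt(text: str) -> List[Dict[str, object]]:
    """Split a HijackThis log into entries: section tag, body, file path, missing flag.

    The path is taken as the last ' - ' separated field; HijackThis appends
    '(file missing)' when the referenced file no longer exists on disk.
    Header lines and the running-process list carry no 'Oxx - ' tag and are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        missing = body.endswith(MISSING)
        tail = body[: -len(MISSING)].strip() if missing else body
        path = tail.rsplit(" - ", 1)[-1].strip().strip('"')
        entries.append({"section": section, "body": body,
                        "path": path, "missing": missing})
    return entries


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(entries: List[Dict[str, object]]) -> Dict[str, object]:
    """Correlate entries the way the helper did in this thread.

    shared:     DLL basenames referenced from more than one section (the O2 BHO +
                O20 Winlogon Notify pair is the pattern seen with tuvsq.dll).
    companions: for each O20 DLL, the reversed-name glob that was added to
                VundoFix by hand in this thread (tuvsq.dll -> qsvut.*); a
                hypothesis to verify on disk, not proof of anything.
    missing:    orphaned '(file missing)' entries that still need Fix checked.
    """
    by_dll = defaultdict(list)
    for e in entries:
        if str(e["path"]).lower().endswith(".dll"):
            by_dll[basename(str(e["path"]))].append(e["section"])
    shared = {dll: sorted(set(secs), key=lambda s: int(s[1:]))
              for dll, secs in by_dll.items() if len(set(secs)) > 1}
    companions = {}
    for e in entries:
        if e["section"] == "O20":
            name = basename(str(e["path"]))
            companions[name] = name.rsplit(".", 1)[0][::-1] + ".*"
    missing = [e for e in entries if e["missing"]]
    return {"shared": shared, "companions": companions, "missing": missing}


if __name__ == "__main__":
    report = triage(parse_hjt(SAMPLE_LOG))
    for dll, sections in report["shared"].items():
        print(f"{dll}: referenced from {', '.join(sections)}")
    for dll, glob in report["companions"].items():
        print(f"{dll}: check for companion files {glob}")
    for e in report["missing"]:
        print(f"orphaned {e['section']} entry: {e['path']}")
```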

Unread postby Marcelo Almeida » July 14th, 2006, 10:18 pm

Uninstall_list:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Só remoção)
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8 - Português
Adobe® Photoshop® Album Starter Edition 3.0
Ares 1.8.1
Arquivo do WinRAR
BitLord 1.1
CM4 Beta Demo
Crack do MS Office XP (port. Brasil)
ewido anti-spyware 4.0
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Informações Velox
LightDialer 3.0
LightModem 3.0
Macromedia Flash Player 8
Microsoft Office XP Professional com FrontPage
MSN Messenger 7.5
NAVY FIELD
PCI Audio Driver
Spybot - Search & Destroy 1.4
Spyware Doctor 3.8
Viewpoint Media Player
WinZip
ZoneAlarm

-----------------------------------------------------------------

HijackThis Logfile:

Logfile of HijackThis v1.99.1
Scan saved at 23:15:29, on 14/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe
C:\Arquivos de programas\Ares\Ares.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Marcelo Almeida\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Arquivos de programas\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1279004646
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: Serviço SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: Spooler de impressão (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


I didn't have a firewall because the virus somehow disabled it and I couldn't make it work again. I downloaded the one you suggested.
Marcelo Almeida
Regular Member
 
Posts: 34
Joined: July 4th, 2006, 2:35 am

Unread postby Trogan » July 15th, 2006, 2:49 am

Marcelo,

Uninstall Crack do MS Office XP (port. Brasil) from Add/Remove programs please.

AVG has somehow been removed from your computer. It is vital that you redownload and install it now. Run a full system scan, and make a note of any file that could not be deleted.

Post a new HijackThis log, and a new uninstall manager list log.
Trogan
MRU Teacher Emeritus
 
Posts: 2291
Joined: November 26th, 2005, 9:31 am
Location: London

Unread postby Marcelo Almeida » July 15th, 2006, 12:37 pm

Ok. Here I go:

1- Crack uninstalled.

2- I downloaded the Firewall you suggested, but it somehow disabled not only the AVG, but also the programs ARES and MSN. So, as I didn't know how to configure things, I uninstalled it. What should I do now?

3- I downloaded AVG again and ran a full system scan but nothing was found. BUT, right after that I went to bed and when I woke up... guess what?! There were 3 viruses (Trojan Horses) in the virus vault: Clicker-FR, Generic. XKS and PSW.Generic2.BKS. I ran a full scan again, but nothing was found. That's strange.

Ah, they are all located at: C:\System Volume Information\_restore

Well, here are the logfiles:

Ad-Aware SE Personal
Adobe Download Manager 2.0 (Só remoção)
Adobe Reader 7.0.5 Language Support
Adobe Reader 7.0.8 - Português
Adobe® Photoshop® Album Starter Edition 3.0
Ares 1.8.1
Arquivo do WinRAR
AVG Free Edition
BitLord 1.1
CM4 Beta Demo
ewido anti-spyware 4.0
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Informações Velox
LightDialer 3.0
LightModem 3.0
Macromedia Flash Player 8
Microsoft Office XP Professional com FrontPage
MSN Messenger 7.5
NAVY FIELD
PCI Audio Driver
Spybot - Search & Destroy 1.4
Spyware Doctor 3.8
Viewpoint Media Player
WinZip

---------------------------
HT logfile:

Logfile of HijackThis v1.99.1
Scan saved at 13:17:19, on 15/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Arquivos de programas\Grisoft\AVG Free\avgcc.exe
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Grisoft\AVG Free\avgwb.dat
C:\Documents and Settings\Marcelo Almeida\Desktop\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar1.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Arquivos de programas\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!ewido] "C:\Arquivos de programas\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ares] "C:\Arquivos de programas\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Arquivos de programas\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Arquivos de programas\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Arquivos de programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\arquivos de programas\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 1279004646
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnme ... loader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARQUIV~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Arquivos de programas\ewido anti-spyware 4.0\guard.exe
O23 - Service: Serviço SNMP (SNMP) - Unknown owner - C:\WINDOWS\System32\snmp.exe (file missing)
O23 - Service: Spooler de impressão (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)

Marcelo Almeida
Regular Member
 
Posts: 34
Joined: July 4th, 2006, 2:35 am

Unread postby Marcelo Almeida » July 15th, 2006, 4:31 pm

I forgot to say that the viruses were healed (with those blue exclamation marks next to them).
Marcelo Almeida
Regular Member
 
Posts: 34
Joined: July 4th, 2006, 2:35 am