Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

coolwebsearch spyware

Re: coolwebsearch spyware

Post by dvegas » June 6th, 2008, 12:01 pm

Let's see...

ComboFix 08-06-05.3 - Proprietário 2008-06-06 15:14:27.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.2070.18.677 [GMT 1:00]
Executando de: C:\Documents and Settings\Proprietário\Ambiente de trabalho\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((( Ficheiros criados de 2008-05-06 to 2008-06-06 ))))))))))))))))))))))))))))))))
.

2008-06-06 15:13 . 2008-06-06 15:13 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-06 12:14 . 2008-06-06 12:18 <DIR> d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-06-06 12:14 . 2008-06-06 12:14 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Malwarebytes
2008-06-06 12:14 . 2008-06-06 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 12:14 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-06 12:14 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 01:10 . 2008-06-06 01:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 01:10 . 2008-06-06 01:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-05 23:31 . 2008-06-05 23:31 <DIR> d-------- C:\Nova pasta
2008-06-05 23:10 . 2008-06-05 23:10 <DIR> d-------- C:\Programas\Sun
2008-06-05 23:10 . 2008-06-05 23:10 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definiþ§es locais
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\Documents and Settings\Proprietßrio
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\Documents and Settings\NetworkService\Definiþ§es locais
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\Documents and Settings\LocalService\Definiþ§es locais
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\Documents and Settings\Administrador\Definiþ§es locais
2008-06-02 14:28 . 2008-06-02 14:28 24,576 --a------ C:\WINDOWS\sistem.exe
2008-06-02 14:28 . 2008-06-02 14:28 22,528 --a------ C:\WINDOWS\ctrlpan.dll
2008-06-01 04:23 . 2008-06-01 04:23 21,504 --a------ C:\WINDOWS\editpad.exe
2008-06-01 04:23 . 2008-06-02 01:29 21,248 --a------ C:\WINDOWS\rundll16.exe
2008-06-01 04:23 . 2008-06-01 04:23 19,712 --a------ C:\WINDOWS\quicken.exe
2008-06-01 04:23 . 2008-06-01 04:23 11,776 --a------ C:\WINDOWS\msconfd.dll
2008-06-01 04:03 . 2008-06-05 23:04 <DIR> d-------- C:\Programas\Spyware Doctor
2008-05-31 23:40 . 2008-06-05 23:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-31 22:56 . 2008-06-02 01:29 15,104 --a------ C:\WINDOWS\qttasks.exe
2008-05-31 22:55 . 2008-05-31 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-31 21:26 . 2008-05-31 21:27 <DIR> d-------- C:\Programas\Internet Explorer 7
2008-05-31 21:10 . 2006-03-02 13:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-05-31 21:08 . 2006-03-02 13:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-31 21:07 . 2006-03-02 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-31 21:07 . 2003-03-24 15:52 188,480 --a--c--- C:\WINDOWS\system32\dllcache\cfgwiz.exe
2008-05-31 21:07 . 2004-05-13 00:39 184,435 --a--c--- C:\WINDOWS\system32\dllcache\fp4amsft.dll
2008-05-31 21:07 . 2003-03-24 15:52 147,513 --a--c--- C:\WINDOWS\system32\dllcache\fp4apws.dll
2008-05-31 21:07 . 2003-03-24 15:52 82,035 --a--c--- C:\WINDOWS\system32\dllcache\fp4anscp.dll
2008-05-31 21:07 . 2003-03-24 15:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\author.dll
2008-05-31 21:07 . 2003-03-24 15:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
2008-05-31 21:07 . 2003-03-24 15:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\author.exe
2008-05-31 21:07 . 2003-03-24 15:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\admin.exe
2008-05-31 21:06 . 2008-05-31 21:06 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-31 21:06 . 2008-05-31 21:06 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-31 21:06 . 2008-05-31 21:06 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-31 21:06 . 2008-05-31 21:06 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-31 21:06 . 2008-05-31 21:06 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-31 21:01 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-05-31 21:01 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-05-31 21:01 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-05-31 21:01 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-05-31 19:28 . 2008-05-31 19:28 <DIR> d-------- C:\Programas\Yahoo!
2008-05-31 19:19 . 2008-05-31 19:19 26,624 --a------ C:\WINDOWS\helpcvs.exe
2008-05-31 04:04 . 2008-05-31 04:04 16,384 --a------ C:\WINDOWS\ctfmon32.exe
2008-05-30 23:54 . 2008-05-30 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 02:45 . 2008-05-30 02:45 9,984 --a------ C:\WINDOWS\xplugin.dll
2008-05-30 02:21 . 2008-05-30 02:21 15,616 --a------ C:\WINDOWS\cpan.dll
2008-05-30 02:21 . 2008-05-30 02:21 11,008 --a------ C:\WINDOWS\astctl32.ocx
2008-05-30 00:02 . 2008-05-30 00:11 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-29 23:45 . 2008-05-30 00:12 <DIR> d-------- C:\Programas\BitDefender
2008-05-29 23:42 . 2008-05-29 23:54 <DIR> d-------- C:\WINDOWS\system32\zA
2008-05-29 23:42 . 2008-05-31 00:11 <DIR> d-------- C:\WINDOWS\system32\vntiho06
2008-05-29 23:42 . 2008-05-30 00:01 <DIR> d-------- C:\WINDOWS\system32\bIP
2008-05-29 23:42 . 2008-06-05 22:26 <DIR> d-------- C:\Temp
2008-05-29 23:42 . 2008-05-31 00:43 <DIR> d-------- C:\Programas\uTorrent
2008-05-29 23:42 . 2008-05-31 00:43 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\uTorrent
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> dr------- C:\Documents and Settings\LocalService\Favoritos
2008-05-29 23:41 . 2008-05-29 23:41 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-29 23:34 . 2008-05-29 23:45 <DIR> d-------- C:\Programas\Ficheiros comuns\BitDefender
2008-05-29 22:55 . 2008-05-30 00:55 774 --ahs---- C:\WINDOWS\system32\dnprjbij.ini
2008-05-29 14:30 . 2008-05-29 14:30 <DIR> dr-h----- C:\MSOCache
2008-05-29 00:59 . 2008-05-30 15:02 613 --a------ C:\WINDOWS\wininit.ini
2008-05-28 23:33 . 2008-05-28 23:39 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\AVGTOOLBAR
2008-05-28 23:31 . 2008-05-29 00:12 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-05-28 23:22 . 2008-06-02 01:27 <DIR> d-------- C:\Programas\Spybot - Search & Destroy
2008-05-28 23:22 . 2008-06-02 02:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 18:59 . 2008-05-28 18:59 <DIR> dr-h----- C:\Documents and Settings\Proprietário\Application Data\SecuROM
2008-05-28 14:49 . 2008-05-28 14:49 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe
2008-05-27 19:12 . 2008-05-27 19:12 <DIR> d-------- C:\Programas\Apple Software Update
2008-05-27 19:12 . 2008-05-27 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-27 19:08 . 2008-05-27 19:13 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Apple Computer
2008-05-27 18:45 . 2008-05-27 18:45 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\skypePM
2008-05-27 18:45 . 2008-05-27 18:45 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-27 18:41 . 2008-05-27 18:41 <DIR> d-------- C:\Programas\Ficheiros comuns\Skype
2008-05-27 18:41 . 2008-05-27 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-27 18:25 . 2008-05-27 18:25 379 --a------ C:\WINDOWS\ODBC.INI
2008-05-27 18:24 . 2008-05-27 18:24 <DIR> d-------- C:\Programas\Microsoft.NET
2008-05-27 18:24 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-05-27 18:23 . 2008-05-27 18:24 <DIR> d--h----- C:\WINDOWS\ShellNew
2008-05-27 18:12 . 2008-05-27 18:12 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Creative
2008-05-27 16:55 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-05-27 16:54 . 2000-05-22 09:58 647,872 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-05-27 16:54 . 2004-08-04 00:57 91,648 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-05-27 16:54 . 2004-08-04 00:57 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-05-27 16:54 . 2004-08-04 00:56 54,784 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-05-27 16:54 . 2004-08-04 00:57 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-05-27 16:54 . 1999-10-10 18:00 41,984 --a------ C:\WINDOWS\Ctregrun.exe
2008-05-27 16:54 . 2004-08-04 00:57 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2008-05-27 16:21 . 2008-05-27 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-27 16:03 . 2008-05-27 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-27 16:00 . 2008-05-27 16:00 <DIR> d-------- C:\WINDOWS\WinRAR
2008-05-27 14:52 . 2008-05-27 19:13 <DIR> d-------- C:\Programas\QuickTime
2008-05-27 14:51 . 2008-05-27 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 14:51 . 2004-12-18 21:32 38,229 --a------ C:\WINDOWS\system32\drivers\StMp3Rec.sys
2008-05-27 14:46 . 2008-05-27 14:51 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-27 01:04 . 2008-05-27 01:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-27 01:04 . 2008-05-27 16:41 <DIR> d-------- C:\Programas\MSN Messenger
2008-05-27 01:04 . 2008-05-27 14:42 <DIR> d-------- C:\Documents and Settings\Proprietário\Contacts
2008-05-27 01:04 . 2008-05-27 14:42 <DIR> d-------- C:\Documents and Settings\Proprietário\Contacts
2008-05-27 01:02 . 2008-05-27 01:02 <DIR> d-------- C:\Programas\Ficheiros comuns\Java
2008-05-27 01:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-27 00:31 . 2008-05-27 18:13 <DIR> d--hsc--- C:\Programas\Ficheiros comuns\WindowsLiveInstaller
2008-05-27 00:30 . 2008-05-27 18:14 <DIR> d-------- C:\Programas\Windows Live
2008-05-27 00:30 . 2008-05-29 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-27 00:10 . 2008-05-27 00:10 <DIR> d-------- C:\Programas\Windows Media Connect 2
2008-05-27 00:09 . 2008-05-27 00:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-27 00:09 . 2008-05-27 00:10 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-26 23:52 . 2008-05-26 23:52 <DIR> d-------- C:\WINDOWS\system32\pt-pt
2008-05-26 23:18 . 2008-06-06 13:14 1,073,037,312 --a------ C:\WINDOWS\MEMORY.DMP
2008-05-26 22:29 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-26 22:26 . 2006-03-02 13:00 1,086,058 -ra------ C:\WINDOWS\SET25.tmp
2008-05-26 22:26 . 2006-03-02 13:00 1,013,613 -ra------ C:\WINDOWS\SET22.tmp
2008-05-26 22:26 . 2006-03-02 13:00 14,913 -ra------ C:\WINDOWS\SET31.tmp
2008-05-26 22:26 . 2006-03-02 13:00 14,573 -ra------ C:\WINDOWS\SET5C.tmp
2008-05-26 20:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-26 20:48 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-26 20:32 . 2008-05-26 20:34 <DIR> d-------- C:\Documents and Settings\João\Os meus documentos
2008-05-26 20:32 . 2008-05-26 20:34 <DIR> d-------- C:\Documents and Settings\João
2008-05-26 20:30 . 2008-06-05 23:57 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Azureus

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 23:57 13,312 ----a-w C:\WINDOWS\dnsrelay.dll
2008-05-28 17:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-26 18:55 --------- d-----w C:\Programas\Serviços online
2008-05-26 13:23 9,709,568 ----a-w C:\WINDOWS\RTLCPL.exe
2008-05-26 13:23 86,016 ----a-w C:\WINDOWS\SoundMan.exe
2008-05-26 13:23 69,632 ----a-w C:\WINDOWS\Alcmtr.exe
2008-05-26 13:23 499,712 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-05-26 13:23 49,152 ----a-w C:\WINDOWS\system32\ChCfg.exe
2008-05-26 13:23 4,381,184 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2008-05-26 13:23 364,544 ----a-w C:\WINDOWS\RtlUpd.exe
2008-05-26 13:23 2,879,488 ----a-w C:\WINDOWS\SkyTel.exe
2008-05-26 13:23 2,808,832 ----a-w C:\WINDOWS\alcwzrd.exe
2008-05-26 13:23 2,155,008 ----a-w C:\WINDOWS\MicCal.exe
2008-05-26 13:23 16,264,192 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-05-26 13:01 9,728 ----a-w C:\WINDOWS\system32\drivers\videX32.sys
2008-05-26 13:01 11,264 ----a-w C:\WINDOWS\system32\drivers\xfilt.sys
2008-05-26 09:06 --------- d-----w C:\Programas\microsoft frontpage
2008-03-19 20:29 21,760 ----a-w C:\Documents and Settings\João\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-06-06_ 0.31.36,98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-05 21:59:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 14:11:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 14:12:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_418.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00110011-4b0b-44d5-9718-90c88817369b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{086ae192-23a6-48d6-96ec-715f53797e85}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{150fa160-130d-451f-b863-b655061432ba}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17da0c9e-4a27-4ac5-bb75-5d24b8cdb972}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d38a51a-23c9-48a1-a33c-48675aa2b494}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2e9caff6-30c7-4208-8807-e79d4ec6f806}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{467faeb2-5f5b-4c81-bae0-2a4752ca7f4e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5321e378-ffad-4999-8c62-03ca8155f0b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{587dbf2d-9145-4c9e-92c2-1f953da73773}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6cc1c91a-ae8b-4373-a5b4-28ba1851e39a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79369d5c-2903-4b7a-ade2-d5e0dee14d24}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{799a370d-5993-4887-9df7-0a4756a77d00}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{902107E5-0FB1-4227-8605-0CF4D8586767}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98dbbf16-ca43-4c33-be80-99e6694468a4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a55581dc-2cdb-4089-8878-71a080b22342}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AC05EE52-030F-4CA5-B583-1C833EB8322F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b847676d-72ac-4393-bfff-43a1eb979352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bc97b254-b2b9-4d40-971d-78e0978f5f26}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CAF0988F-C51B-48D9-B535-808EEAE295A9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765721306}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e2ddf680-9905-4dee-8c64-0a5de7fe133c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e3eebbe8-9cab-4c76-b26a-747e25ebb4c6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e7afff2a-1b57-49c7-bf6b-e5123394c970}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FAB2E16A-D9C3-41D3-BF19-F3A02BA6DCEB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fd9bc004-8331-4457-b830-4759ff704c22}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MsnMsgr"="C:\Programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-27 16:20 171448]
"SpybotSD TeaTimer"="C:\Programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Creative WebCam Tray"="C:\Programas\Creative\Shared Files\CamTray.exe" [2005-10-27 11:00 299008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2008-05-26 14:23 2879488 C:\WINDOWS\SkyTel.exe]
"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-27 16:20 1862144]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"Adobe Reader Speed Launcher"="C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-26 14:23 16264192 C:\WINDOWS\RTHDCPL.exe]
"AdslTaskBar"="stmctrl.dll" [2004-05-13 15:54 159744 C:\WINDOWS\system32\stmctrl.dll]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
WinZip Quick Pick.lnk - C:\Programas\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnoOghG]
nnnoOghG.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnnlljh]
opnnlljh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\soulseek\\slsk.exe"=
"C:\\Programas\\azureus\\Azureus.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2008-05-26 14:01]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2008-05-26 14:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 00:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 00:16]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2003-08-08 10:51]
R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\system32\DRIVERS\torususb.sys [2003-09-04 09:15]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Ferramentas administrativas\Recycle Bin\kdja.exe
.
Conteúdo da pasta 'Tarefas Agendadas'
"2008-05-30 12:28:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programas\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 15:16:47
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
Tempo para conclusão: 2008-06-06 15:18:59
ComboFix-quarantined-files.txt 2008-06-06 14:18:57
ComboFix2.txt 2008-06-06 01:03:44
ComboFix3.txt 2008-06-06 01:01:31
ComboFix4.txt 2008-06-05 23:31:44
ComboFix5.txt 2008-06-05 21:32:43

Pre-Run: 90,761,756,672 bytes livres
Post-Run: 90,756,517,888 bytes livres

262 --- E O F --- 2008-06-06 13:59:29
dvegas
Regular Member
Posts: 39
Joined: June 1st, 2008, 7:50 pm

Re: coolwebsearch spyware

Post by dvegas » June 6th, 2008, 12:11 pm

Look at this... it is a new scan...

ComboFix 08-06-05.3 - Proprietário 2008-06-06 17:06:18.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.2070.18.619 [GMT 1:00]
Executando de: C:\Documents and Settings\Proprietário\Ambiente de trabalho\ComboFix.exe
Command switches used :: C:\Documents and Settings\Proprietário\Ambiente de trabalho\CFScript.txt
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Ferramentas administrativas\Recycle Bin\kdja.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\avpcc.dll
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\internet.exe
C:\WINDOWS\msconfd.dll
C:\WINDOWS\mtwirl32.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\SET22.tmp
C:\WINDOWS\SET25.tmp
C:\WINDOWS\SET31.tmp
C:\WINDOWS\SET5C.tmp
C:\WINDOWS\sistem.exe
C:\WINDOWS\svchost32.exe
C:\WINDOWS\system32\dnprjbij.ini
C:\WINDOWS\system32\gside.exe
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\mysidesearch_sidebar_uninstall.exe
C:\WINDOWS\system32\winpfz33.sys
C:\WINDOWS\xplugin.dll
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Ferramentas administrativas\Recycle Bin\kdja.exe
C:\WINDOWS\astctl32.ocx
C:\WINDOWS\cpan.dll
C:\WINDOWS\ctrlpan.dll
C:\WINDOWS\dnsrelay.dll
C:\WINDOWS\msconfd.dll
C:\WINDOWS\rundll16.exe
C:\WINDOWS\SET22.tmp
C:\WINDOWS\SET25.tmp
C:\WINDOWS\SET31.tmp
C:\WINDOWS\SET5C.tmp
C:\WINDOWS\sistem.exe
C:\WINDOWS\system32\bIP
C:\WINDOWS\system32\dnprjbij.ini
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\vntiho06
C:\WINDOWS\system32\zA
C:\WINDOWS\xplugin.dll

.
((((((((((((((((((((((( Ficheiros criados de 2008-05-06 to 2008-06-06 ))))))))))))))))))))))))))))))))
.

2008-06-06 15:13 . 2008-06-06 15:13 <DIR> d-------- C:\WINDOWS\LastGood
2008-06-06 12:14 . 2008-06-06 12:18 <DIR> d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-06-06 12:14 . 2008-06-06 12:14 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Malwarebytes
2008-06-06 12:14 . 2008-06-06 12:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-06 12:14 . 2008-06-05 16:04 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-06 12:14 . 2008-06-05 16:04 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-06 01:10 . 2008-06-06 01:10 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-06-06 01:10 . 2008-06-06 01:10 1,409 --a------ C:\WINDOWS\QTFont.for
2008-06-05 23:31 . 2008-06-05 23:31 <DIR> d-------- C:\Nova pasta
2008-06-05 23:10 . 2008-06-05 23:10 <DIR> d-------- C:\Programas\Sun
2008-06-05 23:10 . 2008-06-05 23:10 1,355 --a------ C:\WINDOWS\imsins.BAK
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Definiþ§es locais
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\Documents and Settings\Proprietßrio
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\Documents and Settings\NetworkService\Definiþ§es locais
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\Documents and Settings\LocalService\Definiþ§es locais
2008-06-05 22:32 . 2008-06-05 22:32 <DIR> d-------- C:\Documents and Settings\Administrador\Definiþ§es locais
2008-06-01 04:23 . 2008-06-01 04:23 21,504 --a------ C:\WINDOWS\editpad.exe
2008-06-01 04:23 . 2008-06-01 04:23 19,712 --a------ C:\WINDOWS\quicken.exe
2008-06-01 04:03 . 2008-06-05 23:04 <DIR> d-------- C:\Programas\Spyware Doctor
2008-05-31 23:40 . 2008-06-05 23:04 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-31 22:56 . 2008-06-02 01:29 15,104 --a------ C:\WINDOWS\qttasks.exe
2008-05-31 22:55 . 2008-05-31 22:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-05-31 21:26 . 2008-05-31 21:27 <DIR> d-------- C:\Programas\Internet Explorer 7
2008-05-31 21:10 . 2006-03-02 13:00 28,288 --a--c--- C:\WINDOWS\system32\dllcache\xjis.nls
2008-05-31 21:08 . 2006-03-02 13:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-05-31 21:07 . 2006-03-02 13:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-05-31 21:07 . 2003-03-24 15:52 188,480 --a--c--- C:\WINDOWS\system32\dllcache\cfgwiz.exe
2008-05-31 21:07 . 2004-05-13 00:39 184,435 --a--c--- C:\WINDOWS\system32\dllcache\fp4amsft.dll
2008-05-31 21:07 . 2003-03-24 15:52 147,513 --a--c--- C:\WINDOWS\system32\dllcache\fp4apws.dll
2008-05-31 21:07 . 2003-03-24 15:52 82,035 --a--c--- C:\WINDOWS\system32\dllcache\fp4anscp.dll
2008-05-31 21:07 . 2003-03-24 15:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\author.dll
2008-05-31 21:07 . 2003-03-24 15:52 20,540 --a--c--- C:\WINDOWS\system32\dllcache\admin.dll
2008-05-31 21:07 . 2003-03-24 15:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\author.exe
2008-05-31 21:07 . 2003-03-24 15:52 16,439 --a--c--- C:\WINDOWS\system32\dllcache\admin.exe
2008-05-31 21:06 . 2008-05-31 21:06 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-05-31 21:06 . 2008-05-31 21:06 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-05-31 21:06 . 2008-05-31 21:06 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-05-31 21:06 . 2008-05-31 21:06 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-05-31 21:06 . 2008-05-31 21:06 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-05-31 21:01 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-05-31 21:01 . 2008-05-02 22:46 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-05-31 21:01 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-05-31 21:01 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-05-31 19:28 . 2008-05-31 19:28 <DIR> d-------- C:\Programas\Yahoo!
2008-05-31 19:19 . 2008-05-31 19:19 26,624 --a------ C:\WINDOWS\helpcvs.exe
2008-05-31 04:04 . 2008-05-31 04:04 16,384 --a------ C:\WINDOWS\ctfmon32.exe
2008-05-30 23:54 . 2008-05-30 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-05-30 00:02 . 2008-05-30 00:11 121 --a------ C:\WINDOWS\bdagent.INI
2008-05-29 23:45 . 2008-05-30 00:12 <DIR> d-------- C:\Programas\BitDefender
2008-05-29 23:42 . 2008-06-05 22:26 <DIR> d-------- C:\Temp
2008-05-29 23:42 . 2008-05-31 00:43 <DIR> d-------- C:\Programas\uTorrent
2008-05-29 23:42 . 2008-05-31 00:43 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\uTorrent
2008-05-29 23:41 . 2008-05-29 23:41 <DIR> dr------- C:\Documents and Settings\LocalService\Favoritos
2008-05-29 23:34 . 2008-05-29 23:45 <DIR> d-------- C:\Programas\Ficheiros comuns\BitDefender
2008-05-29 14:30 . 2008-05-29 14:30 <DIR> dr-h----- C:\MSOCache
2008-05-29 00:59 . 2008-05-30 15:02 613 --a------ C:\WINDOWS\wininit.ini
2008-05-28 23:33 . 2008-05-28 23:39 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\AVGTOOLBAR
2008-05-28 23:31 . 2008-05-29 00:12 124,688 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
2008-05-28 23:22 . 2008-06-02 01:27 <DIR> d-------- C:\Programas\Spybot - Search & Destroy
2008-05-28 23:22 . 2008-06-02 02:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-28 18:59 . 2008-05-28 18:59 <DIR> dr-h----- C:\Documents and Settings\Proprietário\Application Data\SecuROM
2008-05-28 14:49 . 2008-05-28 14:49 <DIR> d-------- C:\Programas\Ficheiros comuns\Adobe
2008-05-27 19:12 . 2008-05-27 19:12 <DIR> d-------- C:\Programas\Apple Software Update
2008-05-27 19:12 . 2008-05-27 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-27 19:08 . 2008-05-27 19:13 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Apple Computer
2008-05-27 18:45 . 2008-05-27 18:45 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\skypePM
2008-05-27 18:45 . 2008-05-27 18:45 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-27 18:41 . 2008-05-27 18:41 <DIR> d-------- C:\Programas\Ficheiros comuns\Skype
2008-05-27 18:41 . 2008-05-27 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-27 18:25 . 2008-05-27 18:25 379 --a------ C:\WINDOWS\ODBC.INI
2008-05-27 18:24 . 2008-05-27 18:24 <DIR> d-------- C:\Programas\Microsoft.NET
2008-05-27 18:24 . 2003-06-18 17:31 17,920 --a------ C:\WINDOWS\system32\mdimon.dll
2008-05-27 18:23 . 2008-05-27 18:24 <DIR> d--h----- C:\WINDOWS\ShellNew
2008-05-27 18:12 . 2008-05-27 18:12 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Creative
2008-05-27 16:55 . 2003-06-12 23:25 7,062 --a------ C:\WINDOWS\system32\audiopid.vxd
2008-05-27 16:54 . 2000-05-22 09:58 647,872 --a------ C:\WINDOWS\system32\Mscomct2.ocx
2008-05-27 16:54 . 2004-08-04 00:57 91,648 --a------ C:\WINDOWS\system32\kswdmcap.ax
2008-05-27 16:54 . 2004-08-04 00:57 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2008-05-27 16:54 . 2004-08-04 00:56 54,784 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2008-05-27 16:54 . 2004-08-04 00:57 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2008-05-27 16:54 . 1999-10-10 18:00 41,984 --a------ C:\WINDOWS\Ctregrun.exe
2008-05-27 16:54 . 2004-08-04 00:57 28,672 --a------ C:\WINDOWS\system32\vidcap.ax
2008-05-27 16:21 . 2008-05-27 16:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-05-27 16:03 . 2008-05-27 16:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-27 16:00 . 2008-05-27 16:00 <DIR> d-------- C:\WINDOWS\WinRAR
2008-05-27 14:52 . 2008-05-27 19:13 <DIR> d-------- C:\Programas\QuickTime
2008-05-27 14:51 . 2008-05-27 19:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-27 14:51 . 2004-12-18 21:32 38,229 --a------ C:\WINDOWS\system32\drivers\StMp3Rec.sys
2008-05-27 14:46 . 2008-05-27 14:51 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-05-27 01:04 . 2008-05-27 01:04 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-27 01:04 . 2008-05-27 16:41 <DIR> d-------- C:\Programas\MSN Messenger
2008-05-27 01:04 . 2008-05-27 14:42 <DIR> d-------- C:\Documents and Settings\Proprietário\Contacts
2008-05-27 01:04 . 2008-05-27 14:42 <DIR> d-------- C:\Documents and Settings\Proprietário\Contacts
2008-05-27 01:02 . 2008-05-27 01:02 <DIR> d-------- C:\Programas\Ficheiros comuns\Java
2008-05-27 01:02 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-27 00:31 . 2008-05-27 18:13 <DIR> d--hsc--- C:\Programas\Ficheiros comuns\WindowsLiveInstaller
2008-05-27 00:30 . 2008-05-27 18:14 <DIR> d-------- C:\Programas\Windows Live
2008-05-27 00:30 . 2008-05-29 14:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-05-27 00:10 . 2008-05-27 00:10 <DIR> d-------- C:\Programas\Windows Media Connect 2
2008-05-27 00:09 . 2008-05-27 00:09 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-05-27 00:09 . 2008-05-27 00:10 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-26 23:52 . 2008-05-26 23:52 <DIR> d-------- C:\WINDOWS\system32\pt-pt
2008-05-26 23:18 . 2008-06-06 13:14 1,073,037,312 --a------ C:\WINDOWS\MEMORY.DMP
2008-05-26 22:29 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-26 20:48 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-26 20:48 . 2007-07-30 19:18 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-26 20:32 . 2008-05-26 20:34 <DIR> d-------- C:\Documents and Settings\João\Os meus documentos
2008-05-26 20:32 . 2008-05-26 20:34 <DIR> d-------- C:\Documents and Settings\João
2008-05-26 20:30 . 2008-06-06 17:06 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Azureus
2008-05-26 20:30 . 2008-05-26 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-05-26 20:29 . 2008-05-27 18:46 <DIR> d-------- C:\Documents and Settings\Proprietário\Application Data\Skype
2008-05-26 20:20 . 2003-03-25 05:49 106,544 --a------ C:\WINDOWS\system32\tweakui.cpl
2008-05-26 20:20 . 2003-03-25 05:49 98,304 --a------ C:\WINDOWS\system32\startup.cpl
2008-05-26 20:20 . 2004-02-17 10:11 53,248 --a------ C:\WINDOWS\system32\vp6dec_settings.cpl
2008-05-26 20:20 . 2003-03-25 05:49 51,238 --a------ C:\WINDOWS\system32\tweakui.hlp
2008-05-26 20:03 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-05-26 20:01 . 2008-05-26 20:01 <DIR> d--hs---- C:\Documents and Settings\Proprietário\UserData
2008-05-26 20:01 . 2008-05-26 20:01 <DIR> d--hs---- C:\Documents and Settings\Proprietário\UserData
2008-05-26 19:28 . 2008-05-26 19:28 <DIR> d-------- C:\WINDOWS\system32\InsFiles
2008-05-26 19:28 . 2008-05-26 19:28 <DIR> d-------- C:\Programas\Modem ADSL
2008-05-26 19:28 . 2003-09-04 09:15 540,589 -ra------ C:\WINDOWS\system32\drivers\torususb.sys
2008-05-26 19:28 . 2004-05-13 15:39 331,776 -ra------ C:\WINDOWS\system32\stmadsl.cpl
2008-05-26 19:28 . 2003-11-29 00:19 253,952 -ra------ C:\WINDOWS\system32\stmcfg32.dll
2008-05-26 19:28 . 2003-03-22 21:09 249,859 -ra------ C:\WINDOWS\editadsl.exe
2008-05-26 19:28 . 2004-05-13 15:54 159,744 -ra------ C:\WINDOWS\system32\stmctrl.dll

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-28 17:59 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-05-26 18:55 --------- d-----w C:\Programas\Serviços online
2008-05-26 13:23 9,709,568 ----a-w C:\WINDOWS\RTLCPL.exe
2008-05-26 13:23 86,016 ----a-w C:\WINDOWS\SoundMan.exe
2008-05-26 13:23 69,632 ----a-w C:\WINDOWS\Alcmtr.exe
2008-05-26 13:23 499,712 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-05-26 13:23 49,152 ----a-w C:\WINDOWS\system32\ChCfg.exe
2008-05-26 13:23 4,381,184 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2008-05-26 13:23 364,544 ----a-w C:\WINDOWS\RtlUpd.exe
2008-05-26 13:23 2,879,488 ----a-w C:\WINDOWS\SkyTel.exe
2008-05-26 13:23 2,808,832 ----a-w C:\WINDOWS\alcwzrd.exe
2008-05-26 13:23 2,155,008 ----a-w C:\WINDOWS\MicCal.exe
2008-05-26 13:23 16,264,192 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-05-26 13:01 9,728 ----a-w C:\WINDOWS\system32\drivers\videX32.sys
2008-05-26 13:01 11,264 ----a-w C:\WINDOWS\system32\drivers\xfilt.sys
2008-05-26 09:06 --------- d-----w C:\Programas\microsoft frontpage
2008-03-19 20:29 21,760 ----a-w C:\Documents and Settings\João\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot_2008-06-06_ 0.31.36,98 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-05 21:59:49 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 14:11:59 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-06 14:12:03 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_418.dat
.
(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Note* empty entries & legit default entries are not shown.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-02 13:00 15360]
"MsnMsgr"="C:\Programas\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"swg"="C:\Programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2008-05-27 16:20 171448]
"SpybotSD TeaTimer"="C:\Programas\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"Creative WebCam Tray"="C:\Programas\Creative\Shared Files\CamTray.exe" [2005-10-27 11:00 299008]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"SkyTel"="SkyTel.EXE" [2008-05-26 14:23 2879488 C:\WINDOWS\SkyTel.exe]
"Google Desktop Search"="C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" [2008-05-27 16:20 1862144]
"QuickTime Task"="C:\Programas\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"Adobe Reader Speed Launcher"="C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"RTHDCPL"="RTHDCPL.EXE" [2008-05-26 14:23 16264192 C:\WINDOWS\RTHDCPL.exe]
"AdslTaskBar"="stmctrl.dll" [2004-05-13 15:54 159744 C:\WINDOWS\system32\stmctrl.dll]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-02 13:00 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
WinZip Quick Pick.lnk - C:\Programas\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12"= C:\PROGRA~1\ACEMEG~1\SystemS\ATI\atiyuv12.DLL
"vidc.divx"= C:\PROGRA~1\ACEMEG~1\SystemS\DivX\DivX520.dll
"vidc.iyuv"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\iyuv_32.dll
"vidc.yvu9"= C:\PROGRA~1\ACEMEG~1\SystemS\Intel\Iyvu9_32.dll
"vidc.uyvy"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yuy2"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll
"vidc.yvyu"= C:\PROGRA~1\ACEMEG~1\SystemS\MICROS~1\msyuv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programas\\soulseek\\slsk.exe"=
"C:\\Programas\\azureus\\Azureus.exe"=

R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2008-05-26 14:01]
R0 xfilt;VIA SATA IDE Hot-plug Driver;C:\WINDOWS\system32\DRIVERS\xfilt.sys [2008-05-26 14:01]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 00:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 00:16]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2003-08-08 10:51]
R3 TaurusUsb;ADSL Modem USB Service;C:\WINDOWS\system32\DRIVERS\torususb.sys [2003-09-04 09:15]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F8B9E5C0-4DCC-CFCF-ABA5-00401D608516}]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Ferramentas administrativas\Recycle Bin\kdja.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 12:28:15 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Programas\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 17:08:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-06 17:09:24
ComboFix-quarantined-files.txt 2008-06-06 16:09:21
ComboFix2.txt 2008-06-06 14:19:00
ComboFix3.txt 2008-06-06 01:03:44
ComboFix4.txt 2008-06-06 01:01:31
ComboFix5.txt 2008-06-05 23:31:44

Pre-Run: 90,785,968,128 bytes free
Post-Run: 90,788,188,160 bytes free

275 --- E O F --- 2008-06-06 13:59:29
dvegas
Regular Member
Posts: 39
Joined: June 1st, 2008, 7:50 pm

Re: coolwebsearch spyware

Unread postby dan12 » June 6th, 2008, 1:14 pm

Thanks, that's better. Can I see a fresh HJT log also?
dan
dan12
MRU Honors Grad Emeritus
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: coolwebsearch spyware

Unread postby dvegas » June 6th, 2008, 1:20 pm

HijackThis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:57, on 06-06-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {902107E5-0FB1-4227-8605-0CF4D8586767} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AC05EE52-030F-4CA5-B583-1C833EB8322F} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {CAF0988F-C51B-48D9-B535-808EEAE295A9} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {FAB2E16A-D9C3-41D3-BF19-F3A02BA6DCEB} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programas\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1828591125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1829019109
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: nnnoOghG - C:\WINDOWS\
O20 - Winlogon Notify: opnnlljh - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10201 bytes
dvegas

Re: coolwebsearch spyware

Unread postby dan12 » June 6th, 2008, 1:31 pm

Your TeaTimer is going to interfere with what we are trying to do. I need you to disable it.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Leave it disabled till I tell you it's ok to turn it back on.

Spybot Search & Destroy SDHelper

Disable Spybot Search & Destroy's SDHelper:
Open Spybot Search & Destroy, go to Mode and check Advanced Mode.
Go to the bottom left of the panel, click Tools, then click Resident.
Uncheck Resident SDHelper.
We will need to do this in reverse to re-enable it when the fix is done.

__________________


Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - (no file)
O2 - BHO: (no name) - {086ae192-23a6-48d6-96ec-715f53797e85} - (no file)
O2 - BHO: (no name) - {150fa160-130d-451f-b863-b655061432ba} - (no file)
O2 - BHO: (no name) - {17da0c9e-4a27-4ac5-bb75-5d24b8cdb972} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb1} - (no file)
O2 - BHO: (no name) - {1f48aa48-c53a-4e21-85e7-ac7cc6b5ffb2} - (no file)
O2 - BHO: (no name) - {2d38a51a-23c9-48a1-a33c-48675aa2b494} - (no file)
O2 - BHO: (no name) - {2e9caff6-30c7-4208-8807-e79d4ec6f806} - (no file)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {467faeb2-5f5b-4c81-bae0-2a4752ca7f4e} - (no file)
O2 - BHO: (no name) - {5321e378-ffad-4999-8c62-03ca8155f0b3} - (no file)
O2 - BHO: (no name) - {587dbf2d-9145-4c9e-92c2-1f953da73773} - (no file)
O2 - BHO: (no name) - {6cc1c91a-ae8b-4373-a5b4-28ba1851e39a} - (no file)
O2 - BHO: (no name) - {79369d5c-2903-4b7a-ade2-d5e0dee14d24} - (no file)
O2 - BHO: (no name) - {799a370d-5993-4887-9df7-0a4756a77d00} - (no file)
O2 - BHO: (no name) - {902107E5-0FB1-4227-8605-0CF4D8586767} - (no file)
O2 - BHO: (no name) - {98dbbf16-ca43-4c33-be80-99e6694468a4} - (no file)
O2 - BHO: (no name) - {a55581dc-2cdb-4089-8878-71a080b22342} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {AC05EE52-030F-4CA5-B583-1C833EB8322F} - (no file)
O2 - BHO: (no name) - {b847676d-72ac-4393-bfff-43a1eb979352} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {CAF0988F-C51B-48D9-B535-808EEAE295A9} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765721306} - (no file)
O2 - BHO: (no name) - {e2ddf680-9905-4dee-8c64-0a5de7fe133c} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {e7afff2a-1b57-49c7-bf6b-e5123394c970} - (no file)
O2 - BHO: (no name) - {FAB2E16A-D9C3-41D3-BF19-F3A02BA6DCEB} - (no file)
O2 - BHO: (no name) - {fcaddc14-bd46-408a-9842-cdbe1c6d37eb} - (no file)
O2 - BHO: (no name) - {fd9bc004-8331-4457-b830-4759ff704c22} - (no file)
O2 - BHO: (no name) - {ff1bf4c7-4e08-4a28-a43f-9d60a9f7a880} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O20 - Winlogon Notify: nnnoOghG - C:\WINDOWS\
O20 - Winlogon Notify: opnnlljh - C:\WINDOWS\

WITH ALL OTHER WINDOWS CLOSED, click on Fix Checked and exit.


: Malwarebytes' Anti-Malware :

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a check mark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Post me the malwarebytes report and a Fresh HJT log.
dan12
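The triage in the post above (tick the O2/O3/O18 entries that show "(no file)" and the two O20 Winlogon Notify entries, then confirm with a fresh log) can be done mechanically over the pasted log text. The script below is an added example, not code from this thread and not HijackThis's own code: it parses HJT v2.0.2 log lines, flags the same entry classes dan12 listed, and checks a second log for entries that survived the fix. The regexes and the "Winlogon Notify entry without a DLL file name" heuristic are this example's own assumptions; the sample lines are copied from the two logs posted in this thread.

```python
"""Triage helpers for HijackThis (v2.0.2) log text.

Added example, not code from this thread or from HijackThis itself. It finds
the O2/O3/O18 entries that are COM registrations with no DLL behind them and
the O20 Winlogon Notify entries that name no DLL at all, and reports which of
those survive in a second log taken after "Fix checked". Regexes and the
"no file name" heuristic are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# One log line is "<kind> - <body>", e.g. "O2 - BHO: (no name) - {...} - (no file)".
LINE_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass(frozen=True)
class Entry:
    kind: str             # O2, O3, O17, O18, O20, ...
    body: str             # everything after "<kind> - "
    clsid: Optional[str]  # first {GUID} in the body, lower-cased, if any
    line: str             # the original line, ready to paste into a fix list

    @property
    def key(self) -> str:
        """Identity that survives between two logs of the same machine."""
        return f"{self.kind}:{self.clsid or self.body}"

@dataclass(frozen=True)
class Finding:
    entry: Entry
    reason: str

def parse_hjt(text: str) -> List[Entry]:
    """Keep only the Rn/Fn/On lines; headers and the process list are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        c = CLSID_RE.search(m["body"])
        entries.append(Entry(m["kind"], m["body"], c.group(0).lower() if c else None, m.group(0)))
    return entries

def triage(text: str) -> List[Finding]:
    findings = []
    for e in parse_hjt(text):
        if e.kind in ("O2", "O3", "O18") and e.body.endswith("(no file)"):
            # BHO, toolbar or protocol handler still registered, DLL gone.
            findings.append(Finding(e, "COM registration whose DLL no longer exists"))
        elif e.kind == "O20" and e.body.startswith("Winlogon Notify:"):
            _, _, path = e.body.partition(" - ")
            # A notification package must name a DLL; a bare directory means the
            # key is an orphaned load point that winlogon will still try to use.
            if path.endswith("\\") or not re.search(r"\.[A-Za-z0-9]+$", path):
                findings.append(Finding(e, "Winlogon Notify entry without a DLL file name"))
        elif e.kind == "O17":
            # Not a fix item: a NameServer override only needs checking against
            # the resolvers the ISP or the router actually hands out.
            findings.append(Finding(e, "DNS NameServer override; confirm it is the ISP's resolver"))
    return findings

def fix_list(text: str) -> List[str]:
    """Lines to tick in 'Do a system scan only' (O17 is a check, not a fix)."""
    return [f.entry.line for f in triage(text) if f.entry.kind != "O17"]

def still_present(before: str, after: str) -> List[str]:
    """Fix-list entries from the first log that are still in the second one."""
    wanted = {f.entry.key for f in triage(before) if f.entry.kind != "O17"}
    return [e.line for e in parse_hjt(after) if e.key in wanted]

# Lines copied from the 18:18 log posted before the fix ...
BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {06E12C36-760F-4D92-8509-5E5DBF12C423} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: nnnoOghG - C:\WINDOWS\
O20 - Winlogon Notify: opnnlljh - C:\WINDOWS\
"""
# ... and from the 18:48 log posted after "Fix checked".
AFTER = r"""O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
"""

if __name__ == "__main__":
    for f in triage(BEFORE):
        print(f"{f.reason:60} {f.entry.line}")
    print("still present after fix:", still_present(BEFORE, AFTER))
```

Run against the two logs in this thread, `still_present` returns exactly one line, the `{00110011-...}` BHO, which is why the 18:48 log still carries that entry: "(no file)" alone is the criterion, so an O9 button with "(no name)" but a real DLL (the Java console) is deliberately not flagged, and the O17 line is reported but kept out of the fix list because a NameServer value is only a finding once it is compared with the ISP's resolvers.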

Re: coolwebsearch spyware

Unread postby dvegas » June 6th, 2008, 1:49 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:48:14, on 06-06-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\QuickTime\qttask.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {00110011-4b0b-44d5-9718-90c88817369b} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programas\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1828591125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1829019109
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7425 bytes
dvegas

Re: coolwebsearch spyware

Unread postby dvegas » June 6th, 2008, 3:53 pm

Malwarebytes' Anti-Malware 1.15
Database version: 831

20:52:11 06-06-2008
mbam-log-6-6-2008 (20-52-11).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 142400
Time elapsed: 22 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
dvegas

Re: coolwebsearch spyware

Unread postby dvegas » June 6th, 2008, 4:52 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:51:53, on 06-06-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Programas\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programas\Windows Media Player\wmplayer.exe
C:\Programas\azureus\Azureus.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programas\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1828591125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1829019109
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7593 bytes
dvegas
Regular Member
 
Posts: 39
Joined: June 1st, 2008, 7:50 pm

Re: coolwebsearch spyware

Unread postby dan12 » June 6th, 2008, 5:20 pm

Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
1 - Kaspersky Online Scan
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with >Kaspersky Online Scanner<. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    [Image: the Save Report As... button in the Kaspersky Online Scanner window]

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    [Image: the Save as type prompt with Text file selected]

  • Copy and paste the report in your next post.
Note: It is recommended to disable your onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Post the above reports and let me know how things are
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: coolwebsearch spyware

Unread postby dvegas » June 6th, 2008, 5:36 pm

ACE Mega CoDecS Pack
Actualização para Windows XP (KB898461)
Adobe Flash Player ActiveX
Adobe Reader 8.1.2 - Português
ADSL Modem
Apple Software Update
Assistente de Conexão do Windows Live
avast! Antivirus
Azureus 3.0
Barra de Ferramentas do Yahoo! com bloqueador de pop-up
Championship Manager 2008
Cobian Backup 9
Creative Software AutoUpdate
Google Desktop
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iPod for Windows 2006-06-28
iTunes
Java(TM) 6 Update 5
Java(TM) SE Runtime Environment 6
Malwarebytes' Anti-Malware
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Visual C++ 2005 Redistributable
NVIDIA Drivers
OpenOffice.org Installer 1.0
PowerISO
QuickTime
Realtek High Definition Audio Driver
Skype™ 3.8
SoulSeek Client 156c
Spybot - Search & Destroy
VIA Platform Device Manager
VobSub v2.23 (Remove Only)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live installer
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
WinRAR
WinZip 11.1
Yahoo! Install Manager
dvegas
Regular Member
 
Posts: 39
Joined: June 1st, 2008, 7:50 pm

Re: coolwebsearch spyware

Unread postby dvegas » June 6th, 2008, 6:32 pm

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 11:31:19 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 834859
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 106311
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 86
Duration of the scan process: 00:35:39

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll10.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll13.zip/loader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll13.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll16.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll21.zip/loader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll21.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll26.zip/iedll.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll26.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll27.zip/loader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll27.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll3.zip/loader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchAffIedll3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf12.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf12.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf2.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf9.zip/msupdate.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchBootconf9.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch10.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit3.zip/mssys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit5.zip/mssys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit9.zip/mssys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvcinit9.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC104.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC104.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/win32e.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC111.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC111.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC113.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC113.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC122.zip/systemcritical.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC122.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC127.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC127.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC129.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC129.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC131.zip/win64.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC131.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC139.zip/systemcritical.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC139.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC146.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC146.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC147.zip/win32e.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC147.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC160.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC160.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC162.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC162.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC185.zip/winmgnt.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC185.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC199.zip/winmgnt.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC199.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC225.zip/accesss.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC225.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC47.zip/win32e.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC47.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC56.zip/window.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC56.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC70.zip/users32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC70.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC78.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC78.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC90.zip/window.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC90.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC93.zip/systeem.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC93.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC97.zip/olehelp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC97.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip/iexplorer.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric13.zip/accesss.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric13.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip/systeem.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgeneric2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp13.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp13.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp3.zip/x.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCgp3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Desktop.htt Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Proprietário\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Messenger\dvegas5@msn.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Messenger\dvegas5@msn.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Messenger\dvegas5@msn.com\SharingMetadata\Working\database_3EF8_E955_F8E9_BC9\dfsr.db Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Messenger\dvegas5@msn.com\SharingMetadata\Working\database_3EF8_E955_F8E9_BC9\fsr.log Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Messenger\dvegas5@msn.com\SharingMetadata\Working\database_3EF8_E955_F8E9_BC9\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Messenger\dvegas5@msn.com\SharingMetadata\Working\database_3EF8_E955_F8E9_BC9\tmp.edb Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Windows Live Contacts\dvegas5@msn.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Application Data\Microsoft\Windows Live Contacts\dvegas5@msn.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Histórico\History.IE5\MSHist012008060620080607\index.dat Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Temp\~DFE0AB.tmp Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Temp\~DFE0C2.tmp Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Temp\~DFE95A.tmp Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Temp\~DFE9E3.tmp Object is locked skipped
C:\Documents and Settings\Proprietário\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Proprietário\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Proprietário\ntuser.dat.LOG Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{61128455-0625-4F61-BE99-7B4DAB959044}\RP19\A0006057.exe/is155088.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.vqj skipped
C:\System Volume Information\_restore{61128455-0625-4F61-BE99-7B4DAB959044}\RP19\A0006057.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{61128455-0625-4F61-BE99-7B4DAB959044}\RP47\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7186D5A9-5480-4932-B09F-BC947F861ED3}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_420.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
dvegas
Regular Member
 
Posts: 39
Joined: June 1st, 2008, 7:50 pm

Re: coolwebsearch spyware

Unread postby dan12 » June 7th, 2008, 3:15 am

Open Spybot - Search & Destroy, click on Recovery, click on Purge selected items, and close the program when complete.

________

Update Java Runtime Environment (JRE)

Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 6.

  1. Click on Start > Control Panel and double click on Add/Remove Programs. Locate Java(TM) 6 Update 5 and click on Change/Remove to uninstall it.
  2. Repeat for these old versions of JRE:
      Java(TM) SE Runtime Environment 6
  3. Click here to visit Java's website.
  4. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  5. Select Windows from the drop-down list for Platform.
  6. Select Multi-language from the drop-down list for Language.
  7. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  8. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  9. Run this installation to update your Java.

Post me a new HJT log
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: coolwebsearch spyware

Unread postby dvegas » June 7th, 2008, 6:44 am

Java update done!!

New HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:59, on 07-06-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programas\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1828591125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1829019109
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7157 bytes
dvegas
Regular Member
 
Posts: 39
Joined: June 1st, 2008, 7:50 pm

Re: coolwebsearch spyware

Unread postby dvegas » June 7th, 2008, 9:52 am

New HJT scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:51:50, on 07-06-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\MSN Messenger\usnsvc.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Creative WebCam Tray] "C:\Programas\Creative\Shared Files\CamTray.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Programas\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Programas\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1828591125
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1829019109
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/ ... /CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\FICHEI~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Programas\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Programas\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7661 bytes
dvegas
Regular Member
 
Posts: 39
Joined: June 1st, 2008, 7:50 pm
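Comparing two HJT logs by eye is where things get missed, so here is a small parser that does it mechanically. This is an added example, not part of the thread and not HijackThis's own code: it reads the R/O finding lines, diffs an earlier log against a later one, and surfaces the entry types a helper would ask about first (a BHO whose DLL is "(no file)", DPF ActiveX entries with no name or source URL, and the O17 DNS server setting). The embedded OLD_LOG and NEW_LOG are constructed excerpts of the two logs dvegas posted above, not the full files, and the flagging rules are this example's own heuristics, not verdicts.

```python
"""Parse HijackThis 2.0.2 logs, flag entries worth a second look, and diff two logs.

Added example for the thread above; not part of the original posts and not
HijackThis's own logic. OLD_LOG and NEW_LOG are short excerpts (constructed
subsets, not the full files) of the two logs dvegas posted on June 7th, and the
flagging rules below are this example's own heuristics.
"""
import re
from dataclasses import dataclass

# Every HJT finding is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
# Header lines and the "Running processes" list do not match and are skipped.
LINE_RE = re.compile(r"^(?P<section>[RFO]\d{1,2}) - (?P<body>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def __str__(self) -> str:
        return f"{self.section} - {self.body}"


def parse_hjt(text: str) -> list[Entry]:
    """Return the R/F/O findings of an HJT log in file order."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def flag_entries(entries: list[Entry]) -> list[tuple[str, Entry]]:
    """Pick out the lines a helper would ask about first (heuristics, not verdicts)."""
    flags = []
    for e in entries:
        if e.section == "O2" and e.body.endswith("(no file)"):
            flags.append(("orphaned BHO: registry CLSID points at a DLL that is gone", e))
        elif e.section == "O16" and e.body.rstrip().endswith("-"):
            # "O16 - DPF: {CLSID} -": a downloaded ActiveX control with no name or source URL
            flags.append(("unnamed DPF ActiveX entry, identify the CLSID", e))
        elif e.section == "O17" and "NameServer" in e.body:
            # DNS settings are a classic hijack target; confirm the address belongs to the ISP
            flags.append(("DNS server set in TCP/IP config, confirm it is the ISP's", e))
    return flags


def diff_logs(old: list[Entry], new: list[Entry]) -> tuple[list[Entry], list[Entry]]:
    """(added, removed) findings between two logs; order of the result follows the logs."""
    old_set, new_set = set(old), set(new)
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return added, removed


# Constructed excerpts of the 11:42 log (OLD_LOG) and the 14:51 log (NEW_LOG) above.
OLD_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
O17 - HKLM\System\CS2\Services\Tcpip\..\{4DD62A15-6A62-477F-BF4D-661AF5D9FBEE}: NameServer = 212.55.154.174
"""

NEW_LOG = OLD_LOG + r"""
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_05\bin\jusched.exe"
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} -
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} -
"""

if __name__ == "__main__":
    old, new = parse_hjt(OLD_LOG), parse_hjt(NEW_LOG)
    added, removed = diff_logs(old, new)
    print(f"{len(added)} new, {len(removed)} gone since the earlier log")
    for e in added:
        print("  +", e)
    for reason, e in flag_entries(new):
        print(f"{reason}:\n    {e}")
```

Run it on the two full logs (paste each into a file and read it with `open(...).read()` in place of the excerpts) and the diff lists exactly what changed between the 11:42 and 14:51 scans; the flags are prompts for a human to check, not a verdict that an entry is malicious.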