
"filename.exe is not a valid win32 application" win32.bagle?


by arengajojo » February 1st, 2008, 8:19 am

Hi... I opened a file downloaded stupidly from emule... it was about 800kb .... then my antivirus stopped working and also all the anti-spyware (nod32, lavasoft adware, S&D) ... I tried to install them again and it gives the error "filename.exe is not a valid win32 application" ... I rebooted in safe mode and deleted the process winterm.exe. I also ran f-secure blacklight rootkit eliminator ... the log is this...


[update]
I have 2 OSes on the computer.. the one infested is Vista... I went to my XP and ran NOD32 from there... here's the result:

Anyway... when I go to my Windows Vista again... I can't install any security product... it always says "..not valid win32 application" ...


I need help...
Thanks
João
arengajojo
Active Member
 
Posts: 5
Joined: February 1st, 2008, 8:04 am

Re: "filename.exe is not a valid win32 application" win32.bagle?

by Katana » February 1st, 2008, 12:06 pm

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Unless informed of in advance, failure to post replies within 5 days will result in this thread being closed.




Download and Run ComboFix
  • Download Combofix from the link below :

    ComboFix.exe

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Right-click combofix.exe >> Run as Administrator & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
ComboFix SHOULD NOT be used unless requested by a forum helper
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: "filename.exe is not a valid win32 application" win32.bagle?

by arengajojo » February 1st, 2008, 1:11 pm

Hi Katana and thank you for helping me...

[combo-fix LOG]

.
2008-02-01 16:42 --------- d-----w C:\ProgramData\Spybot - Search & Destroy
2008-02-01 10:24 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-01 10:24 --------- d-----w C:\Program Files\Windows Journal
2008-02-01 10:24 --------- d-----w C:\Program Files\Windows Defender
2008-02-01 10:24 --------- d-----w C:\Program Files\Windows Collaboration
2008-02-01 10:24 --------- d-----w C:\Program Files\Windows Calendar
2008-02-01 10:24 --------- d-----w C:\Program Files\SopCast
2008-02-01 10:24 --------- d-----w C:\Program Files\RocketDock
2008-02-01 10:24 --------- d-----w C:\Program Files\Real Alternative
2008-02-01 10:24 --------- d-----w C:\Program Files\Opera
2008-02-01 10:23 --------- d-----w C:\Program Files\Windows Live
2008-02-01 10:23 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-02-01 10:23 --------- d-----w C:\Program Files\Lavasoft
2008-02-01 10:23 --------- d-----w C:\Program Files\K-Lite Codec Pack
2008-02-01 10:23 --------- d-----w C:\Program Files\Google
2008-02-01 10:23 --------- d-----w C:\Program Files\Corel
2008-02-01 10:23 --------- d-----w C:\Program Files\Common Files\Nero
2008-02-01 10:23 --------- d-----w C:\Program Files\Common Files\Corel
2008-02-01 10:23 --------- d-----w C:\Program Files\CodeGazer
2008-02-01 10:23 --------- d-----w C:\Program Files\CD Art Display
2008-02-01 02:20 --------- d-----w C:\ProgramData\Kaspersky Lab
2008-01-31 22:58 --------- d-----w C:\ProgramData\FLEXnet
2008-01-31 22:58 --------- d-----w C:\Program Files\SpeedFan
2008-01-31 22:58 --------- d-----w C:\Program Files\SAPO Messenger
2008-01-31 22:58 --------- d-----w C:\Program Files\Nokia
2008-01-31 22:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 22:01 --------- d-----w C:\ProgramData\Installations
2008-01-31 18:40 --------- d-----w C:\Program Files\eMule
2008-01-29 02:01 --------- d-----w C:\Program Files\Common Files\ACD Systems
2008-01-20 02:12 --------- d-----w C:\Program Files\Common Files\Nokia
2008-01-20 00:57 --------- d-----w C:\Program Files\ATI Technologies
2008-01-18 21:27 --------- d-----w C:\ProgramData\Microsoft Help
2008-01-15 23:32 --------- d-----w C:\ProgramData\DassaultSystemes
2008-01-15 15:39 174 --sha-w C:\Program Files\desktop.ini
2008-01-15 15:23 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-01-15 15:23 --------- d-----w C:\Program Files\Windows Mail
2008-01-15 02:36 --------- d-----w C:\Program Files\FeedDemon
2008-01-12 18:57 --------- d-----w C:\Program Files\TVAnts
2008-01-07 04:49 --------- d-----w C:\Program Files\TrafNet
2008-01-05 02:03 --------- d---a-w C:\ProgramData\TEMP
2008-01-03 20:27 --------- d-----w C:\Program Files\TI Education
2008-01-03 20:27 --------- d-----w C:\Program Files\Common Files\TI Shared
2007-12-28 19:36 --------- d-----w C:\Users\JOJO\AppData\Roaming\DassaultSystemes
2007-12-28 19:35 --------- d-----w C:\Program Files\Common Files\eDrawings2008
2007-12-21 09:21 71,176 ----a-w C:\Windows\system32\drivers\epfw.sys
2007-12-21 09:21 53,768 ----a-w C:\Windows\system32\drivers\epfwtdi.sys
2007-12-21 09:21 30,728 ----a-w C:\Windows\system32\drivers\epfwndis.sys
2007-12-21 09:20 30,216 ----a-w C:\Windows\system32\drivers\easdrv.sys
2007-12-21 09:19 39,944 ----a-w C:\Windows\system32\drivers\eamon.sys
2007-12-18 22:57 --------- d-----w C:\Users\JOJO\AppData\Roaming\CD Art Display
2007-12-18 14:50 --------- d-----w C:\Users\JOJO\AppData\Roaming\CodeGazer
2007-12-15 03:24 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-07 02:36 --------- d-----w C:\Users\JOJO\AppData\Roaming\Comodo
2007-12-04 20:42 --------- d-----w C:\Program Files\TVUPlayer
2007-12-01 02:33 --------- d-----w C:\Program Files\LG Software
2007-11-30 12:08 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2007-11-30 12:07 58,880 ----a-w C:\Windows\bfsvc.exe
2007-11-30 12:07 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2007-11-30 12:07 498,176 ----a-w C:\Windows\HelpPane.exe
2007-11-30 12:07 456,704 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2007-11-30 12:07 40,960 ----a-w C:\Windows\AppPatch\apihex86.dll
2007-11-30 12:07 237,568 ----a-w C:\Windows\AppPatch\AcRedir.dll
2007-11-30 12:07 2,921,984 ----a-w C:\Windows\explorer.exe
2007-11-30 12:07 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2007-11-30 12:07 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2007-11-30 12:07 151,040 ----a-w C:\Windows\notepad.exe
2007-11-30 12:07 134,656 ----a-w C:\Windows\regedit.exe
2007-11-30 12:07 13,312 ----a-w C:\Windows\fveupdate.exe
2007-09-18 20:56 88 --sh--r C:\Windows\System32\D1CFD8B35A.sys
2007-06-13 16:57 23 --sha-w C:\Windows\System32\eddeffec_r.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-11-07 17:48 5724184]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2007-11-30 11:07 1233920]
"RocketDock"="C:\Program Files\RocketDock\RocketDock.exe" [2007-09-02 12:58 495616]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-03-20 14:34 213936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KeybdUtility"="C:\Program Files\LG Software\On Screen Display\Hotkey.exe" [2005-07-26 08:18 81920]
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [2007-12-21 08:21 1443072]
"combofix"="C:\Combo-Fix\kmd.exe" [2007-11-30 11:07 318464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"AllowLegacyWebView"= 1 (0x1)
"AllowUnhashedWebView"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"GreyMSIAds"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=C:\Windows\pss\Logitech SetPoint.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Nokia Nseries PC Suite.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Nokia Nseries PC Suite.lnk
backup=C:\Windows\pss\Nokia Nseries PC Suite.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^JOJO^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=C:\Users\JOJO\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=C:\Windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAWTray]
--a------ 2007-08-08 15:53 88024 C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
--a------ 2006-03-20 14:34 213936 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
--a------ 2007-04-11 13:32 56080 C:\Windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2007-04-11 13:32 56080 C:\Windows\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NokiaMServer]
C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ooccctrl.exe]
C:\Program Files\OO Software\CleverCache\ooccctrl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RocketDock]
--a------ 2007-09-02 12:58 495616 C:\Program Files\RocketDock\RocketDock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 12:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-06-14 16:32 132760 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Userinit]
C:\Windows\system32\cologsver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VistaBatterySaver]
C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2007-11-30 11:13 1008184 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
"StartCCC"=C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
"SAFEPRO2007 HotKeys"="C:\Program Files\Steganos Safe Professional 2007\SteganosHotKeyService.exe"
"SAFEPRO2007 Agent"="C:\Program Files\Steganos Safe Professional 2007\SteganosAgent.exe"
"SAFEPRO2007 File Redirection Starter"="C:\Program Files\Steganos Safe Professional 2007\fredirstarter.exe"
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"NeroFilterCheck"=C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
"AAWTray"=C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
"NokiaMServer"=C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer /watchfiles

R1 SLEE_15_DRIVER;Steganos Live Encryption Engine 15 [Driver];C:\Windows\system32\drivers\Sleen15.sys [2007-02-21 11:33]
R2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2006-11-02 14:51]
R2 UxTuneUp;TuneUp Theme Extension;C:\Windows\System32\svchost.exe [2007-11-30 11:07]
R3 atikmdag;atikmdag;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-21 02:55]
R3 camvid20;Philips ToUcam Camera; Video;C:\Windows\system32\DRIVERS\camdrv21.sys []
R3 cmudax;C-Media High Definition Audio Interface;C:\Windows\system32\drivers\cmudax.sys [2005-05-12 04:39]
R3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;C:\Windows\system32\DRIVERS\NETw2v32.sys [2007-03-06 17:08]
R3 SMSCIRDA;SMSC Infrared Device Driver;C:\Windows\system32\DRIVERS\SMSCirda.sys [2006-11-02 06:30]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 06:30]
S3 exfat;exFAT File System Driver;C:\Windows\system32\drivers\exfat.sys [2007-11-30 09:01]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-21 02:55]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\Windows\System32\TuneUpDefragService.exe [2007-12-21 21:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-25 18:21:14 C:\Windows\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 17:01:29
Windows 6.0.6001 Service Pack 1, v.668 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.EXE [6.00.6001.17052]
-> C:\Program Files\RocketDock\RocketDock.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Ati2evxx.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Windows\system32\PSIService.exe
C:\Windows\system32\conime.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Windows\system32\msiexec.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
.
**************************************************************************
.
Completion time: 2008-02-01 17:04:35 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 18:04:30
.
2008-01-16 22:14:37 --- E O F ---



-> then I ran the HiJackthis_v2
[Hijackthis LOG]
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:08:04, on 01-02-2008
Platform: Windows Vista SP1, v.668 (WinNT 6.00.1905)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Program Files\LG Software\On Screen Display\HotKey.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Users\JOJO\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: SYSTRAN Toolbar - {95daa571-4def-4a6d-97d8-98a346672a24} - mscoree.dll (file missing)
O4 - HKLM\..\Run: [KeybdUtility] "C:\Program Files\LG Software\On Screen Display\Hotkey.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Pesquisar (SYSTRAN) - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/lookup.js
O8 - Extra context menu item: Traduzir (SYSTRAN) - res://C:\Program Files\SYSTRAN\6\\GUIres.dll/translate.js
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {070CA17A-4BD2-4612-83B4-32B1B9159B47} (ULiveCtrl Control) - http://uc.sina.com.cn/download/live/weblive2.4.0.0.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {664088B0-6AF3-4514-AF9D-A0DC3A3DF24A} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols3beta/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O20 - AppInit_DLLs:
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: Remote Procedure Call (RPC) Locator (RpcLocator) - Unknown owner - C:\Windows\C:\Windows\system32\locator.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe

--
End of file - 6218 bytes


Awaiting new instructions...

Thks,
João
arengajojo
Active Member
 
Posts: 5
Joined: February 1st, 2008, 8:04 am

Re: "filename.exe is not a valid win32 application" win32.bagle?

Post by Katana » February 1st, 2008, 1:31 pm

With all those files still in the
C:\Windows\system32\drivers\down folder, it looks like something is still active


Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total

Please visit Virustotal
Copy/paste the following file path into the window
C:\Windows\System32\D1CFD8B35A.sys
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\Windows\System32\eddeffec_r.dll

If Virustotal is too busy please try Jotti

TotalScan
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
Please go to this site Link >> TotalScan << LINK
  • Under Scan Now click the Full Scan button
  • Follow the prompts to install the Active X if necessary
  • Go and make a cup of tea/coffee/beverage of your choice and watch some TV :)
  • When the scan is finished, a report will be generated
  • Next to Scan Details click the small Save button and save the report to your desktop.
  • Please post the report in your reply.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: "filename.exe is not a valid win32 application" win32.bagle?

Post by arengajojo » February 1st, 2008, 5:12 pm

hello again..

I scanned the 2 files in Jotti and both files are OK!

File: D1CFD8B35A.sys
Status: OK
MD5: 0819b5477910bd5625128561af7d2453
Packers detected: -
Bit9 reports: File not found

File: eddeffec_r.dll
Status: OK
MD5: 176c1dbb57d68694b62ae8c96b905137
Packers detected: -
Bit9 reports: File not found


In the TotalScan only a few cookies appear...

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-02-01 20:05:06
PROTECTIONS: 1
MALWARE: 25
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET Smart Security 3.0 3.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.atdmt.com/]
00145453 Cookie/Bfast TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@bfast[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@tribalfusion[2].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@mediaplex[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.mediaplex.com/]
00159564 Cookie/WUpd TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@revenue[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Users\JOJO\AppData\Roaming\Microsoft\Windows\Cookies\jojo@com[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@com[1].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.statcounter.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@ad.yieldmanager[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[ad.yieldmanager.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.serving-sys.com/]
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.serving-sys.com/]
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.bs.serving-sys.com/]
00168106 Cookie/Weborama TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.weborama.fr/]
00168106 Cookie/Weborama TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@weborama[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Users\JOJO\AppData\Roaming\Microsoft\Windows\Cookies\jojo@adtech[1].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.adtech.de/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@adtech[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@media.adrevolver[3].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.ads.pointroll.com/]
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@realmedia[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Program Files\FirefoxPortable\Data\profile\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@zedo[1].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@adrevolver[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No D:\Documents and Settings\JOJO\Cookies\jojo@searchportal.information[2].txt
00382737 HackTool/Zapgon.A HackTools No 0 Yes No C:\Program Files\xtreme9\dlls\stdio.dll
01262593 Application/NirCmd.A HackTools No 0 No No C:\Users\JOJO\Desktop\ANTI-VIRUS\Combo-Fix.exe[327882R2FWJFW\nircmd.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\Windows\Nircmd.exe
01262593 Application/NirCmd.A HackTools No 0 No No C:\Users\JOJO\Desktop\ANTI-VIRUS\Combo-Fix.exe[327882R2FWJFW\nircmd.com]
;===================================================================================================================================================================================
SUSPECTS
Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================


Do u think that my PC is clean now? Should I try to install the Eset Smart Security again?
arengajojo
Active Member
 
Posts: 5
Joined: February 1st, 2008, 8:04 am

Re: "filename.exe is not a valid win32 application" win32.bagle?

Post by Katana » February 1st, 2008, 5:43 pm

arengajojo wrote: Do u think that my PC is clean now? Should I try to install the Eset Smart Security again?

It certainly looks clean from that :)
Try the reinstall and let me know how you get on.


Installed Programs
Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: "filename.exe is not a valid win32 application" win32.bagle?

Post by arengajojo » February 1st, 2008, 6:26 pm

nice.. the reinstall went OK ... successfully installed and ran Eset Smart Security, S&D, Lavasoft Adware and Hosts-man... All seems to be ok now...

[programs installed]
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Ad-Aware 2007
Adobe Acrobat 8 Professional - English, Français, Deutsch
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Assistente de Início de Sessão do Windows Live
Azureus Vuze
CCleaner (remove only)
CD Art Display 1.0
CDDRV_Installer
C-Media High Definition Audio Driver
Collectorz.com Movie Collector
Corel Paint Shop Pro Photo X2
Dash Command 0.92.5 Trial
eDrawings 2008
eMulev0.48a.-MorphXTv10.4
ESET Smart Security
FeedDemon
FeedStation
Flickr Uploadr 3.0.5
Genie Backup Manager Pro 8.0
GMail Drive Shell Extension
Google Earth
Handy Safe Desktop 5.04
HijackThis 2.0.0
HostsMan 3.0
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) SE Runtime Environment 6 Update 1
JPTorrent 3
KhalInstallWrapper
K-Lite Codec Pack 3.5.3 Full
Logitech SetPoint
MediaMonkey 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB929729)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access MUI (Portuguese (Portugal)) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Excel MUI (Portuguese (Portugal)) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove MUI (Portuguese (Portugal)) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office InfoPath MUI (Portuguese (Portugal)) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office OneNote MUI (Portuguese (Portugal)) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Outlook MUI (Portuguese (Portugal)) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint MUI (Portuguese (Portugal)) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Portuguese (Portugal)) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Proofing (Portuguese (Portugal)) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Publisher MUI (Portuguese (Portugal)) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared MUI (Portuguese (Portugal)) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word MUI (Portuguese (Portugal)) 2007
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable
mIRC
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
Nero 8
neroxml
Nokia Connectivity Cable Driver
Nokia Device Status
Nokia Device Status
Nokia Device Status
Nokia Download!
Nokia Map Loader
Nokia NSeries Application Installer
Nokia NSeries Application Installer 6.83.9
Nokia NSeries Content Copier
Nokia NSeries Content Copier 6.83.9
Nokia NSeries Music Manager
Nokia NSeries Music Manager 6.83.11
Nokia NSeries One Touch Access
Nokia NSeries One Touch Access 6.83.11
Nokia Nseries PC Suite
Nokia NSeries System Utilities
Nokia NSeries System Utilities 6.83.9
Nokia Nseries Video Manager
Nokia Photos
Nokia Software Updater
NSeries Root Help
Nuclear Coffee - VideoGet 2.0.2.26 Trial
On Screen Display
One-click Ringtone Converter
Opera 9.25
Panda TotalScan
PC Connectivity Solution
PerfectDisk 2008 Professional
PowerDVD
QuickTime Alternative 1.90
Real Alternative 1.60
RocketDock 1.3.5
ShellExView
SopCast 1.1.2
SpeedFan (remove only)
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Steganos Safe Professional 2007
Steganos Safe Professional 2007
Symbian Developer Certificate Request
Texas Instruments PCIxx21/x515/xx12 drivers.
TI Connect 1.6
TI NoteFolio Creator
TrafNet 2.0 Beta 18
TuneUp Utilities 2008
TVAnts 1.0
TVUPlayer 2.3.3.2
Update for Outlook 2007 Junk Email Filter (kb943597)
VCRedistSetup
VideoLAN VLC media player 0.8.6d
VistaGlazz
WinAVI Video Converter
Windows Driver Package - Nokia (WUDFRd) WPD (06/01/2007 6.84.33.0)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Driver Package - Nokia Modem (05/24/2007 6.84.0.1)
Windows Driver Package - Nokia Modem (08/08/2007 3.3)
Windows Live installer
Windows Live Messenger
WinRAR archiver



If everything is ok, and as u will soon close the thread, I must THANK U!!! and say u all provide great work!
arengajojo
Active Member
 
Posts: 5
Joined: February 1st, 2008, 8:04 am

Re: "filename.exe is not a valid win32 application" win32.bagle?

Post by Katana » February 1st, 2008, 6:41 pm

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

Azureus Vuze
eMulev0.48a.-MorphXTv10.4
JPTorrent 3


I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Also available here.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u4
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
    Java(TM) 6 Update 2
    Java(TM) 6 Update 3
    Java(TM) SE Runtime Environment 6 Update 1
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.




Congratulations your logs look clean :D

Let's see if I can help you keep it that way

First let's tidy up :D

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
You can also delete any logs we have produced, and empty your Recycle bin.

The following is some info to help you stay safe and clean.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.nanoscan.com
http://www.pandasoftware.com/activescan ... ncipal.htm
http://www.kaspersky.com/kos/eng/partne ... bscan.html

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    All the programs in this list have a free version.
    It is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • AVG Anti-Spyware 7.5 <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 3.5.1
    • SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • FireFox
      • With many addons available that make customization easy this is a very popular choice
      • NoScript and AdBlockPlus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords

    Both of these can be cleaned manually, but a quicker option is to use a program
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep


Also PLEASE read this article.......So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: "filename.exe is not a valid win32 application" win32.bagle?

Post by arengajojo » February 1st, 2008, 7:02 pm

HI,

I have updated my Java installation, uninstalled Combo-Fix... and about P2P... I will be more careful with the programs that I download.

Again, thank u very much for the help
João
arengajojo
Active Member
 
Posts: 5
Joined: February 1st, 2008, 8:04 am

Re: "filename.exe is not a valid win32 application" win32.bagle?

Post by Gary R » February 4th, 2008, 8:19 am

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Gary R
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire