[Resolved] HijackThis Log - PC with a C:\Restore folder unac
tesshu
post Jul 3 2009, 09:44 PM
Post #1
New Member
Group: Authentic Member
Posts: 8
Joined: 3-July 09
Member No.: 86,533
Operating System: Windows XP SP3

I don't know how to track viruses and stuff, so any help would be welcome. One thing I know: the more information I can give, the better help I can get, so I will try to explain everything I can without missing the subject.
I'm pretty sure GbpSv is the plugin for safe access to my bank account, because I have used it for a long time now, and the real problem started a few weeks ago, when I started to experience weird things with my PC.

It all started when I uninstalled Microsoft Visual Studio 2005, and now my Windows always shows some messages about debugging, which were handled by Visual Studio before without alert messages; now the files are missing and alert messages pop up when they are needed (I uninstalled it with its own Uninstalling Tool). But I think this might not be the right forum for this issue.

The new things that happened were this "cisc.exe", and I guess there are more "svchost.exe" running than a few weeks ago. There was also a process named DrvGuard32.exe that I found today, and I tried removing it from msconfig -> Init Settings and its registry calls.

Besides all that, whenever I start my computer and explorer.exe is about to start running, a window appears with some "Defining personalized features for: C:\Restore\S - a bunch of numbers that I don't have any clue about -".
The same thing happens if I KILL explorer.exe and then start it again: the same window, but with different numbers. I tried accessing this folder, but (even with Occult Files ON) it is inaccessible. I also tried deleting it with KillBox, but no results.
Another problem is some suspicious files in my C:\Windows\Temp\ folder; I can't erase them, even with KillBox.
An image showing it is attached to this message, or can be accessed through this link. (The image is taken right before explorer.exe loads; as I said, a window in the top-left corner appears with that message.)

QUOTE
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Cursors\lsass.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Arquivos de programas\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Arquivos de programas\DNA\btdna.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Arquivos de programas\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39657CA2-C168-4ADF-B88F-76DEDDE18941}: NameServer = 200.189.88.23,200.246.46.132
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6802 bytes
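As an added illustration, not part of this thread or of any tool named in it: a small Python triage pass over HijackThis-style lines, fed with lines copied from the log above. The rules, the trusted-host list and the system-directory list are my own assumptions, not HijackThis logic; the point is that the F2 Shell= entry, which makes Winlogon start a file named lsass.exe from C:\WINDOWS\Cursors alongside Explorer, ranks far above the missing-file BHO entries that are only cleanup.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Windows binaries whose names malware likes to reuse. A file carrying one of
# these names outside the Windows directories is the thing to look at first.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}  # assumption: XP default install

# Hosts a default IE start/search page legitimately points at (assumption).
TRUSTED_HOSTS = {"go.microsoft.com", "home.microsoft.com", "www.microsoft.com"}

# Lines copied from the HijackThis log in the first post (a subset, not the full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Cursors\lsass.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
"""

# A Windows path up to and including its extension; spaces inside the path are allowed.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    section: str    # HijackThis section code: R0, F2, O2, ...
    reason: str
    line: str


def check_line(line: str) -> list:
    """Apply every rule to one log line and return the findings it raises."""
    section, _, body = line.partition(" - ")
    findings = []

    # F2 Shell=: Winlogon starts everything listed here; only Explorer.exe belongs.
    if section == "F2" and "Shell=" in body:
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            findings.append(Finding("high", section,
                                    f"shell line starts extra program(s): {shell}", line))

    # Any section: a system binary name living outside the Windows directories.
    for path in PATH_RE.findall(body):
        directory, _, name = path.lower().rpartition("\\")
        if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
            findings.append(Finding("high", section,
                                    f"{name} outside a system directory: {path}", line))

    # R0/R1: start or search page pointing somewhere other than the vendor default.
    if section in ("R0", "R1") and "=" in body:
        host = urlparse(body.split("=", 1)[1].strip()).hostname
        if host and host.lower() not in TRUSTED_HOSTS:
            findings.append(Finding("medium", section,
                                    f"browser page redirected to {host}", line))

    # Entries whose file is gone: harmless by themselves, but easy cleanup.
    if "(no file)" in body or "(file missing)" in body:
        findings.append(Finding("low", section, "orphaned entry, file missing", line))

    return findings


def triage(log_text: str) -> list:
    """Run check_line over a whole log and return findings, highest severity first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            findings.extend(check_line(line))
    return sorted(findings, key=lambda f: order[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:3} {f.reason}")
```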
Tomk
post Jul 7 2009, 12:32 PM
Post #2
Malware Eradicator
Group: Classroom Teacher
Posts: 10,927
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp

Hi tesshu,


My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


Please be sure to include the complete log. The HijackThis log you provided is only a partial log. It doesn't include the header information.

Also, please do not put the log in a quote box.

Download Rooter.exe to your desktop

  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here


Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish its job
  • Once it's finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean


Then

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).

Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

tesshu
post Jul 9 2009, 05:34 PM
Post #3
New Member
Group: Authentic Member
Posts: 8
Joined: 3-July 09
Member No.: 86,533
Operating System: Windows XP SP3

Hello Tomk.
I would like to thank you for your time before anything else; you at WTT do a really great job helping people here.

Well, while I was waiting for an answer my friend advised me to run ComboFix. I ran it and it successfully fixed the C:\Restore problem, so when explorer.exe runs there are no more messages about "C:\Restore\S- lot of numbers -".

But now that you have answered I'm following your instructions.

Here is the Rooter log:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3
[32_bits] - x86 Family 16 Model 2 Stepping 3, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 7.0.5730.11
.
C:\ [Fixed-NTFS] .. ( Total:249 Go - Free:59 Go )
D:\ [Fixed-NTFS] .. ( Total:199 Go - Free:161 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
.
Scan : 18:42.24
Path : C:\Documents and Settings\Administrador\Desktop\Rooter.exe
User : Administrador ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (736)
______ \??\C:\WINDOWS\system32\csrss.exe (784)
______ \??\C:\WINDOWS\system32\winlogon.exe (808)
______ C:\WINDOWS\system32\services.exe (852)
______ C:\WINDOWS\system32\lsass.exe (864)
______ C:\ARQUIV~1\GbPlugin\GbpSv.exe (1068)
______ C:\WINDOWS\system32\svchost.exe (1100)
______ C:\WINDOWS\system32\svchost.exe (1148)
______ C:\WINDOWS\System32\svchost.exe (1236)
______ C:\WINDOWS\system32\svchost.exe (1280)
______ C:\WINDOWS\system32\svchost.exe (1480)
______ C:\WINDOWS\system32\svchost.exe (1564)
Locked vsmon.exe (1616)
______ C:\WINDOWS\Explorer.EXE (1772)
______ C:\WINDOWS\system32\spoolsv.exe (288)
______ C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe (324)
______ C:\WINDOWS\system32\svchost.exe (464)
______ C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe (488)
______ C:\Arquivos de programas\Java\jre6\bin\jqs.exe (732)
______ C:\WINDOWS\system32\nvsvc32.exe (788)
______ C:\WINDOWS\system32\svchost.exe (1216)
Locked zlclient.exe (2260)
______ C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe (2288)
______ C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe (2368)
______ C:\Arquivos de programas\Java\jre6\bin\jusched.exe (2388)
______ C:\WINDOWS\system32\ctfmon.exe (2464)
______ C:\Arquivos de programas\DNA\btdna.exe (2476)
______ C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe (2508)
______ C:\WINDOWS\System32\alg.exe (2520)
______ C:\WINDOWS\System32\svchost.exe (3392)
______ C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe (3772)
______ C:\Arquivos de programas\Mozilla Firefox\firefox.exe (308)
______ C:\WINDOWS\system32\wscntfy.exe (4024)
______ C:\Documents and Settings\Administrador\Desktop\Rooter.exe (1088)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:268431980544)
\Device\Harddisk0\Partition0 (Start_Offset:268432012800 | Length:231665011200)
\Device\Harddisk0\Partition2 (Start_Offset:268432045056 | Length:214745577984)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 18:43.07
.
C:\Rooter$\Rooter_1.txt - (09/07/2009 | 18:43.07)

And now the Malwarebytes' Log:

Malwarebytes' Anti-Malware 1.38
Database version: 2401
Windows 5.1.2600 Service Pack 3

7/9/2009 7:26:35 PM
mbam-log-2009-07-09 (19-26-35).txt

Scan type: Quick Scan
Objects scanned: 89633
Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

tesshu
post Jul 9 2009, 05:43 PM
Post #4
New Member
Group: Authentic Member
Posts: 8
Joined: 3-July 09
Member No.: 86,533
Operating System: Windows XP SP3

My internet connection seems a little too slow; I click on a page and it only starts loading after some time. Also, it is taking several seconds to completely load the page, and it was almost instant before. This wasn't happening a few weeks ago.
Another thing is that when I start my computer, it hangs for a little while. Like, I open Firefox, and the window hangs for about half a sec, then returns to executing, hangs again for about half a sec, and after some time it becomes normal.


Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:35:51 PM, on 7/9/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\DNA\btdna.exe
C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\HijackThis\HijackThis.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avwsc.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Arquivos de programas\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Arquivos de programas\DNA\btdna.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Arquivos de programas\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39657CA2-C168-4ADF-B88F-76DEDDE18941}: NameServer = 200.189.88.23,200.246.46.132
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6666 bytes
Tomk
post Jul 9 2009, 06:07 PM
Post #5
Malware Eradicator
Group: Classroom Teacher
Posts: 10,927
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp

tesshu,

Please:
  • Right click on START on the left end of your Windows toolbar (lower left corner of your screen)
  • Click on Explore
  • Click on Local Disk (C:) in the left-hand window pane
  • Look for ComboFix.txt in the right-hand window pane and right click on it
  • Put your cursor (arrow) on Open With
  • Move your cursor to the new menu that opens and click on Choose Program...
  • Click on Notepad


When file opens, Copy/Paste text here
tesshu
post Jul 9 2009, 06:44 PM
Post #6
New Member
Group: Authentic Member
Posts: 8
Joined: 3-July 09
Member No.: 86,533
Operating System: Windows XP SP3

I translated the file so you can read it without any problem; this may be a little different from the original English file lines. The original file, in Portuguese, is also attached to this reply.

I also decided to attach the file Combofix-quarantined-files, which is an auto-generated summary of the quarantined files after the scan, because it may be useful to quickly see what it found and 'corrected'.

ComboFix log TRANSLATED:

ComboFix 09-07-06.02 - Administrador 07/07/2009 21:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1918.1427 [GMT -4:00]
Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - drivers: deleted 204 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Other Exclusions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrador\Dados de aplicativos\inst.exe
c:\documents and settings\Administrador\DrvGuard32.exe
c:\documents and settings\Administrador\NewAge.txt
C:\restore
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe

.
(((((((((((((((( Files created from 2009-06-08 to 2009-07-08 ))))))))))))))))))))))))))))
.

2009-07-03 23:03 . 2009-07-03 23:03 -------- d-----w- C:\Nova pasta
2009-07-03 22:57 . 2009-07-03 23:47 -------- d-----w- C:\!KillBox
2009-07-03 03:42 . 2009-07-03 03:44 81963 ----a-w- c:\windows\kush.exe
2009-06-28 21:21 . 2009-06-28 21:21 -------- d-----w- c:\arquivos de programas\CSL Arm Toolchain
2009-06-28 21:02 . 2009-06-28 21:02 -------- d-----w- c:\documents and settings\Administrador\.Nokia
2009-06-28 20:58 . 2009-06-28 20:58 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\InstallShield
2009-06-28 16:17 . 2009-06-28 16:39 152576 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-28 07:49 . 2009-06-28 21:08 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Symbian
2009-06-28 07:44 . 2009-06-28 07:44 -------- d-----w- C:\S60
2009-06-28 07:30 . 2009-06-28 20:52 -------- d-----w- C:\Perl
2009-06-27 18:04 . 2009-06-28 20:56 -------- d-----w- c:\arquivos de programas\Aptana
2009-06-23 13:02 . 2009-04-29 12:59 26800 ----a-w- c:\windows\system32\drivers\gbpkm.sys
2009-06-23 13:02 . 2009-06-24 02:27 -------- d-----w- c:\arquivos de programas\GbPlugin
2009-06-22 22:08 . 2009-06-22 22:08 -------- d-----w- c:\documents and settings\Administrador\.idlerc
2009-06-21 15:08 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-21 15:08 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-21 15:08 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-21 15:08 . 2009-06-21 15:08 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira
2009-06-21 15:08 . 2009-06-21 15:08 -------- d-----w- c:\arquivos de programas\Avira
2009-06-19 22:13 . 2009-06-19 22:13 -------- d-----w- c:\arquivos de programas\Arquivos comuns\PCSuite
2009-06-19 22:12 . 2009-06-19 22:12 -------- d-----w- c:\arquivos de programas\PC Connectivity Solution
2009-06-19 22:12 . 2009-02-09 12:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-06-19 22:12 . 2009-02-09 12:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-06-19 22:12 . 2009-02-09 12:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-06-19 22:12 . 2009-02-09 12:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-06-19 22:12 . 2009-02-09 12:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-06-19 22:12 . 2009-02-09 12:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-06-19 22:12 . 2009-06-19 22:00 33781176 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_por_br.exe
2009-06-19 21:23 . 2009-06-19 21:23 95232 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2009-06-19 21:23 . 2009-06-19 21:23 8192 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2009-06-19 21:23 . 2009-06-19 21:23 61440 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-06-19 21:23 . 2009-06-19 21:23 10240 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2009-06-17 02:59 . 2009-06-20 03:09 -------- d-----w- c:\arquivos de programas\PdfToDjvuGUI
2009-06-12 01:41 . 2009-06-12 16:16 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-12 00:33 . 2009-06-12 01:25 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\eBook Organizer
2009-06-12 00:33 . 2009-06-12 00:34 -------- d-----w- c:\arquivos de programas\eBook Organizer
2009-06-11 18:14 . 2009-06-11 18:14 -------- d-----w- c:\windows\Downloaded Installations
2009-06-10 01:28 . 2009-06-10 01:28 -------- d-----w- C:\Python26

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 01:18 . 2008-11-16 19:15 25767968 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-08 01:16 . 2008-11-22 01:32 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\DNA
2009-07-07 23:26 . 2008-11-16 19:28 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Babylon
2009-07-07 22:26 . 2008-11-22 01:32 -------- d-----w- c:\arquivos de programas\DNA
2009-07-07 13:18 . 2008-11-16 19:15 303836 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-07 01:59 . 2008-11-18 00:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-07-06 20:21 . 2009-07-06 20:31 1971712 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-07-06 13:04 . 2008-11-22 01:32 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\BitTorrent
2009-07-06 02:10 . 2009-04-29 03:09 -------- d-----w- c:\arquivos de programas\Diablo II
2009-07-03 13:08 . 2009-07-03 13:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 13:08 . 2009-07-03 13:08 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-06-29 00:52 . 2008-10-19 13:54 473796 ----a-w- c:\windows\system32\perfh016.dat
2009-06-29 00:52 . 2008-10-19 13:54 79490 ----a-w- c:\windows\system32\perfc016.dat
2009-06-28 20:58 . 2008-11-16 19:00 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-06-28 20:58 . 2009-03-28 03:39 -------- d-----w- c:\arquivos de programas\eclipse
2009-06-28 17:02 . 2009-03-23 02:36 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 16:19 . 2009-03-23 02:36 -------- d-----w- c:\arquivos de programas\Java
2009-06-27 16:54 . 2009-06-27 16:55 706048 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-06-27 16:12 . 2009-03-26 22:44 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-06-23 02:15 . 2009-02-03 16:08 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\pdf995
2009-06-23 02:15 . 2009-02-03 16:08 60 ----a-w- c:\windows\wpd99.drv
2009-06-22 01:40 . 2009-02-21 23:03 7853151 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-06-19 22:24 . 2009-04-26 05:05 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Nokia
2009-06-19 22:13 . 2009-04-26 03:22 -------- d-----w- c:\arquivos de programas\Nokia
2009-06-19 22:13 . 2009-04-26 03:22 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nokia
2009-06-19 19:42 . 2009-04-26 03:19 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Installations
2009-06-13 04:02 . 2009-06-02 02:36 249856 ------w- c:\windows\Setup1.exe
2009-06-13 04:02 . 2009-06-02 02:36 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-06-12 01:55 . 2009-03-25 09:49 1042 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-12 01:40 . 2009-06-05 15:52 -------- d-----w- c:\arquivos de programas\RoboWorks Demo 3.0
2009-06-12 01:32 . 2008-11-21 01:43 -------- d-----w- c:\arquivos de programas\Microsoft SQL Server
2009-06-09 04:18 . 2009-02-09 19:01 -------- d-----w- c:\arquivos de programas\Burn4Free
2009-06-02 02:36 . 2009-06-02 02:36 -------- d-----w- c:\arquivos de programas\Hero Editor
2009-06-01 00:09 . 2009-04-24 03:29 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Vso
2009-05-29 08:43 . 2009-05-29 08:44 1881600 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-05-29 08:43 . 2009-05-29 08:44 2982400 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-05-28 16:30 . 2009-05-28 16:30 -------- d-----w- c:\arquivos de programas\WinDjView
2009-05-25 10:28 . 2008-11-20 01:01 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\mIRC
2009-05-24 14:42 . 2008-11-18 18:37 -------- d-----w- c:\arquivos de programas\mIRC
2009-05-14 23:20 . 2008-11-20 14:22 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\uTorrent
2009-05-13 01:22 . 2009-02-18 01:53 -------- d-----w- c:\arquivos de programas\Teamspeak2_RC2(server)
2009-05-11 16:47 . 2009-05-11 16:47 1302600 ----a-w- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-07 15:33 . 2008-10-19 13:50 347136 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 14:35 . 2008-11-17 12:19 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-01 06:10 . 2009-04-29 03:21 40905 ----a-w- c:\windows\DIIUnin.dat
2009-05-01 05:41 . 2008-11-17 06:36 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-05-01 05:41 . 2008-11-17 06:36 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-05-01 05:41 . 2008-11-17 06:36 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-04-29 04:45 . 2008-10-19 13:58 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:45 . 2008-10-19 13:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-29 03:21 . 2009-04-29 03:21 94208 ----a-w- c:\windows\DIIUnin.exe
2009-04-29 03:21 . 2009-04-29 03:21 2829 ----a-w- c:\windows\DIIUnin.pif
2009-04-28 21:24 . 2009-04-20 22:01 0 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\GRETECH\GomPlayer\GrLauncherTempSetup.exe
2009-04-26 18:38 . 2009-04-26 18:38 8192 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-26 18:38 . 2009-04-26 18:38 61440 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-26 18:38 . 2009-04-26 18:38 10240 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-26 18:37 . 2009-04-26 18:38 34511040 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_por_br.exe
2009-04-26 05:00 . 2009-04-26 05:00 8192 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-26 05:00 . 2009-04-26 05:00 61440 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-26 05:00 . 2009-04-26 05:00 10240 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-26 04:59 . 2009-04-26 05:00 33806080 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Nokia_PC_Suite_7_1_18_0_wu_por_br.exe
2009-04-26 03:19 . 2009-04-26 03:19 36864 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{3741689E-584D-40C9-B011-373A0371846D}\Installer\CommonCustomActions\Sleep.exe
2009-04-26 03:19 . 2009-04-26 03:19 3181612 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{3741689E-584D-40C9-B011-373A0371846D}\Installer\CommonCustomActions\vcredistExec.exe
2009-04-24 18:30 . 2009-04-24 03:29 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-04-24 18:30 . 2009-04-24 03:29 47360 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\pcouffin.sys
2009-04-24 18:30 . 2009-04-24 03:29 47360 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\pcouffin.sys
2009-04-19 19:50 . 2008-10-19 13:58 1847296 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:53 . 2008-10-19 13:55 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 02:42 . 2009-04-15 02:42 2134016 ----a-w- c:\windows\system32\python26.dll
.

------- Sigcheck -------

[-] 2008-10-19 13:56 1571840 1D01C384F3BA123EB6F09769DEA005AC c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((( Register Loading* Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty and legitimate entries won't be listed.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-10-19 15360]
"BitTorrent DNA"="c:\arquivos de programas\DNA\btdna.exe" [2008-12-16 342848]
"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Babylon Client"="c:\arquivos de programas\Babylon\Babylon-Pro\Babylon.exe" [2008-09-24 3165920]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-06-28 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-10-19 15360]
"DWQueuedReporting"="c:\arquiv~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2009-04-29 12:55 294192 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"MySQL"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Valve\\hl.exe"=
"c:\\Arquivos de programas\\Warcraft III\\lancraft.exe"=
"c:\\Arquivos de programas\\mIRC\\mirc.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Arquivos de programas\\DNA\\btdna.exe"=
"c:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=
"c:\\Arquivos de programas\\Warcraft III\\Frozen Throne.exe"=
"c:\\Arquivos de programas\\Warcraft III\\Warcraft III.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24200:TCP"= 24200:TCP:BitTorrent - TCP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [6/23/2009 9:02 AM 26800]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [6/21/2009 11:08 AM 108289]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [6/23/2009 9:02 AM 53552]
S3 XDva205;XDva205;\??\c:\windows\system32\XDva205.sys --> c:\windows\system32\XDva205.sys [?]
.
Content of folder 'Scheduled Tasks'
.
- - - - ORPHANS REMOVED - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\arquivos de programas\AskBarDis\bar\bin\askBar.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\arquivos de programas\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
TCP: {39657CA2-C168-4ADF-B88F-76DEDDE18941} = 200.189.88.23,200.246.46.132
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab
FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\urh6a92f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
FF - component: c:\arquivos de programas\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\urh6a92f.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 21:18
Windows 5.1.2600 Service Pack 3 NTFS

Looking for hidden process ...

Looking for hidden auto-initializable entries ...

Looking for hidden files ...

Full Scan with success
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\arquivos de programas\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\arquivos de programas\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- BLOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1060284298-1801674531-500\Software\SecuROM\License information*]
"datasecu"=hex:07,2b,f0,4d,88,8d,cf,23,f6,00,06,98,27,18,e6,85,f6,21,e7,64,e2,
10,e0,13,01,fb,fa,97,c0,81,d6,4a,9f,ed,75,96,82,c1,b7,5a,9c,55,bd,0b,c8,2b,\
"rkeysecu"=hex:f8,c1,ad,c2,e8,70,5b,c6,f2,51,fe,50,3c,ff,91,ff
.
--------------------- Loaded DLLs Under the Executing* Process --------------------- *Better Translation would be: Active Process

- - - - - - - > 'winlogon.exe'(812)
c:\arquivos de programas\GbPlugin\gbieh.dll
.
Conclusion Time: 2009-07-08 21:19
ComboFix-quarantined-files.txt 2009-07-08 01:19

Pré-execução: 12 pasta(s) 63,233,703,936 bytes disponíveis
Pós execução: 12 pasta(s) 64,036,945,920 bytes disponíveis

245 --- E O F --- 2009-07-04 17:57




ComboFix Original Log in Portuguese:

ComboFix 09-07-06.02 - Administrador 07/07/2009 21:15.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1918.1427 [GMT -4:00]
Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
ADS - drivers: deleted 204 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrador\Dados de aplicativos\inst.exe
c:\documents and settings\Administrador\DrvGuard32.exe
c:\documents and settings\Administrador\NewAge.txt
C:\restore
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini
c:\restore\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-06-08 to 2009-07-08 ))))))))))))))))))))))))))))
.

2009-07-03 23:03 . 2009-07-03 23:03 -------- d-----w- C:\Nova pasta
2009-07-03 22:57 . 2009-07-03 23:47 -------- d-----w- C:\!KillBox
2009-07-03 03:42 . 2009-07-03 03:44 81963 ----a-w- c:\windows\kush.exe
2009-06-28 21:21 . 2009-06-28 21:21 -------- d-----w- c:\arquivos de programas\CSL Arm Toolchain
2009-06-28 21:02 . 2009-06-28 21:02 -------- d-----w- c:\documents and settings\Administrador\.Nokia
2009-06-28 20:58 . 2009-06-28 20:58 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\InstallShield
2009-06-28 16:17 . 2009-06-28 16:39 152576 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\Sun\Java\jre1.6.0_14\lzma.dll
2009-06-28 07:49 . 2009-06-28 21:08 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Symbian
2009-06-28 07:44 . 2009-06-28 07:44 -------- d-----w- C:\S60
2009-06-28 07:30 . 2009-06-28 20:52 -------- d-----w- C:\Perl
2009-06-27 18:04 . 2009-06-28 20:56 -------- d-----w- c:\arquivos de programas\Aptana
2009-06-23 13:02 . 2009-04-29 12:59 26800 ----a-w- c:\windows\system32\drivers\gbpkm.sys
2009-06-23 13:02 . 2009-06-24 02:27 -------- d-----w- c:\arquivos de programas\GbPlugin
2009-06-22 22:08 . 2009-06-22 22:08 -------- d-----w- c:\documents and settings\Administrador\.idlerc
2009-06-21 15:08 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-21 15:08 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-06-21 15:08 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-06-21 15:08 . 2009-06-21 15:08 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira
2009-06-21 15:08 . 2009-06-21 15:08 -------- d-----w- c:\arquivos de programas\Avira
2009-06-19 22:13 . 2009-06-19 22:13 -------- d-----w- c:\arquivos de programas\Arquivos comuns\PCSuite
2009-06-19 22:12 . 2009-06-19 22:12 -------- d-----w- c:\arquivos de programas\PC Connectivity Solution
2009-06-19 22:12 . 2009-02-09 12:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerfltj.sys
2009-06-19 22:12 . 2009-02-09 12:37 7808 ----a-w- c:\windows\system32\drivers\usbser_lowerflt.sys
2009-06-19 22:12 . 2009-02-09 12:37 22016 ----a-w- c:\windows\system32\drivers\ccdcmbo.sys
2009-06-19 22:12 . 2009-02-09 12:37 659968 ----a-w- c:\windows\system32\nmwcdcocls.dll
2009-06-19 22:12 . 2009-02-09 12:37 17664 ----a-w- c:\windows\system32\drivers\ccdcmb.sys
2009-06-19 22:12 . 2009-02-09 12:32 1112288 ----a-w- c:\windows\system32\wdfcoinstaller01007.dll
2009-06-19 22:12 . 2009-06-19 22:00 33781176 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Nokia_PC_Suite_7_1_30_8_por_br.exe
2009-06-19 21:23 . 2009-06-19 21:23 95232 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\pcswpcsi.exe
2009-06-19 21:23 . 2009-06-19 21:23 8192 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstCCD.exe
2009-06-19 21:23 . 2009-06-19 21:23 61440 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-06-19 21:23 . 2009-06-19 21:23 10240 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{55495E65-7C5B-48E4-BC7D-DE54F3DE5ED6}\Installer\CommonCustomActions\UninstPCS.exe
2009-06-17 02:59 . 2009-06-20 03:09 -------- d-----w- c:\arquivos de programas\PdfToDjvuGUI
2009-06-12 01:41 . 2009-06-12 16:16 -------- d-----w- c:\windows\SxsCaPendDel
2009-06-12 00:33 . 2009-06-12 01:25 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\eBook Organizer
2009-06-12 00:33 . 2009-06-12 00:34 -------- d-----w- c:\arquivos de programas\eBook Organizer
2009-06-11 18:14 . 2009-06-11 18:14 -------- d-----w- c:\windows\Downloaded Installations
2009-06-10 01:28 . 2009-06-10 01:28 -------- d-----w- C:\Python26

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-08 01:18 . 2008-11-16 19:15 25767968 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-07-08 01:16 . 2008-11-22 01:32 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\DNA
2009-07-07 23:26 . 2008-11-16 19:28 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Babylon
2009-07-07 22:26 . 2008-11-22 01:32 -------- d-----w- c:\arquivos de programas\DNA
2009-07-07 13:18 . 2008-11-16 19:15 303836 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-07-07 01:59 . 2008-11-18 00:24 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-07-06 20:21 . 2009-07-06 20:31 1971712 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2009-07-06 13:04 . 2008-11-22 01:32 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\BitTorrent
2009-07-06 02:10 . 2009-04-29 03:09 -------- d-----w- c:\arquivos de programas\Diablo II
2009-07-03 13:08 . 2009-07-03 13:08 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-07-03 13:08 . 2009-07-03 13:08 0 ---ha-w- c:\windows\system32\drivers\MsftWdf_user_01_07_00.Wdf
2009-06-29 00:52 . 2008-10-19 13:54 473796 ----a-w- c:\windows\system32\perfh016.dat
2009-06-29 00:52 . 2008-10-19 13:54 79490 ----a-w- c:\windows\system32\perfc016.dat
2009-06-28 20:58 . 2008-11-16 19:00 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-06-28 20:58 . 2009-03-28 03:39 -------- d-----w- c:\arquivos de programas\eclipse
2009-06-28 17:02 . 2009-03-23 02:36 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-28 16:19 . 2009-03-23 02:36 -------- d-----w- c:\arquivos de programas\Java
2009-06-27 16:54 . 2009-06-27 16:55 706048 ----a-w- c:\windows\Internet Logs\xDB7.tmp
2009-06-27 16:12 . 2009-03-26 22:44 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-06-23 02:15 . 2009-02-03 16:08 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\pdf995
2009-06-23 02:15 . 2009-02-03 16:08 60 ----a-w- c:\windows\wpd99.drv
2009-06-22 01:40 . 2009-02-21 23:03 7853151 ----a-w- c:\windows\Internet Logs\tvDebug.zip
2009-06-19 22:24 . 2009-04-26 05:05 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Nokia
2009-06-19 22:13 . 2009-04-26 03:22 -------- d-----w- c:\arquivos de programas\Nokia
2009-06-19 22:13 . 2009-04-26 03:22 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Nokia
2009-06-19 19:42 . 2009-04-26 03:19 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Installations
2009-06-13 04:02 . 2009-06-02 02:36 249856 ------w- c:\windows\Setup1.exe
2009-06-13 04:02 . 2009-06-02 02:36 73216 ----a-w- c:\windows\ST6UNST.EXE
2009-06-12 01:55 . 2009-03-25 09:49 1042 ----a-w- c:\windows\system32\ealregsnapshot1.reg
2009-06-12 01:40 . 2009-06-05 15:52 -------- d-----w- c:\arquivos de programas\RoboWorks Demo 3.0
2009-06-12 01:32 . 2008-11-21 01:43 -------- d-----w- c:\arquivos de programas\Microsoft SQL Server
2009-06-09 04:18 . 2009-02-09 19:01 -------- d-----w- c:\arquivos de programas\Burn4Free
2009-06-02 02:36 . 2009-06-02 02:36 -------- d-----w- c:\arquivos de programas\Hero Editor
2009-06-01 00:09 . 2009-04-24 03:29 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Vso
2009-05-29 08:43 . 2009-05-29 08:44 1881600 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2009-05-29 08:43 . 2009-05-29 08:44 2982400 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2009-05-28 16:30 . 2009-05-28 16:30 -------- d-----w- c:\arquivos de programas\WinDjView
2009-05-25 10:28 . 2008-11-20 01:01 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\mIRC
2009-05-24 14:42 . 2008-11-18 18:37 -------- d-----w- c:\arquivos de programas\mIRC
2009-05-14 23:20 . 2008-11-20 14:22 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\uTorrent
2009-05-13 01:22 . 2009-02-18 01:53 -------- d-----w- c:\arquivos de programas\Teamspeak2_RC2(server)
2009-05-11 16:47 . 2009-05-11 16:47 1302600 ----a-w- c:\windows\system32\WUDFUpdate_01007.dll
2009-05-07 15:33 . 2008-10-19 13:50 347136 ----a-w- c:\windows\system32\localspl.dll
2009-05-01 14:35 . 2008-11-17 12:19 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-01 06:10 . 2009-04-29 03:21 40905 ----a-w- c:\windows\DIIUnin.dat
2009-05-01 05:41 . 2008-11-17 06:36 21840 ----atw- c:\windows\system32\SIntfNT.dll
2009-05-01 05:41 . 2008-11-17 06:36 17212 ----atw- c:\windows\system32\SIntf32.dll
2009-05-01 05:41 . 2008-11-17 06:36 12067 ----atw- c:\windows\system32\SIntf16.dll
2009-04-29 04:45 . 2008-10-19 13:58 827392 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:45 . 2008-10-19 13:49 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-04-29 03:21 . 2009-04-29 03:21 94208 ----a-w- c:\windows\DIIUnin.exe
2009-04-29 03:21 . 2009-04-29 03:21 2829 ----a-w- c:\windows\DIIUnin.pif
2009-04-28 21:24 . 2009-04-20 22:01 0 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\GRETECH\GomPlayer\GrLauncherTempSetup.exe
2009-04-26 18:38 . 2009-04-26 18:38 8192 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-26 18:38 . 2009-04-26 18:38 61440 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-26 18:38 . 2009-04-26 18:38 10240 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-26 18:37 . 2009-04-26 18:38 34511040 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{7694EC32-CB0E-4B35-9088-7B320CB1F4FE}\Nokia_PC_Suite_7_1_26_0_por_br.exe
2009-04-26 05:00 . 2009-04-26 05:00 8192 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstCCD.exe
2009-04-26 05:00 . 2009-04-26 05:00 61440 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstPCSFEMsi.exe
2009-04-26 05:00 . 2009-04-26 05:00 10240 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Installer\CommonCustomActions\UninstPCS.exe
2009-04-26 04:59 . 2009-04-26 05:00 33806080 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{58FB2F9A-5F2D-40E8-82DF-4987E60AD8BD}\Nokia_PC_Suite_7_1_18_0_wu_por_br.exe
2009-04-26 03:19 . 2009-04-26 03:19 36864 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{3741689E-584D-40C9-B011-373A0371846D}\Installer\CommonCustomActions\Sleep.exe
2009-04-26 03:19 . 2009-04-26 03:19 3181612 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Installations\{3741689E-584D-40C9-B011-373A0371846D}\Installer\CommonCustomActions\vcredistExec.exe
2009-04-24 18:30 . 2009-04-24 03:29 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-04-24 18:30 . 2009-04-24 03:29 47360 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\pcouffin.sys
2009-04-24 18:30 . 2009-04-24 03:29 47360 ----a-w- c:\documents and settings\Administrador\Dados de aplicativos\pcouffin.sys
2009-04-19 19:50 . 2008-10-19 13:58 1847296 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:53 . 2008-10-19 13:55 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-15 02:42 . 2009-04-15 02:42 2134016 ----a-w- c:\windows\system32\python26.dll
.

------- Sigcheck -------

[-] 2008-10-19 13:56 1571840 1D01C384F3BA123EB6F09769DEA005AC c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-10-19 15360]
"BitTorrent DNA"="c:\arquivos de programas\DNA\btdna.exe" [2008-12-16 342848]
"MsnMsgr"="c:\arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="c:\arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2008-07-09 919016]
"Babylon Client"="c:\arquivos de programas\Babylon\Babylon-Pro\Babylon.exe" [2008-09-24 3165920]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-06-28 148888]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-10-07 13574144]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-10-19 15360]
"DWQueuedReporting"="c:\arquiv~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" [2007-08-24 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2009-04-29 12:55 294192 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ServiceLayer"=3 (0x3)
"MySQL"=3 (0x3)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Valve\\hl.exe"=
"c:\\Arquivos de programas\\Warcraft III\\lancraft.exe"=
"c:\\Arquivos de programas\\mIRC\\mirc.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Arquivos de programas\\DNA\\btdna.exe"=
"c:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=
"c:\\Arquivos de programas\\Warcraft III\\Frozen Throne.exe"=
"c:\\Arquivos de programas\\Warcraft III\\Warcraft III.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"24200:TCP"= 24200:TCP:BitTorrent - TCP

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [6/23/2009 9:02 AM 26800]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [6/21/2009 11:08 AM 108289]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [6/23/2009 9:02 AM 53552]
S3 XDva205;XDva205;\??\c:\windows\system32\XDva205.sys --> c:\windows\system32\XDva205.sys [?]
.
Conteúdo da pasta 'Tarefas Agendadas'
.
- - - - ORFÃOS REMOVIDOS - - - -

BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - c:\arquivos de programas\AskBarDis\bar\bin\askBar.dll


.
------- Scan Suplementar -------
.
uStart Page = hxxp://search.babylon.com/home
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Translate with &Babylon - c:\arquivos de programas\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
TCP: {39657CA2-C168-4ADF-B88F-76DEDDE18941} = 200.189.88.23,200.246.46.132
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab
FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\urh6a92f.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101761&gct=&gc=1&q=
FF - component: c:\arquivos de programas\Nokia\Nokia PC Suite 7\bkmrksync\components\BkMrkExt.dll
FF - component: c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\urh6a92f.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\components\GbMzhBb.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npbittorrent.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 21:18
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\arquivos de programas\MySQL\MySQL Server 5.1\bin\mysqld\" --defaults-file=\"c:\arquivos de programas\MySQL\MySQL Server 5.1\my.ini\" MySQL"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-1078081533-1060284298-1801674531-500\Software\SecuROM\License information*]
"datasecu"=hex:07,2b,f0,4d,88,8d,cf,23,f6,00,06,98,27,18,e6,85,f6,21,e7,64,e2,
10,e0,13,01,fb,fa,97,c0,81,d6,4a,9f,ed,75,96,82,c1,b7,5a,9c,55,bd,0b,c8,2b,\
"rkeysecu"=hex:f8,c1,ad,c2,e8,70,5b,c6,f2,51,fe,50,3c,ff,91,ff
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(812)
c:\arquivos de programas\GbPlugin\gbieh.dll
.
Tempo para conclusão: 2009-07-08 21:19
ComboFix-quarantined-files.txt 2009-07-08 01:19

Pré-execução: 12 pasta(s) 63,233,703,936 bytes disponíveis
Pós execução: 12 pasta(s) 64,036,945,920 bytes disponíveis

245 --- E O F --- 2009-07-04 17:57

Attached File(s): ComboFix.txt, ComboFix2Translated.txt, ComboFix_quarantined_files.txt
Tomk
post Jul 9 2009, 07:04 PM
Post #7


Malware Eradicator

Group: Classroom Teacher
Posts: 10,927
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp



tesshu,


Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.
tesshu
post Jul 11 2009, 11:18 AM
Post #8

Sorry for the delay, but I was having some problems during the scan.
It was running for about 8 hours and was still at 18%, so I noticed that some big .rar files were taking about 1 hour to be scanned. I extracted the files and the folder was scanned much faster than the original .rar file.
The second time, the power went out in the middle of the scan.

But here it is, the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, July 11, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, July 11, 2009 14:01:18
Records in database: 2459993
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 138951
Threat name: 3
Infected objects: 6
Suspicious objects: 0
Duration of the scan: 03:40:28


File name / Threat name / Threats count
C:\!KillBox\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe Infected: Trojan.Win32.VB.sas 1
C:\Arquivos de programas\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Documents and Settings\Administrador\Bruno Mendes\Configurações locais\Temp\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\Documents and Settings\Administrador\Meus documentos\Downloads\Collection of Computer, Technology and Engineering eBooks\Books5.rar Infected: HackTool.Win32.Agent.gi 1
C:\Qoobox\Quarantine\C\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe.vir Infected: Trojan.Win32.VB.sas 1
D:\Programas\Mirc 6.35\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1

The selected area was scanned.
Attached File(s): kaspersky.txt
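One way to triage a Kaspersky Online Scanner report like the one above before deciding what to move, added here as an example and not code from this thread or from Kaspersky: it parses the "File name / Threat name / Threats count" lines and sorts each hit into a live detection, a copy already sitting in a removal tool's quarantine store (C:\Qoobox\Quarantine and C:\!KillBox, the folders ComboFix and Killbox use; treating those two folders as inert is this example's own assumption), or "not-a-virus:" riskware. The sample report is constructed from the six detection lines posted above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the six detection lines from the Kaspersky Online
# Scanner 7.0 report posted in this thread, embedded so the example runs offline.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\!KillBox\\RESTORE\\S-1-5-21-1482476501-1644491937-682003330-1013\\Taquito.exe Infected: Trojan.Win32.VB.sas 1
C:\\Arquivos de programas\\mIRC\\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\\Documents and Settings\\Administrador\\Bruno Mendes\\Configurações locais\\Temp\\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
C:\\Documents and Settings\\Administrador\\Meus documentos\\Downloads\\Collection of Computer, Technology and Engineering eBooks\\Books5.rar Infected: HackTool.Win32.Agent.gi 1
C:\\Qoobox\\Quarantine\\C\\RESTORE\\S-1-5-21-1482476501-1644491937-682003330-1013\\Taquito.exe.vir Infected: Trojan.Win32.VB.sas 1
D:\\Programas\\Mirc 6.35\\mirc635.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.g 1
"""

# One detection line: "<path> Infected: <threat name> <count>".  The path may
# contain spaces, so it is matched lazily up to the literal " Infected: ".
DETECTION_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")

# Assumption of this example: hits under these folders are copies that a
# removal tool (ComboFix, Killbox) has already taken out of service.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\!killbox\\")


def parse_report(text):
    """Return one dict per detection line; header and blank lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            hits.append({"path": m["path"], "threat": m["threat"], "count": int(m["count"])})
    return hits


def classify(hit):
    """'quarantined' beats 'riskware' beats 'active': an inert copy needs no new action."""
    lower = hit["path"].lower()
    if any(marker in lower for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if hit["threat"].startswith("not-a-virus:"):
        return "riskware"
    return "active"


def triage_report(text):
    """Group detected paths by classification so the live ones stand out."""
    groups = defaultdict(list)
    for hit in parse_report(text):
        groups[classify(hit)].append(hit["path"])
    return dict(groups)


def threat_counts(text):
    """How many detections each threat name accounts for."""
    return Counter(h["threat"] for h in parse_report(text))


if __name__ == "__main__":
    for bucket, paths in triage_report(SAMPLE_REPORT).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

Run against the posted report, the only bucket that still needs a decision is "active" (the Books5.rar archive); the two Taquito.exe hits are quarantine copies and the three mIRC hits are the riskware class Kaspersky labels "not-a-virus", which matches what the OTM script in the next reply actually moves.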
Tomk
post Jul 12 2009, 08:27 PM
Post #9

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it.
    (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines inside the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes
    explorer.exe

    :Files
    C:\!KillBox\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe
    C:\Documents and Settings\Administrador\Meus documentos\Downloads\Collection of Computer, Technology and Engineering eBooks\Books5.rar

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Please let me have a new HijackThis log and tell me how things are operating now.
tesshu
post Jul 13 2009, 12:11 AM
Post #10

Hello again.
Well, my internet connection is still bad. I used to play Warcraft and other stuff with my friends (from the same city), but now it is impossible; my ping is always over 500 ms. The thing is that we all use the same ISP, so I don't think the problem is the ISP. Besides, their ping is about 100 ms playing with each other; just mine is over 500 and even 1000 sometimes. In the past, I was the one who hosted the games, and now I can't even play in others' games.
The system itself is faster, still hanging for a few milliseconds sometimes, but it is acceptable.

Now for the logs...

OTM log:

All processes killed
========== PROCESSES ==========
No active process named explorer.exe was found!
========== FILES ==========
C:\!KillBox\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\Taquito.exe moved successfully.
C:\Documents and Settings\Administrador\Meus documentos\Downloads\Collection of Computer, Technology and Engineering eBooks\Books5.rar moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrador
->Temp folder emptied: 1234947077 bytes
->Temporary Internet Files folder emptied: 1029483 bytes
->Java cache emptied: 283179 bytes
->FireFox cache emptied: 55923937 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
File delete failed. C:\WINDOWS\temp\ZLT01fda.TMP scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\ZLT05789.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied: 52195 bytes
RecycleBin emptied: 2581057845 bytes

Total Files Cleaned = -402.08 mb


OTM by OldTimer - Version 3.0.0.5 log created on 07132009_014256

Files moved on Reboot...
File C:\WINDOWS\temp\ZLT01fda.TMP not found!
File C:\WINDOWS\temp\ZLT05789.TMP not found!

Registry entries deleted on Reboot...


The log just ended with these "...", which is strange.
Are these two .TMP files malicious?

Because they are there again, now named ZLT01c04.TMP and ZLT01c04.TMP
tesshu
post Jul 13 2009, 12:21 AM
Post #11

Now the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:28 AM, on 7/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\notepad.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\DNA\btdna.exe
C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Arquivos de programas\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Arquivos de programas\DNA\btdna.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Arquivos de programas\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39657CA2-C168-4ADF-B88F-76DEDDE18941}: NameServer = 200.189.88.23,200.246.46.132
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6264 bytes


Well, in your first post you told me I could ask if I didn't understand something. I was curious about:
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll What is this thing? Should I remove it?
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing) I've already uninstalled this 'program'; can I delete this entry?

What are these two lines about?
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
Tomk
post Jul 13 2009, 08:53 AM
Post #12

tesshu,

QUOTE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll What is this thing? Should I remove it?
NetWare client service. Don't remove it unless you don't use netware. It's not malware.

QUOTE
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing) I´ve already unninstaled this 'program', can I delete this entry?
It is now orphaned. We can remove it.

QUOTE
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\ARQUIV~1\ARQUIV~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
This is legit. System Event Notification Services.

QUOTE
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
This is the network diagnostics routine built into XP.

I'm not seeing any malware. Therefore I suggest that you post in the windows forum and let the Tech Team try to help. Please post a link there back to this thread so that they can see the logs and what we've done here.

Meanwhile, the log looks good.


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • Note the space between the X and the U, it needs to be there.

The above procedure will:
  • Implement some cleanup procedures.
  • Reset System Restore.


Please re-enable any security that was disabled.

Cleanup

  1. Double click on OTM to run it.
  2. Click on CleanUp!
  3. When done, you will be prompted to restart your computer. Please restart your computer.



The following is my standard advice for the future. Use what you can and pat yourself on the back for what you're already doing.

Please take time to read Preventing Malware - Tools and Practices for Safe Computing. Very important information for your consideration is contained therein.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein


Also: "How to prevent malware"
by miekiemoes

Please respond back that you understand the above and let me know if you have any questions. Otherwise, this thread will be closed Resolved.

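The questions and answers above each map onto a HijackThis section prefix: O3 for the orphaned toolbar, O4 for autoruns, O10 for the Winsock LSP entry, O17 for the configured name servers. The following is an added example, not code from this thread or from Trend Micro, that pulls exactly those fields out of a log so the same first-pass checks can be run over many logs instead of read by eye. The sample log is constructed from lines posted above plus one made-up O4 line ([updater], pointing into a Temp folder) so the path heuristic has something to flag; the "(file missing)" test and the list of folder hints are this example's own assumptions, and anything it flags still needs the kind of manual judgement shown in the reply above.

```python
import re

# Constructed sample in the shape of the HijackThis 2.0.2 log posted above:
# real lines from the thread (paths as posted) plus one made-up O4 line,
# [updater], that points into a Temp folder to exercise the path heuristic.
SAMPLE_LOG = """\
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\\Arquivos de programas\\GbPlugin\\gbieh.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\\Arquivos de programas\\AskBarDis\\bar\\bin\\askBar.dll (file missing)
O4 - HKLM\\..\\Run: [avgnt] "C:\\Arquivos de programas\\Avira\\AntiVir Desktop\\avgnt.exe" /min
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKUS\\S-1-5-18\\..\\Run: [DWQueuedReporting] "C:\\ARQUIV~1\\ARQUIV~1\\MICROS~1\\DW\\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\Administrador\\Configurações locais\\Temp\\updater.exe
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{39657CA2-C168-4ADF-B88F-76DEDDE18941}: NameServer = 200.189.88.23,200.246.46.132
O23 - Service: Gbp Service (GbpSv) - - C:\\ARQUIV~1\\GbPlugin\\GbpSv.exe
"""

# Every HijackThis entry starts with a section code (R0, F2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")

# In an O4 line the command follows "] ": either a quoted path, or an unquoted
# one that we read lazily up to the first ".exe" (case-insensitive).
AUTORUN_RE = re.compile(r'\] (?:"(?P<q>[^"]+)"|(?P<u>.+?\.exe))', re.IGNORECASE)

# Assumption of this example: an autorun that lives under a temp or per-user
# "Local Settings" folder (English or Portuguese name) deserves a second look.
TEMP_HINTS = ("\\temp\\", "\\local settings\\", "\\configurações locais\\")


def parse_entries(text):
    """Return (section_code, body) pairs; process lists and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m["kind"], m["body"]))
    return entries


def orphaned(entries):
    """Entries whose target HijackThis could not find on disk (uninstall leftovers)."""
    return [body for _, body in entries if "(file missing)" in body]


def winsock_lsp(entries):
    """DLL paths from O10 lines; the first ':' separates the label from the path."""
    return [body.split(":", 1)[1].strip() for kind, body in entries if kind == "O10"]


def nameservers(entries):
    """DNS servers from O17 NameServer lines, so they can be compared with the ISP's."""
    ips = []
    for kind, body in entries:
        if kind == "O17" and "NameServer" in body:
            ips.extend(ip.strip() for ip in body.split("=", 1)[1].split(","))
    return ips


def autorun_path(body):
    """Executable referenced by an O4 body, or None if it cannot be parsed."""
    m = AUTORUN_RE.search(body)
    return (m["q"] or m["u"]) if m else None


def autoruns_from_temp(entries):
    """O4 autoruns whose executable sits in a temp or Local Settings folder."""
    flagged = []
    for kind, body in entries:
        if kind != "O4":
            continue
        path = autorun_path(body)
        if path and any(hint in path.lower() for hint in TEMP_HINTS):
            flagged.append(path)
    return flagged


def triage_hjt(text):
    """Summary a reviewer would scan first before reading the log line by line."""
    entries = parse_entries(text)
    return {
        "orphaned": orphaned(entries),
        "lsp": winsock_lsp(entries),
        "nameservers": nameservers(entries),
        "temp_autoruns": autoruns_from_temp(entries),
    }


if __name__ == "__main__":
    for key, value in triage_hjt(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the posted log this surfaces the same four items discussed above: the Ask Toolbar entry is the one orphan, nwprovau.dll is the single LSP to identify, and the two O17 addresses are the ones to confirm against the ISP's DNS servers; the only temp-folder autorun it reports is the constructed [updater] line, which the real log does not contain.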
tesshu
post Jul 14 2009, 08:55 PM
Post #13

Thank you very much, Tomk, for your time and advice.
My PC is working more stably and faster. The major problems were fixed thanks to you.

I'll read these links when I have the time.
The thread can be closed ^^.
See you.
Tomk
post Jul 14 2009, 10:02 PM
Post #14

tesshu,

You are very welcome.

Good Luck and Be Well.
Tomk
post Jul 14 2009, 10:07 PM
Post #15

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
