Post #1 - Jul 3 2009, 09:44 PM
New Member | Group: Authentic Member | Posts: 8 | Joined: 3-July 09 | Member No.: 86,533 | Operating System: Windows XP SP3
I don't know how to track viruses and stuff, so any help would be welcome. One thing I know: the more information I can give, the better help I can get, so I will try to explain everything I can without missing the subject.
I'm pretty sure the GbpSv is the plugin for safe access to my bank account, because I have been using it for a long time now, and the real problem started a few weeks ago, when I started to experience weird things with my PC. It all started when I uninstalled Microsoft Visual Studio 2005, and now my Windows always shows some messages about debugging, which was done by Visual Studio before without alert messages, and now the files are missing and alert messages pop up when they are needed (I uninstalled it with its own Uninstalling Tool). But I think this might not be the right forum for this issue. The new things that happened were this "cisc.exe", and I guess there are more "svchost.exe" running than a few weeks ago. There was also a process named DrvGuard32.exe that I found today, and I tried removing it from msconfig -> Init Settings and its registry calls. Besides all that, whenever I start my computer and explorer.exe is about to start running, a window appears with some "Defining personalized features for: C:\Restore\S - a bunch of numbers that I don't have any clue about -". The same thing happens if I KILL explorer.exe and then start it again: the same window, but with different numbers. I tried accessing this folder, but (even with Occult Files ON) it's inaccessible. I also tried deleting it with KillBox, but no results. Another problem is some suspicious files in my C:\Windows\Temp\ folder; I can't erase them, even with KillBox. An image showing it is attached to this message, or can be accessed through this link. (The image is taken right before explorer.exe loads; as I said, a window in the top-left corner appears with that message.)
QUOTE
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.babylon.com/home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Cursors\lsass.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\Arquivos de programas\GbPlugin\gbieh.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Babylon - {965B54B0-71E0-4611-8DE7-F73FA0B20E26} - C:\Arquivos de programas\Babylon\Babylon Toolbar\BabylonIEToolBar.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Babylon Client] C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe -AutoStart
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Arquivos de programas\DNA\btdna.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Arquivos de programas\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{39657CA2-C168-4ADF-B88F-76DEDDE18941}: NameServer = 200.189.88.23,200.246.46.132
O20 - Winlogon Notify: GbPluginBb - C:\Arquivos de programas\GbPlugin\gbieh.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Gbp Service (GbpSv) - - C:\ARQUIV~1\GbPlugin\GbpSv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6802 bytes
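As an added, defender-side illustration (not code from the original post, from the forum helpers, or from HijackThis itself), here is a small Python triage script that applies the usual HijackThis reading rules to a few lines copied from the log above: the F2 Shell= value should name Explorer.exe alone, core Windows binaries such as lsass.exe belong in system32, "(file missing)" entries are orphans, and the O17 name servers should be confirmed against the ISP's. The sample lines, the severity labels and the function name analyse are this example's own assumptions.

```python
import re
from pathlib import PureWindowsPath

# Core Windows binaries that, on XP, legitimately run only from %SystemRoot%\system32.
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe"}
SYSTEM_DIR = "c:\\windows\\system32"
# Drive-letter path ending in .exe/.dll; spaces allowed ("Arquivos de programas").
PATH_RE = re.compile(r'[a-zA-Z]:\\[^"<>|?*\r\n]*?\.(?:exe|dll)\b', re.IGNORECASE)

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Cursors\lsass.exe
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Arquivos de programas\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{39657CA2-C168-4ADF-B88F-76DEDDE18941}: NameServer = 200.189.88.23,200.246.46.132
"""

def analyse(log_text):
    """Return (severity, section, message) tuples for lines worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]  # R0, F2, O2, O4, ...
        # F2 Shell= should name Explorer.exe alone; an appended executable
        # is launched together with the shell at every logon.
        if section == "F2" and "Shell=" in line:
            shell = line.split("Shell=", 1)[1].strip()
            if shell.lower() != "explorer.exe":
                findings.append(("high", section, "Shell= is not just Explorer.exe: " + shell))
        # A core binary referenced from outside system32 is a name-masquerade sign.
        for path in PATH_RE.findall(line):
            p = PureWindowsPath(path)
            if p.name.lower() in CORE_BINARIES and str(p.parent).lower() != SYSTEM_DIR:
                findings.append(("high", section, p.name + " outside system32: " + path))
        # Entries pointing at nothing are leftovers worth cleaning up.
        if "(file missing)" in line or "(no file)" in line:
            findings.append(("low", section, "orphaned entry: " + line))
        # O17 lists the configured DNS servers; confirm they belong to the ISP.
        if section == "O17" and "NameServer =" in line:
            findings.append(("info", section, "verify DNS servers: " + line.split("NameServer =", 1)[1].strip()))
    return findings

if __name__ == "__main__":
    for sev, sec, msg in analyse(SAMPLE_LOG):
        print(f"[{sev}] {sec}: {msg}")
```

Run against the full log, the script is a first pass only: every "high" line still needs the file checked by hand (signature, hash, creation time) before anything is removed.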
Post #2 - Jul 9 2009, 05:34 PM
Hello Tomk.
I would like to thank you for your time before anything else; you from WTT do a really great job helping people here. Well, during the time I was waiting for an answer my friend advised me to run ComboFix. I ran it and it successfully fixed the C:\Restore problem, so when explorer.exe runs there are no more messages about "C:\Restore\S- lot of numbers -". But now that you answered I'm following your instructions. Here is the Rooter log:

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP . (5.1.2600) Service Pack 3 [32_bits] - x86 Family 16 Model 2 Stepping 3, AuthenticAMD
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Disabled !
.
Internet Explorer 7.0.5730.11
.
C:\ [Fixed-NTFS] .. ( Total:249 Go - Free:59 Go )
D:\ [Fixed-NTFS] .. ( Total:199 Go - Free:161 Go )
E:\ [CD_Rom]
F:\ [CD_Rom]
.
Scan : 18:42.24
Path : C:\Documents and Settings\Administrador\Desktop\Rooter.exe
User : Administrador ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (736)
______ \??\C:\WINDOWS\system32\csrss.exe (784)
______ \??\C:\WINDOWS\system32\winlogon.exe (808)
______ C:\WINDOWS\system32\services.exe (852)
______ C:\WINDOWS\system32\lsass.exe (864)
______ C:\ARQUIV~1\GbPlugin\GbpSv.exe (1068)
______ C:\WINDOWS\system32\svchost.exe (1100)
______ C:\WINDOWS\system32\svchost.exe (1148)
______ C:\WINDOWS\System32\svchost.exe (1236)
______ C:\WINDOWS\system32\svchost.exe (1280)
______ C:\WINDOWS\system32\svchost.exe (1480)
______ C:\WINDOWS\system32\svchost.exe (1564)
Locked vsmon.exe (1616)
______ C:\WINDOWS\Explorer.EXE (1772)
______ C:\WINDOWS\system32\spoolsv.exe (288)
______ C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe (324)
______ C:\WINDOWS\system32\svchost.exe (464)
______ C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe (488)
______ C:\Arquivos de programas\Java\jre6\bin\jqs.exe (732)
______ C:\WINDOWS\system32\nvsvc32.exe (788)
______ C:\WINDOWS\system32\svchost.exe (1216)
Locked zlclient.exe (2260)
______ C:\Arquivos de programas\Babylon\Babylon-Pro\Babylon.exe (2288)
______ C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe (2368)
______ C:\Arquivos de programas\Java\jre6\bin\jusched.exe (2388)
______ C:\WINDOWS\system32\ctfmon.exe (2464)
______ C:\Arquivos de programas\DNA\btdna.exe (2476)
______ C:\Arquivos de programas\Windows Live\Messenger\MsnMsgr.Exe (2508)
______ C:\WINDOWS\System32\alg.exe (2520)
______ C:\WINDOWS\System32\svchost.exe (3392)
______ C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe (3772)
______ C:\Arquivos de programas\Mozilla Firefox\firefox.exe (308)
______ C:\WINDOWS\system32\wscntfy.exe (4024)
______ C:\Documents and Settings\Administrador\Desktop\Rooter.exe (1088)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:268431980544)
\Device\Harddisk0\Partition0 (Start_Offset:268432012800 | Length:231665011200)
\Device\Harddisk0\Partition2 (Start_Offset:268432045056 | Length:214745577984)
.
----------------------\\ Scheduled Tasks
.
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 18:43.07
.
C:\Rooter$\Rooter_1.txt - (09/07/2009 | 18:43.07)

And now the Malwarebytes' log:

Malwarebytes' Anti-Malware 1.38
Database version: 2401
Windows 5.1.2600 Service Pack 3

7/9/2009 7:26:35 PM
mbam-log-2009-07-09 (19-26-35).txt

Scan type: Quick Scan
Objects scanned: 89633
Time elapsed: 1 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Thread: [Resolved] HijackThis Log - PC with a C:\Restore folder unac (started by tesshu, Jul 3 2009, 09:44 PM)