Even following instructions, still get malware on PC. Need help, please!

Hey guys and gals, I have been trying very hard to remove this adware from my computer and so far have had no luck. I am running X-Cleaner freeware, which detects and removes it, but once I reboot it comes right back and pops up an annoying advertisement popup when I open IE.

I have also performed all steps listed that one has to do BEFORE posting a new thread. So, after following all steps, below is the HijackThis logfile along with the report from the online scan with Panda.

Could someone please help?
Thank you !
********************
Logfile of HijackThis v1.99.1
Scan saved at 23:22:46, on 6/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
C:\WINDOWS\Mixer.exe
C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
c:\arquiv~1\intern~1\iexplore.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Disco2\SPYWARE REMOVERS\1\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar4.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Nero DriveSpeed] C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Arquivos de programas\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DaleMfcdPileBat] C:\Documents and Settings\All Users\Dados de aplicativos\BIKE SAFE DALE MFCD\Intra for.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/25dd2ed73dec76ef9421/netzip/RdxIE601_br.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146450374513
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152550746931
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

Panda report:

Incident Status Location

Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Dados de aplicativos\BIKE SAFE DALE MFCD\Intra for.exe
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Marco\Cookies\marco@google.com[1].txt
Spyware:Cookie/myaffiliateprogram Not disinfected C:\Documents and Settings\Marco\Cookies\marco@www.myaffiliateprogram[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Marco\Cookies\marco@com[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Marco\Cookies\marco@atdmt[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Marco\Cookies\marco@ad.yieldmanager[1].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\Bind 1.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\PLQOSAMK.EXE
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\stupid vga hope.exe

Thanks once more!

Comments

  • Rahina-Rescue Finland
    edited February 2007
    Hello Marcop2007!

    My name is Rahina Rescue and I will be helping you here. :smiles:


    Please Download NoLop to your desktop.

    First close any other programs you have running as this will require a reboot
    Double click NoLop.exe to run it
    Now click the button labelled "Search and Destroy"

    <<Your computer will now be scanned for infected files>>

    When scanning is finished you will be prompted to reboot only if infected; click OK.
    Now click the "REBOOT" button.
    A message should pop up from NoLop. If not, double click the program again and it will finish.

    Please Post the contents of C:\NoLop.log along with a fresh HijackThis log.

    If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder, then rerun the program.
  • edited February 2007
    Hello, Rahina Rescue.. thanks a lot for helping.

    Below is the NoLop info you asked for:

    NoLop! Log by Skate_Punk_21

    Fix running from: C:\Disco2\SPYWARE REMOVERS\6
    [7/2/2007]
    [17:01:29]

    ---Infection Files Found/Removed---
    C:\WINDOWS\tasks\AA1CD9B2909B5712.job

    Beginning Removal...
    Rebooting...
    Removing Lop's Leftover Files/Folders...
    Editing Registry...
    **Fix Complete!**

    ---Listing AppData sub directories---

    C:\Documents and Settings\Marco\Application Data\Microsoft

    And the HijackThis info:

    Logfile of HijackThis v1.99.1
    Scan saved at 17:08:02, on 7/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    C:\WINDOWS\Mixer.exe
    C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe
    C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    c:\arquiv~1\intern~1\iexplore.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Disco2\SPYWARE REMOVERS\1\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar4.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Arquivos de programas\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [DaleMfcdPileBat] C:\Documents and Settings\All Users\Dados de aplicativos\BIKE SAFE DALE MFCD\Intra for.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146450374513
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152550746931
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    Will be waiting to hear from you again. Thanks.
  • Rahina-Rescue Finland
    edited February 2007
    Please open HijackThis and scan. Check the boxes next to all the entries listed below:

    O4 - HKLM\..\Run: [DaleMfcdPileBat] C:\Documents and Settings\All Users\Dados de aplicativos\BIKE SAFE DALE MFCD\Intra for.exe

    Now close all windows other than HijackThis, then click Fix Checked. Close HijackThis.

    Please go Here to see how to show hidden files in Windows.

    Now, Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following folder (if present):

    C:\Documents and Settings\All Users\Dados de aplicativos\BIKE SAFE DALE MFCD



    Download ATF-Cleaner by Atribune to your desktop.

    Do NOT run it yet.

    Run ATF-Cleaner. Under Main choose: Select All
    Click the Empty Selected button.

    If you use the Firefox browser, click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser, click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.



    Kaspersky On-line Scanner

    When you are prompted to install an ActiveX component from Kaspersky, Click Yes.

    The program will launch and then begin downloading the latest definition files.
    When the files finish downloading, click on NEXT.
    Now click on Scan Settings
    In Scan Settings make sure that the following are selected:
    Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)

    Scan Options:

    Scan Archives
    Scan Mail Bases


    Click OK

    Now under select a target to scan:
    Select My Computer
    This program will start and scan your system.
    Online scan can take a long time to complete and the time is impacted by the speed of your internet connection. Be patient and let it run. It is best not to do anything else while the scan is running. This will help it to complete faster.
    When the scan has completed, it will display whether your system has been infected or not.
    Click on the Save as Text button:
    Save the file to your desktop or another folder where you can locate it later.
    Attach this file to your next message.

    Please post a fresh HJT log & Kaspersky report ;)
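The two checks the helper made by eye in the post above, automated as an added example (this is not code from HijackThis, Panda or the forum helper): it parses the O4 Run lines of the HJT log and the Panda report lines, flags autostarts that run from an application-data folder or that the scanner reported, and lists reported executables that have no autostart entry and so must be removed by hand. The regexes are my reading of the two formats from the lines in this thread, the "Disinfected" status value is assumed, and the sample lines are copied from the thread.

```python
"""Triage a HijackThis v1.99 log against a Panda ActiveScan report.

Added example for this thread, not code from HijackThis, Panda or the helper.
Flags Run autostarts that sit under an application-data folder or were reported
by the scanner, and lists reported executables with no autostart entry.
"""
import re
from collections import namedtuple

# 'O4 - HKLM\..\Run: [Name] command line' (registry Run keys only; HJT's
# 'O4 - Startup:' folder entries are not parsed here)
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): '
                   r'\[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# 'Adware:Adware/Lop Not disinfected C:\path' ("Disinfected" is an assumption)
PANDA_RE = re.compile(r'^(?P<cat>\w+):(?P<name>.+?)\s+'
                      r'(?P<status>Not disinfected|Disinfected)\s+(?P<path>[A-Za-z]:\\.+)$')
# Application-data folders: English plus the Brazilian-Portuguese names seen in
# the thread's log; compared against the lower-cased path.
APPDATA_MARKERS = ('\\application data\\', '\\dados de aplicativos\\',
                   '\\configurações locais\\dados de aplicativos\\')
EXEC_EXT = ('.exe', '.com', '.scr', '.bat', '.cmd', '.pif', '.dll')

Autostart = namedtuple('Autostart', 'hive key name path')
Detection = namedtuple('Detection', 'label path')
Finding = namedtuple('Finding', 'entry reasons')
Report = namedtuple('Report', 'flagged orphans')

def extract_path(cmd):
    """Executable path from an O4 command line: quoted path, RUNDLL32 host
    (take the DLL it loads), or an unquoted path that may contain spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(?i)^rundll32(?:\.exe)?\s+(.+?\.dll)', cmd)
    if m:
        return m.group(1)
    m = re.match(r'(?i)^(.+?\.(?:exe|com|scr|bat|cmd|pif))(?:\s|$)', cmd)
    return m.group(1) if m else (cmd.split() or [''])[0]

def parse_o4(lines):
    out = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if m:
            out.append(Autostart(m['hive'], m['key'], m['name'], extract_path(m['cmd'])))
    return out

def parse_panda(lines):
    """Map lower-cased path -> Detection so it can be joined with HJT paths."""
    out = {}
    for line in lines:
        m = PANDA_RE.match(line.strip())
        if m:
            out[m['path'].lower()] = Detection(m['cat'] + ':' + m['name'], m['path'])
    return out

def in_appdata(path):
    return any(marker in path.lower() for marker in APPDATA_MARKERS)

def triage(hjt_lines, scanner_lines):
    autostarts = parse_o4(hjt_lines)
    detections = parse_panda(scanner_lines)
    flagged = []
    for a in autostarts:
        reasons = []
        if in_appdata(a.path):
            reasons.append('runs from an application-data folder')
        if a.path.lower() in detections:
            reasons.append('reported by scanner as ' + detections[a.path.lower()].label)
        if reasons:
            flagged.append(Finding(a, tuple(reasons)))
    known = {a.path.lower() for a in autostarts}
    # Reported executables with no Run entry: nothing relaunches them, but they
    # stay on disk until deleted (the "burn admin bolt" files in this thread).
    orphans = [d for key, d in detections.items()
               if key not in known and key.endswith(EXEC_EXT)]
    return Report(flagged, orphans)

# Sample input copied from the thread's HJT log and Panda report (the cookie
# line shows that non-executables are left out of the delete-by-hand list).
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DaleMfcdPileBat] C:\Documents and Settings\All Users\Dados de aplicativos\BIKE SAFE DALE MFCD\Intra for.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
""".strip().splitlines()
PANDA_SAMPLE = r"""
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Dados de aplicativos\BIKE SAFE DALE MFCD\Intra for.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Marco\Cookies\marco@atdmt[2].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\Bind 1.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\PLQOSAMK.EXE
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\stupid vga hope.exe
""".strip().splitlines()

if __name__ == '__main__':
    rep = triage(HJT_SAMPLE, PANDA_SAMPLE)
    for f in rep.flagged:
        print('FIX  O4 - %s [%s] %s  (%s)' % (f.entry.hive, f.entry.name, f.entry.path, '; '.join(f.reasons)))
    for d in rep.orphans:
        print('DEL  %s  %s  (no autostart entry; remove by hand)' % (d.label, d.path))
```

The "FIX" line is the entry to tick in HijackThis and the "DEL" lines are the files left for manual deletion, which is exactly the split the helper's instructions above make.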
  • edited February 2007
    OK, log and report as asked:

    Logfile of HijackThis v1.99.1
    Scan saved at 02:57:09, on 9/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    C:\WINDOWS\Mixer.exe
    C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe
    C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    c:\arquiv~1\intern~1\iexplore.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Disco2\SPYWARE REMOVERS\1\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar4.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Arquivos de programas\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146450374513
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152550746931
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    Kaspersky:
    KASPERSKY ONLINE SCANNER REPORT
    Friday, February 09, 2007 2:52:38 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 9/02/2007
    Kaspersky Anti-Virus database records: 266194

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 50984
    Number of viruses found: 11
    Number of infected objects: 35 / 0
    Number of suspicious objects: 1
    Duration of the scan process: 01:13:21

    Infected Object Name / Virus Name / Last Action
    C:\Arquivos de programas\Disney\Conexao Disney\setup.exe/WISE0018.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\Arquivos de programas\Disney\Conexao Disney\setup.exe/WISE0018.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\Arquivos de programas\Disney\Conexao Disney\setup.exe WiseSFX: infected - 2 skipped
    C:\Arquivos de programas\Disney\Conexao Disney\setup.exe WiseSFX Dropper: infected - 2 skipped
    C:\Arquivos de programas\Kazaa Lite Resurrection\killproc.exe Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\Temp\ZLT007d3.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT03bfe.TMP Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\Internet Logs\WINGATE-KJWLAFT.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Marco\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Marco\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From "Marcop" <marcop@i.com.ua>][Date Thu, 29 Jun 2006 02:37:28 +0900]/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From "Marcop" <marcop@i.com.ua>][Date Thu, 29 Jun 2006 02:37:28 +0900]/Martha.zip Infected: Email-Worm.Win32.Bagle.gen skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From Microsoft <windowsupdate@microsoft.com>][Date 24 Jul 2006 15:53:59 -0700]/html Infected: Trojan-Downloader.HTML.Agent.ay skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From Microsoft <windowsupdate@microsoft.com>][Date 24 Jul 2006 17:45:27 -0700]/html Infected: Trojan-Downloader.HTML.Agent.ay skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From Te AMO meu amor <uepaaaaaa@bol.com.br>][Date Mon, 06 Nov 2006 08:12:16 -0200]/html Infected: Trojan-Downloader.HTML.Banload.a skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED Infected: Trojan-Downloader.HTML.Banload.a skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/html Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From "Hollis X. Jock" <udrl@hildebrandtewes.com>][Date Tue, 06 Feb 2007 16:50:32 -0500]/greeting Infected: Email-Worm.Win32.Zhelatin.r skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From "" <CENTRAL GLOBO.COM>][Date Thu, 08 Feb 2007 01:08:02 +0000 (=?UNKNOWN?Q?Hor=E1rio?=)]/html Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From "" <CENTRAL GLOBO.COM>][Date Thu, 08 Feb 2007 15:30:39 +0000 (=?UNKNOWN?Q?Hor=E1rio?=)]/html Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox Mail Berkeley mbox: infected - 11, suspicious - 1 skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\plqosamk.exe Infected: Trojan.Win32.Inject.au skipped
    C:\Documents and Settings\Marco\ntuser.dat Object is locked skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP389\A0124791.exe Infected: not-a-virus:Downloader.Win32.DigStream.a skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP415\A0136317.exe Infected: Trojan.Win32.Inject.au skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP415\A0136322.exe Infected: Trojan.Win32.Inject.au skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP416\change.log Object is locked skipped
    C:\Disco2\BURLAR MICROSOFT VALIDATION\MAGICAL JELLY BEAN\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
    C:\Disco2\BURLAR MICROSOFT VALIDATION\MAGICAL JELLY BEAN\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
    C:\Disco2\BURLAR MICROSOFT VALIDATION\MAGICAL JELLY BEAN\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
    C:\Disco2\BURLAR MICROSOFT VALIDATION\MAGICAL JELLY BEAN\keyfinder.exe RarSFX: infected - 3 skipped
    C:\Disco2\Kazaa Lite\KLR0076F.exe/Stream/data0010 Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\Disco2\Kazaa Lite\KLR0076F.exe/Stream Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\Disco2\Kazaa Lite\KLR0076F.exe Inno: infected - 2 skipped
    C:\Disco2\Kazaa Lite\KLR008.exe/Stream/data0010 Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\Disco2\Kazaa Lite\KLR008.exe/Stream Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\Disco2\Kazaa Lite\KLR008.exe Inno: infected - 2 skipped
    C:\Disco2\DISNEY - TERRA\dmcsetup.exe/WISE0018.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\Disco2\DISNEY - TERRA\dmcsetup.exe/WISE0018.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\Disco2\DISNEY - TERRA\dmcsetup.exe WiseSFX: infected - 2 skipped
    C:\Disco2\DISNEY - TERRA\dmcsetup.exe WiseSFX Dropper: infected - 2 skipped

    Scan process completed.

    I'll be waiting for further instructions. Thank you!
  • Rahina-Rescue Finland
    edited February 2007
    Sorry for the delay, I've been busy.

    Click Start > Run, copy and paste "C:\Documents and Settings\All Users\Dados de aplicativos\BIKE SAFE DALE MFCD\Intra for.exe" -uninstall and hit Enter.

    Search and delete the following files, ( if Present )

    C:\Arquivos de programas\Disney\Conexao Disney\setup.exe
    C:\Arquivos de programas\Kazaa Lite Resurrection\killproc.exe
    C:\Disco2\BURLAR MICROSOFT VALIDATION\MAGICAL JELLY BEAN\keyfinder.exe
    C:\Disco2\Kazaa Lite\KLR0076F.exe
    C:\Disco2\Kazaa Lite\KLR008.exe
    C:\Disco2\DISNEY - TERRA\dmcsetup.exe

    Please run the F-Secure Online Scanner

    Note: This Scanner is for Internet Explorer Only!

    Follow the Instruction Here for installation.
    Accept the License Agreement.
    Once the ActiveX installs, Click Full System Scan
    Once the download completes, the scan will begin automatically.
    The scan will take some time to finish, so please be patient.
    When the scan completes, click the Automatic cleaning (recommended) button.
    Click the Show Report button and Copy&Paste the entire report in your next reply.

    Also post a HJT Log in your next reply.
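    The file list in the reply above is a manual triage of the Kaspersky report posted earlier: "Object is locked" records are noise, archive members (setup.exe/WISE0018.BIN) collapse back to the on-disk container, mailbox hits point at a message rather than a deletable file, and System Volume Information copies are restore-point snapshots. The following script is an added example, not code from this thread or from Kaspersky, that performs that triage automatically. The sample records are a constructed subset copied from the report above; the categories, the helper names (`parse_report`, `triage`, `classify`) and the rule that a path whose detections all carry the `not-a-virus:` prefix is riskware rather than malware are this example's own assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the object records from the Kaspersky Online
# Scanner report posted earlier in this thread (one locked system file, archive
# members, a mailbox hit, a restore-point copy and two container summary lines).
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Arquivos de programas\Disney\Conexao Disney\setup.exe/WISE0018.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\Arquivos de programas\Disney\Conexao Disney\setup.exe/WISE0018.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
C:\Arquivos de programas\Disney\Conexao Disney\setup.exe WiseSFX: infected - 2 skipped
C:\Arquivos de programas\Kazaa Lite Resurrection\killproc.exe Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\plqosamk.exe Infected: Trojan.Win32.Inject.au skipped
C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP415\A0136317.exe Infected: Trojan.Win32.Inject.au skipped
C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "Marcop" <marcop@i.com.ua>][Date Thu, 29 Jun 2006 02:37:28 +0900]/Martha.zip Infected: Email-Worm.Win32.Bagle.gen skipped
C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox Mail Berkeley mbox: infected - 11, suspicious - 1 skipped
"""

# The three record shapes seen in the report (trailing " skipped" removed first).
LOCKED_RE = re.compile(r"^(?P<path>.+) Object is locked$")
HIT_RE = re.compile(r"^(?P<path>.+) (?P<status>Infected|Suspicious): (?P<name>\S+)$")
# Container summaries: "<path> WiseSFX: infected - 2", "<path> Mail Berkeley mbox: infected - 11, suspicious - 1".
SUMMARY_RE = re.compile(
    r"^(?P<path>.+?) (?P<container>[A-Za-z ]+): infected - (?P<inf>\d+)(?:, suspicious - (?P<sus>\d+))?$"
)


def parse_line(line):
    """Turn one report line into a record dict, or None for non-object lines."""
    if not line.endswith(" skipped"):
        return None  # headers and statistics lines are not object records
    line = line[: -len(" skipped")]
    m = LOCKED_RE.match(line)
    if m:
        return {"path": m["path"], "status": "locked", "name": None}
    m = HIT_RE.match(line)
    if m:
        return {"path": m["path"], "status": m["status"].lower(), "name": m["name"]}
    m = SUMMARY_RE.match(line)
    if m:
        return {"path": m["path"], "status": "summary", "name": m["container"]}
    return {"path": line, "status": "unknown", "name": None}


def parse_report(text):
    records = (parse_line(raw.strip()) for raw in text.splitlines())
    return [r for r in records if r is not None]


def on_disk_file(path):
    # Kaspersky separates archive/mailbox members with "/"; Windows paths use "\" only,
    # so everything before the first "/" is the file that actually exists on disk.
    return path.split("/", 1)[0]


def classify(on_disk, names):
    """Assumed remediation category (this example's own rules, not Kaspersky's)."""
    low = on_disk.lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point copy"      # snapshot, not the live file
    if "\\thunderbird\\" in low or low.endswith("\\inbox"):
        return "mail store"              # hit is a message inside the mailbox file
    if all(n.startswith("not-a-virus:") for n in names):
        return "riskware (not-a-virus)"  # PUA/tool class, still unwanted here
    return "malware"


def triage(records):
    """Collapse Infected/Suspicious records onto on-disk files with a category."""
    names = defaultdict(set)
    hits = Counter()
    for r in records:
        if r["status"] in ("infected", "suspicious"):
            f = on_disk_file(r["path"])
            names[f].add(r["name"])
            hits[f] += 1
    return {
        f: {"category": classify(f, names[f]), "detections": sorted(names[f]), "hits": hits[f]}
        for f in sorted(names)
    }


if __name__ == "__main__":
    for f, info in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{info['category']:24} {info['hits']:2}x {f}  <- {', '.join(info['detections'])}")
```

    Run on the full report, the "malware" and "riskware" buckets reproduce the delete list in the reply above (setup.exe, killproc.exe, keyfinder.exe, the two KLR*.exe installers and dmcsetup.exe), while the mail-store and restore-point buckets show which hits need a different action than deleting the path as printed.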
  • edited February 2007
    Hello, Rahina Rescue

    The F-Secure Online Scanner didn't work for me. I have installed the ActiveX and followed the instructions. But at a certain point of the scan, it reports that an error occurred and that the user should close and restart the internet browser. Tried half a dozen times, got the same error over and over again, at different moments of the scan. It just doesn't reach the end.

    About the HJT Log, here it goes:

    Logfile of HijackThis v1.99.1
    Scan saved at 18:01:49, on 11/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    C:\WINDOWS\Mixer.exe
    C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\wdfmgr.exe
    c:\arquiv~1\intern~1\iexplore.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Arquivos de programas\Grisoft\AVG Free\avgcc.exe
    C:\Disco2\SPYWARE REMOVERS\1\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar4.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Arquivos de programas\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146450374513
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152550746931
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    Thanks!
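    A HijackThis log like the one above is a flat text dump of browser and autostart hooks (R lines for IE settings, O2 BHOs, O4 Run keys, O16 downloaded ActiveX controls, O17 name servers, O23 services). The script below is an added example, not part of this thread or of HijackThis, that parses such a log into structured records so the reviewer's usual checks can be scripted: which Run entries point at a bare file name rather than a fully qualified path (`nwiz.exe /install`, `Mixer.exe /startup`), which DPF controls were fetched over plain HTTP or are a raw .exe instead of a signed .cab, what the configured name servers are, and which CLSIDs appear in more than one section (here the same CLSID is both a BHO and a DPF control, i.e. the control installed the BHO). The sample lines are a constructed subset copied from the log above; the helper names (`parse_hjt`, `autoruns`, `dpf_controls`, `name_servers`, `shared_clsids`) and the `executable_of` heuristic for unquoted commands are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [Name] command"; HJT abbreviates Software\Microsoft\Windows\CurrentVersion as "..".
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O17_RE = re.compile(r"NameServer = (?P<servers>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")
QUALIFIED_RE = re.compile(r"^[A-Za-z]:\\")  # drive-letter absolute path


def parse_hjt(text):
    """Split a log into {section, body} records; non-entry lines are dropped."""
    out = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            out.append({"section": m["section"], "body": m["body"]})
    return out


def executable_of(cmd):
    """Best-effort extraction of the program from a Run value (assumed heuristic)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1 : cmd.index('"', 1)]
    # Unquoted commands may contain spaces in the path: grow the candidate token by
    # token until it ends in an executable extension (e.g. "C:\Arquivos de ... \NeroCheck.exe").
    tokens = cmd.split(" ")
    for i in range(len(tokens)):
        cand = " ".join(tokens[: i + 1])
        if cand.lower().endswith((".exe", ".com", ".scr")):
            return cand
    return tokens[0]


def autoruns(entries):
    out = []
    for e in entries:
        m = O4_RE.match(e["body"]) if e["section"] == "O4" else None
        if m:
            exe = executable_of(m["cmd"])
            out.append({"hive": m["hive"], "name": m["name"], "exe": exe,
                        "qualified": bool(QUALIFIED_RE.match(exe))})
    return out


def dpf_controls(entries):
    out = []
    for e in entries:
        m = O16_RE.match(e["body"]) if e["section"] == "O16" else None
        if m:
            url = m["url"]
            out.append({"clsid": m["clsid"].upper(), "name": m["name"], "url": url,
                        "https": url.lower().startswith("https://"),
                        "kind": url.split("?", 1)[0].rsplit(".", 1)[-1].lower()})
    return out


def name_servers(entries):
    servers = []
    for e in entries:
        m = O17_RE.search(e["body"]) if e["section"] == "O17" else None
        if m:
            servers.extend(m["servers"].split())
    return servers


def shared_clsids(entries):
    """CLSIDs that occur in more than one section (e.g. a DPF control that is also a BHO)."""
    idx = defaultdict(set)
    for e in entries:
        for c in CLSID_RE.findall(e["body"]):
            idx[c.upper()].add(e["section"])
    return {c: sorted(s) for c, s in idx.items() if len(s) > 1}


if __name__ == "__main__":
    ents = parse_hjt(SAMPLE_HJT)
    for r in autoruns(ents):
        print(f"O4 {r['hive']} [{r['name']}] -> {r['exe']}  qualified={r['qualified']}")
    for d in dpf_controls(ents):
        print(f"O16 {d['clsid']} {d['name']!r} https={d['https']} kind={d['kind']}")
    print("name servers:", name_servers(ents))
    print("CLSIDs in several sections:", shared_clsids(ents))
```

    The output is only an inventory: an unqualified Run entry or a plain-HTTP DPF control is something to look up, not by itself a verdict, and the same goes for the name servers, which here are simply the values the ISP assigned.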
  • Rahina-Rescue Finland
    edited February 2007
    Please run

    Kaspersky On-line Scanner

    When you are prompted to install an ActiveX component from Kaspersky, Click Yes.

    The program will launch and then begin downloading the latest definition files
    When the files finish downloading click on NEXT
    Now click on Scan Settings
    In Scan Settings make sure that the following are selected:
    Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)

    Scan Options:

    Scan Archives
    Scan Mail Bases


    Click OK

    Now under select a target to scan:
    Select My Computer
    This program will start and scan your system.
    Online scan can take a long time to complete and the time is impacted by the speed of your internet connection. Be patient and let it run. It is best not to do anything else while the scan is running. This will help it to complete faster.
    When the scan has completed, it will display whether your system has been infected or not
    Click on the Save as Text button:
    Save the file to your desktop or another folder where you can locate it later.
    Attach this file to your next message.

    Please post a fresh HJT log (without editing it) & Kaspersky report ;)
  • edited February 2007
    Sorry for the delay !

    KASPERSKY ONLINE SCANNER REPORT
    Saturday, February 17, 2007 4:21:59 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 17/02/2007
    Kaspersky Anti-Virus database records: 269086

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 52520
    Number of viruses found: 10
    Number of infected objects: 37 / 0
    Number of suspicious objects: 1
    Duration of the scan process: 01:20:41

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\Temp\ZLT06acf.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT05c71.TMP Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\Internet Logs\WINGATE-KJWLAFT.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Marco\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Histórico\History.IE5\MSHist012007021720070218\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Marco\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From "Marcop" <marcop@i.com.ua>][Date Thu, 29 Jun 2006 02:37:28 +0900]/html Suspicious: Email-Worm.Win32.Bagle.mail skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From "Marcop" <marcop@i.com.ua>][Date Thu, 29 Jun 2006 02:37:28 +0900]/Martha.zip Infected: Email-Worm.Win32.Bagle.gen skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From Microsoft <windowsupdate@microsoft.com>][Date 24 Jul 2006 15:53:59 -0700]/html Infected: Trojan-Downloader.HTML.Agent.ay skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From Microsoft <windowsupdate@microsoft.com>][Date 24 Jul 2006 17:45:27 -0700]/html Infected: Trojan-Downloader.HTML.Agent.ay skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED/[From Te AMO meu amor <uepaaaaaa@bol.com.br>][Date Mon, 06 Nov 2006 08:12:16 -0200]/html Infected: Trojan-Downloader.HTML.Banload.a skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From patifreitas <patifreitas@ig.com.br>][Date Mon, 26 Jun 2006 12:46:28 -0300]/UNNAMED Infected: Trojan-Downloader.HTML.Banload.a skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/html Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From "Hollis X. Jock" <udrl@hildebrandtewes.com>][Date Tue, 06 Feb 2007 16:50:32 -0500]/greeting Infected: Email-Worm.Win32.Zhelatin.r skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From "" <CENTRAL GLOBO.COM>][Date Thu, 08 Feb 2007 01:08:02 +0000 (=?UNKNOWN?Q?Hor=E1rio?=)]/html Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From "" <CENTRAL GLOBO.COM>][Date Thu, 08 Feb 2007 15:30:39 +0000 (=?UNKNOWN?Q?Hor=E1rio?=)]/html Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From F-PROT Antivirus Alert Service <support@f-prot.com>][Date Fri, 9 Feb 2007 08:43:48 +0000 (GMT)]/text/[From Terra Intersena <intersena@terra.com.br>][Date Fri, 9 Feb 2007 09:39:55 -0200 (BRST)]/html/[From eCS-2?B?Y3Jpcw<cris@terra.com.br>][Date Fri, 09 Feb 2007 10:59:15 -0300]/html Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From F-PROT Antivirus Alert Service <support@f-prot.com>][Date Fri, 9 Feb 2007 08:43:48 +0000 (GMT)]/text/[From Terra Intersena <intersena@terra.com.br>][Date Fri, 9 Feb 2007 09:39:55 -0200 (BRST)]/html Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED/[From F-PROT Antivirus Alert Service <support@f-prot.com>][Date Fri, 9 Feb 2007 08:43:48 +0000 (GMT)]/text Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED/[From =?ISO-8859-1?Q?Marco_Aur=E9lio_Pereira?= <marcop2001@bol.com.br>][Date Fri, 24 Nov 2006 15:27:12 -0200]/UNNAMED Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox/[From "auditec" <ermigsaqfjx@emails.ru>][Date Tue, 07 Nov 2006 09:02:58 -0300]/UNNAMED Infected: Exploit.JS.ADODB.Stream.e skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox Mail Berkeley mbox: infected - 14, suspicious - 1 skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\plqosamk.exe Infected: Trojan.Win32.Inject.au skipped
    C:\Documents and Settings\Marco\ntuser.dat Object is locked skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP434\change.log Object is locked skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP415\A0136317.exe Infected: Trojan.Win32.Inject.au skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP415\A0136322.exe Infected: Trojan.Win32.Inject.au skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136635.exe/WISE0018.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136635.exe/WISE0018.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136635.exe WiseSFX: infected - 2 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136635.exe WiseSFX Dropper: infected - 2 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136636.exe Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136637.exe/Stream/data0010 Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136637.exe/Stream Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136637.exe Inno: infected - 2 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136638.exe/Stream/data0010 Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136638.exe/Stream Infected: not-a-virus:FraudTool.Win32.RegistryDoc.2006 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136638.exe Inno: infected - 2 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136639.exe/WISE0018.BIN/WISE0008.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136639.exe/WISE0018.BIN Infected: not-a-virus:Downloader.Win32.DigStream skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136639.exe WiseSFX: infected - 2 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136639.exe WiseSFX Dropper: infected - 2 skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136640.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136640.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136640.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP417\A0136640.exe RarSFX: infected - 3 skipped

    Scan process completed.

    and the HJT-Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:24:46, on 17/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\WINDOWS\Mixer.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    c:\arquiv~1\intern~1\iexplore.exe
    C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    C:\Arquivos de programas\Grisoft\AVG Free\avgcc.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Disco2\SPYWARE REMOVERS\1\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar4.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Arquivos de programas\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_10\bin\jusched.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146450374513
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152550746931
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    Thanks!
  • Rahina-Rescue, Finland
    edited February 2007
    Please Empty Your Thunderbird Mail inbox.

    Located here:

    C:\Documents and Settings\Marco\Dados de aplicativos\Thunderbird\Profiles\cbhl8fez.default\Mail\Local Folders-2\Inbox

    When ready please re-scan using kaspersky online scanner.

    In your next reply please post Kaspersky online scanner report along with a new Hijackthis Logfile.
  • Trogan, London, UK
    edited February 2007
    Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

    Infections can change and fresh instructions will now need to be given. This topic is now closed, if you still require assistance then please start a new topic in the Spyware & Virus Removal Forum

    If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

    Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
    If you are not the user who started this thread, you must start a new Thread instead :)
  • Trogan, London, UK
    edited February 2007
    Thread reopened.
  • edited February 2007
    Sorry, I've been away on a business trip. Here is the data requested:

    KASPERSKY ONLINE SCANNER REPORT
    Monday, February 26, 2007 1:42:19 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.83.0
    Kaspersky Anti-Virus database last update: 26/02/2007
    Kaspersky Anti-Virus database records: 273450

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 48619
    Number of viruses found: 1
    Number of infected objects: 1 / 0
    Number of suspicious objects: 0
    Duration of the scan process: 01:19:14

    Infected Object Name / Virus Name / Last Action
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\Temp\ZLT01390.TMP Object is locked skipped
    C:\WINDOWS\Temp\ZLT01397.TMP Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\Internet Logs\WINGATE-KJWLAFT.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Marco\NTUSER.DAT.LOG Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Histórico\History.IE5\MSHist012007022620070227\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Marco\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Marco\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\plqosamk.exe Infected: Trojan.Win32.Inject.au skipped
    C:\Documents and Settings\Marco\ntuser.dat Object is locked skipped
    C:\System Volume Information\_restore{5AE41F42-CAAC-4884-8180-4AF238BA66A5}\RP443\change.log Object is locked skipped

    Scan process completed.

    And HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:11:54, on 27/2/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\ctfmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\system32\ZONELABS\vsmon.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
    C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    C:\WINDOWS\Mixer.exe
    C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe
    C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Arquivos de programas\Internet Explorer\iexplore.exe
    C:\Disco2\SPYWARE REMOVERS\1\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar4.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [Nero DriveSpeed] C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
    O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
    O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Arquivos de programas\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146450374513
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152550746931
    O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

    ***THANKS***
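    As an added triage example (not code from this thread, from HijackThis, or from any of the helpers here): a small Python script that parses HijackThis-style lines like the ones in the logs above and flags the entries a helper usually looks at first: BHOs whose DLL is gone ("(no file)"), DPF entries that fetch a bare .exe instead of a .cab, and autostart entries whose target lives under a user profile rather than a program or system directory. The sample lines are constructed here in the same format; the O4 entry pointing into "Dados de aplicativos" is invented for illustration and does not appear in the posted log. The function names (parse_line, triage, triage_log) are this example's own.

```python
"""Triage helper for HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the HijackThis v1.99.1 line format. The O4 entry that
# points into the user profile is invented for illustration; the other lines
# mirror the kinds of entries seen in the posted logs.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [example-loader] C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\plqosamk.exe
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146450374513
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe
"""

# Sections whose target is executed automatically (startup, browser load, services).
AUTOSTART_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}

# Path fragments that mean "inside a user profile"; the Portuguese Windows XP
# names from the posted logs are included next to the English ones.
USER_PROFILE_MARKERS = (
    "\\documents and settings\\",
    "\\dados de aplicativos\\",   # localized "Application Data"
    "\\application data\\",
)

# "O2 - BHO: ..." / "R0 - HKCU\..." : section id, " - ", rest of the entry.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")


@dataclass
class Entry:
    section: str   # e.g. "O2", "O4", "O16"
    body: str      # everything after the section id
    target: str    # file path or URL the entry points at ("" if none)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for headers, process lists and blanks."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    if m.group("sec") == "O4":
        # O4 lines carry "[Run value name] command"; the command is the target.
        parts = body.split("] ", 1)
        target = parts[1] if len(parts) == 2 else ""
    else:
        # O2/O3/O16/O23 lines end with " - <path or URL>".
        target = body.rsplit(" - ", 1)[-1] if " - " in body else ""
    return Entry(m.group("sec"), body, target.strip())


def triage(entry: Entry) -> List[str]:
    """Return human-readable reasons this entry deserves a second look (may be empty)."""
    reasons: List[str] = []
    t = entry.target.lower()
    if entry.section == "O2" and t == "(no file)":
        reasons.append("BHO is registered but its DLL is missing (orphaned entry)")
    if entry.section == "O16" and t.startswith("http") and t.endswith(".exe"):
        reasons.append("DPF entry fetches a bare .exe rather than a .cab package")
    if entry.section in AUTOSTART_SECTIONS and any(m in t for m in USER_PROFILE_MARKERS):
        reasons.append("autostart target lives under a user profile directory")
    return reasons


def triage_log(text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[raw.strip()] = reasons
    return findings


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("   ->", reason)
```

    The flags are prompts for a human reviewer, not verdicts: a legitimate tool can also be loaded from a bare .exe (the xclean_micro.exe entry belongs to the X-Cleaner scanner the poster mentioned), and the point of the user-profile check is only that nothing in a normal XP install needs to autostart from "Dados de aplicativos".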
  • Rahina-Rescue, Finland
    edited February 2007
    Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! I suggest you print these instructions out.

    First thing I need you to do:

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

    Only copy the bolded text. Make sure you also add those quotes.

    Click Start > Run, copy and paste "C:\Documents and Settings\Marco\Dados de aplicativos\burn admin bolt\plqosamk.exe" -uninstall and hit Enter.

    Reboot your computer to Normal mode.


    ==

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
      • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

        You can find instructions on how to enable and reenable system restore here:

        Managing Windows Millennium System Restore

        or

        Windows XP System Restore Guide

        Reenable system restore with instructions from tutorial above
      • Make your Internet Explorer more secure - This can be done by following these simple instructions:
        1. From within Internet Explorer click on the Tools menu and then click on Options.
        2. Click once on the Security tab
        3. Click once on the Internet icon so it becomes highlighted.
        4. Click once on the Custom Level button.
        5. Change the Download signed ActiveX controls to Prompt
        6. Change the Download unsigned ActiveX controls to Disable
        7. Change the Initialize and script ActiveX controls not marked as safe to Disable
        8. Change the Installation of desktop items to Prompt
        9. Change the Launching programs and files in an IFRAME to Prompt
        10. Change the Navigate sub-frames across different domains to Prompt
        11. When all these settings have been made, click on the OK button.
        12. If it prompts you as to whether or not you want to save the settings, press the Yes button.
      • Next press the Apply button and then the OK to exit the Internet Properties page.
      • Use an AntiVirus Software - It is very important that your computer has anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

        See this link for a listing of some online & their stand-alone antivirus programs:

        Virus, Spyware, and Malware Protection and Removal Resources

      • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

      • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

        For a tutorial on Firewalls and a listing of some available ones see the link below:

        Understanding and Using Firewalls

      • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

      • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software.

        A tutorial on installing & using this product can be found here:

        Using Spybot - Search & Destroy to remove Spyware, Malware, and Hijackers

      • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would with antivirus software, in conjunction with Spybot.

        A tutorial on installing & using this product can be found here:

        Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

      • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

        A tutorial on installing & using this product can be found here:

        Using SpywareBlaster to protect your computer from Spyware and Malware

      • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
      Follow this list and your potential for being infected again will reduce dramatically.

      Here are some additional utilities that will enhance your safety:
      • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
      • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
      • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
      • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
        Using Winpatrol to protect your computer from malicious software

      Please post a new HijackThis log. Let me know if you still receive problems :)
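The HOSTS-file trick described in the post above (every listed ad domain is pointed at 127.0.0.1 so the browser never reaches it) can be checked mechanically. The following is an added example and is not code from the thread or from the MVPS project: it parses a constructed hosts file (the `.example.test` names are placeholders, not real ad servers), tells you whether a given name is sinkholed, and goes one step beyond the post by listing any entry that points a name at a real address instead of loopback, which is something a blocklist should never do and is worth a look if it appears in your own hosts file.

```python
"""Parse a HOSTS-format blocklist and audit what it does.

Added example, not from the original post or from the MVPS project. The
sample hosts file content below is constructed; the domain names in it are
placeholders, not real ad servers.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in HOSTS file syntax: "<address> <hostname> [# comment]".
SAMPLE_HOSTS = """\
# Constructed sample, placeholder hostnames only
127.0.0.1 localhost
127.0.0.1 ads.example.test        # ad server blocked by the list
127.0.0.1 tracker.example.test    # tracking domain blocked by the list
0.0.0.0   popup.example.test      # some lists use the unspecified address
192.0.2.10 update.example.test    # NOT a block: points a host at a remote IP
"""

# Addresses that mean "go nowhere": the loopback block and the null address.
LOOPBACK_OR_NULL = (ipaddress.ip_network("127.0.0.0/8"),
                    ipaddress.ip_network("0.0.0.0/32"))


def parse_hosts(text: str) -> Dict[str, str]:
    """Map each hostname to the address the file assigns it.

    Comments (#) and blank lines are skipped; the first address wins for a
    hostname that appears more than once, matching the resolver's behaviour.
    """
    mapping: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        address, names = parts[0], parts[1:]
        try:
            ipaddress.ip_address(address)
        except ValueError:
            continue  # malformed line, ignore it
        for name in names:
            mapping.setdefault(name.lower(), address)
    return mapping


def is_sinkholed(hostname: str, mapping: Dict[str, str]) -> bool:
    """True if the hosts file sends this name to loopback or the null address."""
    address = mapping.get(hostname.lower())
    if address is None:
        return False
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in LOOPBACK_OR_NULL)


def redirected_elsewhere(mapping: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries that point a name at a real address rather than blocking it.

    A blocklist should only ever contain loopback/null entries, so anything
    else silently overrides DNS for that name and deserves a closer look.
    """
    return sorted(
        (name, addr) for name, addr in mapping.items()
        if name != "localhost" and not is_sinkholed(name, mapping)
    )


if __name__ == "__main__":
    m = parse_hosts(SAMPLE_HOSTS)
    for host in ("ads.example.test", "update.example.test", "www.example.test"):
        print(f"{host:24} sinkholed={is_sinkholed(host, m)}")
    print("non-block entries:", redirected_elsewhere(m))
```

To audit a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` into `parse_hosts` instead of the constructed sample; `redirected_elsewhere` should then come back empty for a hosts file that only contains the blocklist.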
    1. edited March 2007
      Hello !
      About uninstalling "plqosamk.exe", I had already deleted the entire "burn admin bolt" folder. Tried to restore the system to a date before that, but had no success.

      I'll do the rest of the entire process this sunday and will post the result on the same day.

      Thanks and regards.
    2. Rahina-Rescue Finland
      edited March 2007
      Alright good work :)

      see you on Sunday :)
    3. edited March 2007
      Hi,

      I have done everything listed in the last tutorial.

      Here is the HJT log:

      Logfile of HijackThis v1.99.1
      Scan saved at 22:59:47, on 5/3/2007
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\csrss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\WINDOWS\Explorer.EXE
      C:\WINDOWS\System32\ctfmon.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\System32\alg.exe
      C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE
      C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
      C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
      C:\WINDOWS\Mixer.exe
      C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
      C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
      C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
      C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
      C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe
      C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe
      C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
      C:\Arquivos de programas\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
      C:\WINDOWS\System32\nvsvc32.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
      C:\WINDOWS\System32\wdfmgr.exe
      C:\WINDOWS\system32\ZONELABS\vsmon.exe
      C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
      C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
      C:\Arquivos de programas\Internet Explorer\iexplore.exe
      C:\Disco2\SPYWARE REMOVERS\1\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/capa/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
      O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
      O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\WINDOWS\System32\scpsssh2.dll
      O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
      O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_11\bin\ssv.dll
      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\arquivos de programas\google\googletoolbar4.dll
      O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
      O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Arquivos de programas\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
      O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\arquivos de programas\google\googletoolbar4.dll
      O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
      O4 - HKLM\..\Run: [EPSON Stylus Photo R320 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9FA.EXE /P30 "EPSON Stylus Photo R320 Series" /O6 "USB001" /M "Stylus Photo R320"
      O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
      O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
      O4 - HKLM\..\Run: [Nero DriveSpeed] C:\ARQUIV~1\Nero\NERO7~1\NEROTO~1\DRIVES~1.EXE
      O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
      O4 - HKLM\..\Run: [EPSON Stylus C67 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAL.EXE /P23 "EPSON Stylus C67 Series" /O6 "USB002" /M "Stylus C67"
      O4 - HKLM\..\Run: [Zone Labs Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [Ulead Quick-Drop] "C:\Arquivos de programas\Ulead Systems\Ulead DVD MovieFactory 4.0 Disc Creator TBYB\Ulead Quick-Drop 1.0\Quick-Drop.exe" WINDOWCALL
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe
      O4 - HKLM\..\Run: [InCD] C:\Arquivos de programas\Nero\Nero 7\InCD\InCD.exe
      O4 - HKLM\..\Run: [AVG7_CC] C:\ARQUIV~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"
      O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
      O4 - HKLM\..\Run: [SpybotSnD] "C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe"
      O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
      O8 - Extra context menu item: &Clean Traces - C:\Arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
      O8 - Extra context menu item: &Download with &DAP - C:\Arquivos de programas\DAP\dapextie.htm
      O8 - Extra context menu item: Download &all with DAP - C:\Arquivos de programas\DAP\dapextie2.htm
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
      O15 - Trusted Zone: http://www.sexzool.com
      O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
      O16 - DPF: {2E3C3651-B19C-4DD9-A979-901EC3E930AF} (ssh2 Class) - https://cpib.bradesco.com.br/scpsssh2.cab
      O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
      O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146450374513
      O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1152550746931
      O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
      O17 - HKLM\System\CCS\Services\Tcpip\..\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
      O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
      O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
      O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgamsvr.exe
      O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgupsvc.exe
      O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\ARQUIV~1\Grisoft\AVGFRE~1\avgemc.exe
      O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Arquivos de programas\Canon\CAL\CALMAIN.exe
      O23 - Service: Google Updater Service (gusvc) - Google - C:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe
      O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
      O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
      O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
      O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Arquivos de programas\Arquivos comuns\Ulead Systems\DVD\ULCDRSvr.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

      Thanks!
    4. Rahina-Rescue Finland
      edited March 2007
      Please open HiJackThis and scan. Check the boxes next to all the entries listed below

      O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
      O15 - Trusted Zone: http://www.sexzool.com


      Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

      Please run Panda's ActiveScan. You will need to use Internet Explorer to run it.
      • Once you are on the Panda site click the Scan your PC button
      • A new window will open...click the Check Now button
      • Enter your Country
      • Enter your State/Province
      • Enter your e-mail address and click send
      • Select either Home User or Company
      • Click the big Scan Now button
      o If it wants to install an ActiveX component allow it
      o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
      o When download is complete, click on My Computer to start the scan
      o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

      Let me know how things are running now :smiles:
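The two entries picked out of the log above follow rules a helper applies by hand on every HijackThis log: a BHO or toolbar registered with no file behind it, and a site added to IE's Trusted Zone. The script below is an added example, not code from this thread or from HijackThis itself; it parses the R/O entry lines of an HJT log, applies those two rules, and also pulls out the O17 NameServer addresses so they can be compared with the DNS servers the ISP actually issues. The sample lines are a subset copied from the log posted in this thread.

```python
"""Triage a HijackThis log for the entry types flagged in this thread.

Added example, not from the original thread and not part of HijackThis. It
parses the "Onn - ..." lines of an HJT log and reports the entries that
deserve a look: BHOs/toolbars whose file is missing, Trusted Zone additions,
and the DNS servers (O17) so they can be checked against the ISP's.
"""
import re
from typing import Dict, List, NamedTuple

# Sample lines copied from the log posted above (a subset of the full log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\ARQUIV~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\arquivos de programas\\google\\googletoolbar4.dll
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\ARQUIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O15 - Trusted Zone: http://www.sexzool.com
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{2B968195-CA22-4ED7-9EC2-A5A69EFD30C8}: NameServer = 201.10.120.3 201.10.1.2
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\\WINDOWS\\system32\\ZONELABS\\vsmon.exe
"""

# HJT entry lines look like "O2 - <body>" or "R0 - <body>".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# A COM class id in braces: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


class Entry(NamedTuple):
    section: str
    body: str


def parse_hjt(text: str) -> List[Entry]:
    """Keep only the R*/O* entry lines; headers and process lists are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Bucket the entries that a reviewer would look at first.

    Rules (the same ones applied by hand in this thread):
      missing_file : O2 BHOs / O3 toolbars registered but whose DLL is gone
      trusted_zone : every O15 Trusted Zone site, because a site in that zone
                     runs under IE's relaxed "Trusted sites" security settings
      nameservers  : O17 DNS servers, to be compared with what the ISP issues
    """
    findings: Dict[str, List[str]] = {"missing_file": [], "trusted_zone": [], "nameservers": []}
    for e in entries:
        if e.section in ("O2", "O3") and e.body.endswith("(no file)"):
            guid = GUID_RE.search(e.body)
            findings["missing_file"].append(guid.group(0) if guid else e.body)
        elif e.section == "O15" and e.body.startswith("Trusted Zone:"):
            findings["trusted_zone"].append(e.body.split(":", 1)[1].strip())
        elif e.section == "O17" and "NameServer =" in e.body:
            findings["nameservers"].extend(e.body.split("NameServer =", 1)[1].split())
    return findings


if __name__ == "__main__":
    for bucket, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{bucket}: {items}")
```

Run against the full log posted above, the script reports exactly the two entries the helper asked to have fixed, plus the two nameserver addresses for the user to confirm with their ISP; anything else in the log (AVG, ZoneAlarm, Spybot, printer drivers) falls through untouched.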
    5. edited March 2007
      OK, here's the Report from Panda:


      Incident
      Spyware:Cookie/Com.com Status Location
      Not disinfected C:\Documents and Settings\Marco\Cookies\marco@terra.com[1].txt
      That's the only infection, I guess. Should I erase it?

      Things are pretty close to normal, again.
      Yesterday I downloaded a program designed to manage the RAM (I was getting a message from windows, saying that there wasn't enough to run some programs); it's called FreeRAM XP Pro 1.52. Since nothing was found in the Panda scan moments ago, nor by AVG Antivirus, is it safe to assume that the program is virus/spyware free?

      Thanks!
    6. Rahina-Rescue Finland
      edited March 2007
      Congratulations, your system is clean :) . Cookies are harmless, no need to worry about that ;)

      Download CCleaner. If you don't want the Yahoo toolbar, be sure to UNcheck that option when installing the software or update.

      Instructions for using CCleaner:
      1. Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
      2. A pop up box will appear advising this process will permanently delete files from your system.
      3. To protect logon cookies that you wish to retain, go to Options > Cookies, select them and use the arrow to move those cookies to the "Cookies to keep" column.
      4. Then select the items you wish to clean up.
        1. In the Windows Tab:
          • Clean all entries in the "Internet Explorer" section.
          • Clean all the entries in the "Windows Explorer" section.
          • Clean all entries in the "System" section.
          • Clean all entries in the "Advanced" section.
          • Clean any others that you choose.
        2. In the Applications Tab:
          • Clean all in the Firefox/Mozilla section if you use it.
          • Clean all in the Opera section if you use it.
          • Clean Sun Java in the Internet Section.
          • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)
      5. Click the "Run Cleaner" button and it will scan and clean your system.
      6. Click exit.
      7. Shutdown/restart the computer.
    7. Rahina-Rescue Finland
      edited March 2007
      Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

      Infections can change and fresh instructions will now need to be given. This topic is now closed; if you still require assistance then please start a new topic in the Spyware & Virus Removal Forum.

      If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.

      Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
      If you are not the user who started this thread, you must start a new Thread instead :)
    This discussion has been closed.