
Yesterday I downloaded this: Infected Executable File Removed.

My Panda antivirus didn't see anything wrong with it, but it is some sort of spyware or trojan. Since I ran it last night, my IE opens up sometimes with an IQ test page '=)
Today I ran a quick scan with Windows Defender and it found a Win32/Renos.MQ (more info here ->
It gave me the option to remove it, so I did. It took several minutes... And, how lovely, while it was doing it, my antivirus said "Virus neutralized!" and when I checked it, xxxxxxxx which was INSIDE Windows Defender's LocalCopy folder - I assume Panda just got in the way of Defender's task.
After it finished, the dangerous file that Defender wanted to send to Microsoft was dangerous link removed
Now I ran another quick scan on Defender and it didn't find anything. Still, I would like to double check. I remember using Hijack This a few years ago and all... Does anybody have any suggestions? I arrived in this forum through this topic, very relevant to my problem ->

Thanks a lot for your attention!

Oh, no. I have news. The trojan, or whatever it is, is not gone. IE just opened up on a page called KizMe.

Sorry, I don't mean to be bumping this up... I think it's not possible to edit an existing post, unless I missed something... Anyway, my antivirus is now detecting JS/Agent.NRU in a file called in[1].htm. The file is inside IE's Temporary Internet Files folder, and it's trying to open itself on Google Chrome (my default browser). The antivirus says it was not possible to disinfect it, and directs me to this page for instructions -> unauthorized link removed
The instructions are in Portuguese though... Not that I don't understand it ;-) But I just wanted to share... They must have it in English too, I'm sure.

Hey, thanks!
I couldn't get GMER Two.log '=/ I left it alone doing its thing, went for lunch, did the dishes... when I came back I had a blue screen complaining about kxlyikog.sys
But here are the others (and thanks again!):

-MalwareBytes’ Anti-Malware log-
Malwarebytes' Anti-Malware 1.46

Database version: 4363

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

28/07/2010 21:44:03
mbam-log-2010-07-28 (21-44-03).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 348218
Time elapsed: 4 hour(s), 52 minute(s), 54 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
C:\Users\bernardo\AppData\Local\Temp\Tnh.exe (Trojan.Downloader) -> Unloaded process successfully.
C:\Users\bernardo\AppData\Local\Temp\Tng.exe (Trojan.Downloader) -> Failed to unload process.

Memory Modules Infected:
C:\Users\bernardo\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\5DR8ZAD8GX (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\TG0PTF86JH (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\5dr8zad8gx (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\halo2 (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\bernardo\AppData\Local\Temp\Tnh.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\bernardo\AppData\Local\Temp\Tng.exe (Trojan.Downloader) -> Delete on reboot.
C:\Users\bernardo\AppData\Local\Temp\sshnas21.dll (Trojan.Downloader) -> Delete on reboot.
C:\Users\bernardo\AppData\Local\Temp\Tnf.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Setup\SCRIPTS\Install.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Bernardo\Downloads\Adobe CS4 Activation Patch\Adobe CS4 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
D:\Bernardo\Downloads\Adobe.CS4.Master.Collection.Keygen.Only\Adobe CS4 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.

Rootkit quick scan 2010-07-28 14:22:12
Windows 6.1.7600
Running: uoc0xb1w.exe; Driver: C:\Users\bernardo\AppData\Local\Temp\kxlyikog.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


DDS (Ver_10-03-17.01) - NTFSx86
Run by bernardo at 21:50:25,89 on 28/07/2010
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 1.6.0_20
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.55.1033.18.2046.1164 [GMT -3:00]

============== Running Processes ===============

C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\svchost.exe -k Akamai
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUNMain.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServicePeerNet

============== Pseudo HJT Report ===============

uSearch Page = hxxp://
uStart Page =
uSearch Bar = hxxp://
uDefault_Search_URL = hxxp://
uSearchAssistant = hxxp://
uSearchURL,(Default) = hxxp://
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Programme d'aide de l'Assistant de connexion Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540003} - c:\program files\gbplugin\gbiehcef.dll
BHO: FDMIECookiesBHO Class: {cc59e0f9-7e43-44fa-9faa-8377850bf205} - c:\program files\free download manager\iefdm2.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\bernardo\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [AdobeBridge]
uRun: [Cyberlink.exe] c:\users\bernardo\appdata\Cyberlink.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [RtHDVCpl] c:\program files\realtek\audio\hda\RtHDVCpl.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MaxMenuMgr] "c:\program files\seagate\seagatemanager\freeagent status\StxMenuMgr.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
StartupFolder: c:\users\bernardo\appdata\roaming\micros~1\windows\startm~1\programs\startup\dropbox.lnk - c:\users\bernardo\appdata\roaming\dropbox\bin

mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Baixar com o Free Download Manager - file://c:\program files\free download manager\dllink.htm
IE: Baixar tudo com o Free Download Manager - file://c:\program files\free download manager\dlall.htm
IE: Baixar vídeo com o Free Download Manager - file://c:\program files\free download manager\dlfvideo.htm
IE: Download selecionado pelo Free Download Manager - file://c:\program files\free download manager\dlselected.htm
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: GbPluginCef - c:\program files\gbplugin\gbiehCef.dll
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399003} - c:\program files\gbplugin\gbiehcef.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\bernardo\appdata\roaming\mozilla\firefox\profiles\d29rhzhf.default\
FF - prefs.js: browser.startup.homepage -
FF - component: c:\program files\free download manager\firefox\extension\components\vmsfdmff.dll
FF - component: c:\program files\mozilla firefox\extensions\{ab2ce124-6272-4b12-94a9-7303c7397bd1}\components\SkypeFfComponent.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwachk.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npWebLaunch.dll
FF - plugin: c:\program files\opera\program\plugins\nppl3260.dll
FF - plugin: c:\program files\opera\program\plugins\nprpjplug.dll
FF - plugin: c:\users\bernardo\appdata\local\google\update\\npGoogleOneClick8.dll
FF - plugin: c:\users\bernardo\appdata\roaming\facebook\npfbplugin_1_0_1.dll
FF - plugin: c:\users\bernardo\appdata\roaming\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\users\bernardo\appdata\roaming\mozilla\plugins\npgtpo3dautoplugin.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", "");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name",

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description",

c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [2009-12-10 30504]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [2010-5-4 125960]
R2 Akamai;Akamai NetSession Interface;c:\windows\system32\svchost.exe -k Akamai [2009-7-13 20992]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2009-8-18 176128]
R2 FreeAgentGoNext Service;Seagate Service;c:\program files\seagate\seagatemanager\sync\FreeAgentService.exe [2009-9-25 189736]
R2 GbpSv;Gbp Service;c:\progra~1\gbplugin\GbpSv.exe [2009-12-10 53800]
R2 NanoServiceMain;Panda Cloud Antivirus Service;c:\program files\panda security\panda cloud antivirus\PSANHost.exe [2010-4-30 136448]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [2010-5-27 141384]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [2010-4-30 99336]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [2010-4-30 111112]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [2010-5-12 111176]
R3 BazisVirtualCDBus;WinCDEmu Virtual Bus Driver;c:\windows\system32\drivers\BazisVirtualCDBus.sys [2010-4-6 93848]
R3 netw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\drivers\netw5v32.sys [2009-6-10 4231168]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2009-11-27 233472]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 BazisVirtualCD;Virtual CD driver;c:\windows\system32\drivers\BazisVirtualCD.sys [2009-6-20 61080]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-2-26 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-2-26 8320]
S3 VirtDiskBus;Virtual disk Enumerator;c:\windows\system32\drivers\VirtDiskBus.sys [2009-6-20 63640]
S3 WatAdminSvc;WatAdminSvc;c:\windows\system32\wat\WatAdminSvc.exe [2010-3-8 1343400]

=============== Created Last 30 ================

2010-07-28 18:17:02 0 d-----w- c:\users\bernardo\appdata\roaming\Malwarebytes
2010-07-28 18:16:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-28 18:16:10 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-28 18:16:10 0 d-----w- c:\programdata\Malwarebytes
2010-07-28 18:16:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-28 17:20:47 93056 ----a-w- C:\kxlyikog.sys
2010-07-28 01:57:48 0 d-----w- c:\users\bernardo\appdata\roaming\DigiCel
2010-07-26 20:01:17 0 d-----w- C:\Bernardo
2010-07-17 23:01:40 0 d-----w- c:\program files\URUSoft

==================== Find3M ====================

2010-06-03 02:41:44 3600384 ----a-w- c:\windows\system32\GPhotos.scr
2010-05-27 07:24:13 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-27 03:49:37 293888 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 17:14:28 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-21 05:18:06 977920 ----a-w- c:\windows\system32\wininet.dll
2010-05-09 09:14:55 641536 ----a-w- c:\windows\system32\CPFilters.dll
2010-05-09 09:14:50 417792 ----a-w- c:\windows\system32\msdri.dll
2010-05-01 14:49:25 2326528 ----a-w- c:\windows\system32\win32k.sys
2009-08-19 19:47:33 37052 ----a-w- c:\windows\inf\perflib\041d\perfd.dat
2009-08-19 19:47:33 37052 ----a-w- c:\windows\inf\perflib\041d\perfc.dat
2009-08-19 19:47:33 294764 ----a-w- c:\windows\inf\perflib\041d\perfi.dat
2009-08-19 19:47:33 294764 ----a-w- c:\windows\inf\perflib\041d\perfh.dat
2009-08-19 18:31:41 39446 ----a-w- c:\windows\inf\perflib\0419\perfd.dat
2009-08-19 18:31:41 39446 ----a-w- c:\windows\inf\perflib\0419\perfc.dat
2009-08-19 18:31:41 336704 ----a-w- c:\windows\inf\perflib\0419\perfi.dat
2009-08-19 18:31:41 336704 ----a-w- c:\windows\inf\perflib\0419\perfh.dat
2009-08-19 18:25:23 43068 ----a-w- c:\windows\inf\perflib\0413\perfd.dat
2009-08-19 18:25:23 43068 ----a-w- c:\windows\inf\perflib\0413\perfc.dat
2009-08-19 18:25:23 341322 ----a-w- c:\windows\inf\perflib\0413\perfi.dat
2009-08-19 18:25:23 341322 ----a-w- c:\windows\inf\perflib\0413\perfh.dat
2009-08-19 18:19:37 36156 ----a-w- c:\windows\inf\perflib\0414\perfd.dat
2009-08-19 18:19:37 36156 ----a-w- c:\windows\inf\perflib\0414\perfc.dat
2009-08-19 18:19:37 298300 ----a-w- c:\windows\inf\perflib\0414\perfi.dat
2009-08-19 18:19:37 298300 ----a-w- c:\windows\inf\perflib\0414\perfh.dat
2009-08-19 18:14:15 37534 ----a-w- c:\windows\inf\perflib\0410\perfd.dat
2009-08-19 18:14:15 37534 ----a-w- c:\windows\inf\perflib\0410\perfc.dat
2009-08-19 18:14:15 335478 ----a-w- c:\windows\inf\perflib\0410\perfi.dat
2009-08-19 18:14:15 335478 ----a-w- c:\windows\inf\perflib\0410\perfh.dat
2009-08-19 18:08:30 38160 ----a-w- c:\windows\inf\perflib\040c\perfd.dat
2009-08-19 18:08:30 38160 ----a-w- c:\windows\inf\perflib\040c\perfc.dat
2009-08-19 18:08:30 344522 ----a-w- c:\windows\inf\perflib\040c\perfi.dat
2009-08-19 18:08:30 344522 ----a-w- c:\windows\inf\perflib\040c\perfh.dat
2009-08-19 18:02:49 38258 ----a-w- c:\windows\inf\perflib\040b\perfd.dat
2009-08-19 18:02:49 38258 ----a-w- c:\windows\inf\perflib\040b\perfc.dat
2009-08-19 18:02:49 279790 ----a-w- c:\windows\inf\perflib\040b\perfi.dat
2009-08-19 18:02:49 279790 ----a-w- c:\windows\inf\perflib\040b\perfh.dat
2009-08-19 17:57:50 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfd.dat
2009-08-19 17:57:50 41390 ----a-w- c:\windows\inf\perflib\0c0a\perfc.dat
2009-08-19 17:57:50 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfi.dat
2009-08-19 17:57:50 341432 ----a-w- c:\windows\inf\perflib\0c0a\perfh.dat
2009-08-19 17:52:05 38104 ----a-w- c:\windows\inf\perflib\0407\perfd.dat
2009-08-19 17:52:05 38104 ----a-w- c:\windows\inf\perflib\0407\perfc.dat
2009-08-19 17:52:05 295922 ----a-w- c:\windows\inf\perflib\0407\perfi.dat
2009-08-19 17:52:05 295922 ----a-w- c:\windows\inf\perflib\0407\perfh.dat
2009-08-19 17:46:48 39236 ----a-w- c:\windows\inf\perflib\0406\perfd.dat
2009-08-19 17:46:48 39236 ----a-w- c:\windows\inf\perflib\0406\perfc.dat
2009-08-19 17:46:48 306636 ----a-w- c:\windows\inf\perflib\0406\perfi.dat
2009-08-19 17:46:48 306636 ----a-w- c:\windows\inf\perflib\0406\perfh.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2010-01-22 18:13:51 245760 --sha-w- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\ietldcache\index.dat
2010-02-24 20:31:05 245760 --sha-w- c:\windows\system32\config\systemprofile\appdata\roaming\microsoft\windows\ietldcache\index.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c


============= FINISH: 21:55:06,39 ===============



DDS (Ver_10-03-17.01)

Microsoft Windows 7 Ultimate
Boot Device: \Device\HarddiskVolume2
Install Date: 19/11/2009 22:13:17
System Uptime: 28/07/2010 21:45:33 (0 hours ago)

Motherboard: TOSHIBA | | ISKAA
Processor: Intel(R) Core(TM)2 Duo CPU T5450 @ 1.66GHz | U2E1 | 1667/mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 18,765 GiB free.
D: is FIXED (NTFS) - 73 GiB total, 16,359 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP197: 25/07/2010 00:00:06 - Scheduled Checkpoint
RP198: 27/07/2010 10:20:48 - Windows Update
RP200: 28/07/2010 11:06:58 - Windows Defender Checkpoint

==== Installed Programs ======================

7-Zip 4.65
Adobe AIR
Adobe Anchor Service CS4
Adobe Bridge CS4
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color Video Profiles CS CS4
Adobe CS4 American English Speech Analysis Models
Adobe CSI CS4
Adobe Default Language CS4
Adobe Dreamweaver CS4
Adobe Dynamiclink Support
Adobe Encore CS4
Adobe Encore CS4 Codecs
Adobe ExtendScript Toolkit CS4
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Fonts All
Adobe Linguistics CS4
Adobe Media Encoder CS4
Adobe Media Encoder CS4 Additional Exporter
Adobe Media Encoder CS4 Dolby
Adobe Media Encoder CS4 Exporter
Adobe Media Encoder CS4 Importer
Adobe OnLocation CS4
Adobe Output Module
Adobe PDF Library Files CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Photoshop Lightroom 2.7
Adobe Premiere Pro CS4
Adobe Premiere Pro CS4 Functional Content
Adobe Premiere Pro CS4 Third Party Content
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Shockwave Player 11.5
Adobe Type Support CS4
Adobe Update Manager CS4
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS4
Akamai NetSession Interface
Apple Software Update
Ares 2.1.5
Assistant de connexion Windows Live
AviSynth 2.5 3.1
Celtx (2.7)
D-Book 5.2.3
DVD Decrypter (Remove Only)
DVD Flick
DVD Shrink 3.2
Facebook Plug-In
FileZilla Client
Foxit Reader
Free Download Manager 3.0
Google Chrome
Google Earth
Google Talk Plugin
Google Update Helper
Installation Windows Live
Java Auto Updater
Java(TM) 6 Update 20
MagicDisc 2.7.106
Malwarebytes' Anti-Malware
Microsoft .NET Framework 4 Client Profile
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Silverlight
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 3.0 Runtime
Mozilla Firefox (3.6.4)
Mozilla Firefox (3.6.8)
Mozilla Thunderbird (3.0.3)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia Software Updater
NSS (remove only)
Opera 10.60
Outil de téléchargement Windows Live
Oxin's Style! 3D GayVilla 2
Panda Cloud Antivirus
PC Connectivity Solution
PDF Settings CS4
PhotoRescue Advanced PC 2.1.700
Photoshop Camera Raw
Picasa 3
Real Alternative 1.7.5
Realtek High Definition Audio Driver
Seagate Manager Installer
SeaTools for Windows
Sid Meier's Civilization 4
SimCity 4 Deluxe
Skype Toolbars
Skype™ 4.2
Subtitle Workshop 2.51
Suite Shared Configuration CS4
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
The Sims™ 3
The Sims™ 3 Ambições
The Sims™ 3 Vida em Alto Estilo Coleção de Objetos
The Sims™ 3 Volta ao Mundo
VLC media player 1.1.1
Winamp: Detectar Aplicação
Windows Driver Package - Nokia Modem (06/01/2009
Windows Driver Package - Nokia Modem (10/05/2009 4.2)
Windows Driver Package - Nokia pccsmcfd (08/22/2008
Windows Live Call
Windows Live Communications Platform
Windows Live Messenger

==== Event Viewer Messages From Past Week ========

28/07/2010 21:45:51, Error: atikmdag [52236] - CPLIB :: General - Invalid Parameter
28/07/2010 21:45:51, Error: atikmdag [43029] - Display is not active
28/07/2010 15:10:52, Error: Service Control Manager [7022] - The Panda Cloud Antivirus Service service hung on starting.
28/07/2010 15:09:22, Error: Microsoft-Windows-WER-SystemErrorReporting [1001] - The computer has rebooted from a bugcheck. The bugcheck was: 0x00000050 (0xc966f00b, 0x00000000, 0x9d3def60, 0x00000000). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id:
28/07/2010 12:59:28, Error: Disk [11] - The driver detected a controller error on \Device\Harddisk1\DR1.
28/07/2010 10:35:21, Error: Microsoft-Windows-DistributedCOM [10001] - Unable to start a DCOM Server: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83} as /. The error: "5" Happened while starting this command: C:\Windows\System32\slui.exe -Embedding
26/07/2010 22:56:54, Error: Service Control Manager [7023] - The SPP Notification Service service terminated with the following error: Access is denied.
24/07/2010 17:01:21, Error: volsnap [36] - The shadow copies of volume C: were aborted because the shadow copy storage could not grow due to a user imposed limit.
23/07/2010 10:00:47, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WSearch service.
23/07/2010 10:00:17, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanServer service.

==== End Of File ===========================
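Added example, not a script or tool from this thread: a small Python triage pass over the DDS "Pseudo HJT Report" autorun lines posted above. It parses the uRun/mRun/BHO entries and flags the patterns that the logs in this thread show as the usual footholds: images launched from the user Temp folder (where MBAM found Tnh.exe, Tng.exe and sshnas21.dll), an executable sitting directly under AppData with no vendor folder (the uRun [Cyberlink.exe] entry in the report above), empty Run values, and BHO CLSIDs whose DLL is gone. The sample report is constructed: eight lines are copied from the DDS log in this thread and the last line, [constructed_example], is made up to exercise the Temp-folder rule. The severity rules are this example's own rules of thumb, not anything DDS or HijackThis computes.

```python
"""Autorun triage for a DDS / HijackThis-style 'Pseudo HJT Report'.

Added example, not a script from this thread. The heuristics are this
example's own rules of thumb, not anything DDS or HijackThis computes.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: the first eight lines are copied from the DDS report in
# this thread; the last line ([constructed_example]) is made up to exercise the
# Temp-folder rule and does not appear anywhere in the thread.
SAMPLE_REPORT = r"""
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
uRun: [Google Update] "c:\users\bernardo\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [AdobeBridge]
uRun: [Cyberlink.exe] c:\users\bernardo\appdata\Cyberlink.exe
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [PSUNMain] "c:\program files\panda security\panda cloud antivirus\PSUNMain.exe" /Traybar
uRun: [constructed_example] c:\users\bernardo\appdata\local\temp\example.exe
"""

# uRun = HKCU Run value, mRun = HKLM Run value (DDS naming convention).
RUN_RE = re.compile(r'^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$')
BHO_RE = re.compile(r'^BHO:\s*(?:(?P<name>.*?):\s*)?\{(?P<clsid>[0-9A-Fa-f-]+)\}\s*-\s*(?P<target>.*)$')
IMAGE_RE = re.compile(r'(.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str      # 'run' (Run value) or 'bho' (Browser Helper Object)
    scope: str     # 'HKCU' for uRun, 'HKLM' for mRun, '' for BHO lines
    name: str      # Run value name, or the BHO CLSID
    severity: str  # 'high', 'medium' or 'low'
    reason: str
    line: str      # the report line that produced the finding


def image_path(cmd: str) -> str:
    """Return the image path at the start of a Run command, with quotes removed."""
    cmd = cmd.strip()
    if not cmd:
        return ''
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = IMAGE_RE.match(cmd)          # unquoted path, possibly with spaces, then args
    return m.group(1) if m else cmd.split()[0]


def classify_location(path: str) -> Optional[Tuple[str, str]]:
    """Severity and reason based on where the image lives; None if unremarkable."""
    p = path.lower().replace('/', '\\')
    parts = p.split('\\')
    if '\\appdata\\local\\temp\\' in p:
        return 'high', 'image runs from the user Temp folder'
    if len(parts) >= 2 and parts[-2] == 'appdata':
        return 'high', 'executable sits directly under AppData with no vendor folder'
    if p.startswith('c:\\users\\'):
        return 'medium', 'runs from a user-writable profile location; verify the publisher'
    return None


def triage(report: str) -> List[Finding]:
    """Walk the report and return one Finding per suspicious autorun entry."""
    findings: List[Finding] = []
    for raw in report.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            scope = 'HKCU' if m.group('hive') == 'u' else 'HKLM'
            cmd = m.group('cmd').strip()
            if not cmd:
                findings.append(Finding('run', scope, m.group('name'), 'low',
                                        'empty Run value (orphaned entry)', line))
                continue
            hit = classify_location(image_path(cmd))
            if hit:
                findings.append(Finding('run', scope, m.group('name'), hit[0], hit[1], line))
            continue
        m = BHO_RE.match(line)
        if m and m.group('target').strip().lower() == 'no file':
            findings.append(Finding('bho', '', m.group('clsid'), 'low',
                                    'BHO CLSID is registered but its DLL is missing', line))
    return findings


def severities(report: str) -> Dict[str, str]:
    """Map each flagged entry name to its severity, for quick review or tests."""
    return {f.name: f.severity for f in triage(report)}


if __name__ == '__main__':
    order = ('high', 'medium', 'low')
    for f in sorted(triage(SAMPLE_REPORT), key=lambda f: order.index(f.severity)):
        print(f'[{f.severity:6}] {f.scope:4} {f.name}: {f.reason}')
```

A medium hit such as Google Update is expected and is not a verdict: that rule only says the image lives somewhere the user can write, so check the publisher signature before touching it. The high hits are the ones worth hashing and looking up; in this thread that is the AppData\Cyberlink.exe entry, which MBAM did not report on either scan.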

Did you run the Microsoft® Windows® Malicious Software Removal Tool ?
If not please do so.
Then do the following:
Please run the ESET Online Scanner and attach the ScanLog with your post for assistance.
You will need to use Internet Explorer to complete this scan.
You will need to temporarily disable your current anti-virus program.

Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us.

Jools Holland '=)
Yes, I had run Microsoft's tool as instructed. I ran ESET now as instructed, with my Panda and Windows Defender both turned off, but I didn't find a log file! '=/ The folder I have is C:\Program Files\ESET\ESET Online Scanner, and inside there are only OnlineScanner.ocx and OnlineScannerUninstaller.exe.

Yes, I checked "remove found threats" and "scan unwanted applications".
It took some two hours to scan and it found 2 threats. I had the option to remove them, and I did, but I don't think it removed anything... The screen after that was one where I chose to purchase it or try it... and that's all there was.

HouseCall's full scan found two threats (troj and troj) and fixed them. I found no way to get it to produce a log though. Perhaps I should redo one of the previous scans and post the new log here? What do you think?
Thanks again '=)

Here are the logs

Malwarebytes' Anti-Malware 1.46

Database version: 4371

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

31/07/2010 01:39:52
mbam-log-2010-07-31 (01-39-52).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 345057
Time elapsed: 5 hour(s), 30 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 02:11:32, on 31/07/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Users\bernardo\AppData\Local\Google\Google Talk Plugin\googletalkplugin.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\HiJackThis\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Programme d'aide de l'Assistant de connexion Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - C:\Program Files\GbPlugin\gbiehcef.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Google Update] "C:\Users\bernardo\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Cyberlink.exe] C:\Users\bernardo\AppData\Cyberlink.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Dropbox.lnk = bernardo\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Baixar com o Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: Baixar tudo com o Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Baixar vídeo com o Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download selecionado pelo Free Download Manager - file://C:\Program Files\Free Download Manager

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) -
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GbPluginCef - C:\Program Files\GbPlugin\gbiehCef.dll
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\Windows\system32\astsrv.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet

O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync

O23 - Service: Gbp Service (GbpSv) - - C:\PROGRA~1\GbPlugin\GbpSv.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe

End of file - 7537 bytes
