Full Version: Themida
Suggest A Fix PC Support Forums > Security > Malicious Code: Viruses, Trojans, Spyware and Browser HiJacking
bapepm
Every time I start up my computer, and then again every 20 minutes, I get a splash screen from Themida... whatever that is... some software engineering security... bla bla.
I'm concerned it could be some kind of threat.
I would really appreciate some help... for I don't know what to do... my computer is getting slower each time...
Thanks a lot...
rodrigo
brazil
Ironbender
Hi Rodrigo, welcome to SAF

The only known workaround for this as far as I know is:

When the "Themida" splash screen appears, hit ctrl alt delete, and in task manager kill Wmedia.exe process.
Set system to show all files and reboot into safe mode;
Search for any wmedia.* files and delete them...
(2 files are normally in the system32 folder and one in the Prefetch folder).

I would also suggest the following:

- Download and run CrapCleaner from http://www.ccleaner.com/
Note: in CCleaner, go to <options/advanced> and uncheck "Only delete files in Windows Temp folders older than 48 hours".

- Run updated versions of Spybot S&D and AdAware SE (one at a time), cleaning all that may be listed.
Spybot - http://www.safer-networking.org/en/mirrors/index.html
AdAware - http://www.download.com/3000-2144-10045910.html
(remember to update databases before scanning)

- Perform an online virus scan from http://www.pandasoftware.com/products/activescan

Next, take a look at this pinned topic and post a HijackThis log here, as we can take a look at it: http://www.suggestafix.com/index.php?showtopic=16053

cheers
Chris, from Brazil too.
bapepm
Wow... so you speak Portuguese?
Ironbender
Yes I do, Rodrigo. I was born in Piracicaba and live in Jacareí.

Yep! I do speak Portuguese (born in Piracicaba, SP), but not here, because we need to let our other members and friends read and understand what's going on. I also speak French.

Did you solve the Themida problem?

Chris
bapepm
No... I haven't solved that problem yet... there's no wmedia.exe process to kill when the splash screen comes up...
Ironbender
Even if the process is not listed there, you may try to find the files. Can you please list what processes are active when the Themida splash screen comes up?

I would also insist that you perform the pre-cleaning process I suggested above and post a HJT log here.

Chris
bapepm
Yes... I downloaded it but it won't work... I don't know why, but when I click Install the CCleaner setup window closes down and nothing happens.
Ironbender
Themida or another virus/baddie is probably preventing some programs from being installed. And what about the others? AdAware SE and Spybot S&D?

You must first get rid of the wmedia files. You did not post the running processes I asked for...

Reboot into safe mode,
Use Windows Explorer to locate any instances of wmedia.* files and delete them.

Reboot in normal mode and try to install the programs again.

Chris
bapepm
These are the processes going on when Themida comes up:
Isass
services
winlogon
crss
MpfSrv
smss
mcusrmgr
mctskshd
mcsysmon
mcshield
RedirSvc
mcpromgr
mcods
McNASvc
mcupdmgr
System
Tempo Ocioso do sistema
taskmgr
mcagen
mcvsshld
mclogsrv
HWAPI
cisvc
SiteAdv
msngr
spoolsv
GbpSv
explorer
wdfmrg
svchost
svchost
svchost
svchost
SAService
That's it....
This process called svchost... there are always 4 or 6 of it... I don't know what it is...
Before, the Themida splash screen would come up every 20 minutes... it stopped now and only appears on start up...
Ironbender
svchost is a legit service and it's normal to have several instances of them running together. I can see some unknown services (to me), so I will need to search for info on them one-by-one. This may take some time.

Try deleting the wmedia files in safe mode in the meantime. I'll be back soon.

Chris
Ironbender
Hi again, the bold red services are bad ones.

GbpSv -----------> virus/worm !
wdfmrg ----------> worm !

Hit Ctrl Alt Del and kill the red processes.

<Start/Run> type in cmd (enter)
In the command box, type the following:

sc stop gbpsv (enter)
sc delete gbpsv (enter)

sc stop wdfmrg (enter)
sc delete wdfmrg (enter)

You may now be able to install the programs normally. Run them all and post a HijackThis log afterward.

Chris

I'll be back tomorrow at 6h15~6h30 (our local time).
bapepm
I did what you told me to... but for wdfmrg I got a message saying there was no such process installed.
I ran Spybot and AdAware... AdAware found 18 bad files and deleted them all... all cookies...
But I still wasn't able to install CCleaner... don't know why... this never happened before... right after the "create desktop icon" window setup.exe just stops running...
Here's the log file from HijackThis...

Logfile of HijackThis v1.99.1
Scan saved at 18:38:38, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
C:\ARQUIV~1\McAfee\MSC\mclogsrv.exe
C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\ARQUIV~1\McAfee\MSC\mctskshd.exe
C:\ARQUIV~1\McAfee\MSC\mcusrmgr.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\Arquivos de programas\SiteAdvisor\6021\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\A\Meus documentos\Meus Arquivos Recebidos\Setup´s\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\arquivos de programas\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=022107 serial=DR12CCC-0482230-QEC lang=BP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Arquivos de programas\Skype\Plugin Manager\Skype4COM.dll
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\ARQUIV~1\ARQUIV~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Arquivos de programas\SiteAdvisor\6021\SAService.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe

I guess I'm bothering you... right? Sorry.... but thanks... haha
See you later!
bapepm
Two other questions:
What's the difference between a virus and a worm?
And is McAfee a good antivirus?
Ironbender
No Rodrigo, you are not bothering me...
Did you find and delete any wmedia.* file?

Download and install AVG Anti-Spyware from http://free.grisoft.com/doc/20/lng/us/tpl/v5 - don't run it for scanning yet, just update it:

Double-click the icon on Desktop to launch AVGAS
You will need to update AVGAS to the latest definition files.
- On the top of the main screen click Shield
- Click the word active to change it to inactive
- On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.

When you have finished updating, EXIT AVGAS.

Disconnect from the internet.

Set your system to show all files; please see here if you're unsure how to do this.

Close all programs (including McAfee antivirus and any protection program you have) leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugi...GbPluginABN.cab
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe


Click on Fix Checked when finished and exit HijackThis.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders and delete them if still present:

C:\Arquivos de programas\GbPlugin\ (whole folder)
C:\WINDOWS\msngr.exe (file)

Exit Explorer, don't reboot yet.

Run AVG Anti-Spyware.
- Click Scanner
- Click on the Scan tab
- Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine, then click Apply all actions
Once finished, click the Save report button, then click Save Report As. This will create a text file.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Make sure you know where to find this file again.
Restart in Normal Mode.

Post back a fresh HJT log along with the AVGAS report.

Chris.
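A small triage pass over HijackThis entries, added here as an example (it is not code from this thread nor from HijackThis itself): it parses O2 and O23 lines in the format posted above and flags the same signals Chris worked from, an "Unknown owner" service, a "(file missing)" or "(no file)" target, an unnamed entry, and a service binary sitting directly in C:\WINDOWS. The sample lines are copied from the log above; the heuristics are my own and deliberately do not catch everything a human reviewer does, for instance the GbpSv service, which carries a vendor name.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few O2/O23 lines copied from the HijackThis v1.99.1
# log posted in this thread, plus header lines the parser must skip.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe
"""

# Only the two sections the thread's helper worked from: BHOs (O2) and services (O23).
ENTRY_RE = re.compile(r"^O(2|23) - (?:BHO|Service): (.*)$")
# An .exe living directly in the Windows directory rather than in a vendor folder
# (heuristic of this example, not a HijackThis rule).
WIN_ROOT_EXE = re.compile(r'^"?[a-z]:\\windows\\[^\\]+\.exe', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list


def parse_entry(line):
    """Split an O2/O23 line into (section, name, owner, path); None if it is not one."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    section = "O" + m.group(1)
    parts = m.group(2).split(" - ")
    if len(parts) < 3:
        return None
    # O2:  name - {CLSID} - path        O23: name - owner - path
    owner = parts[1] if section == "O23" else ""
    path = " - ".join(parts[2:])  # keep any " - " that appears inside the path itself
    return section, parts[0], owner, path


def review_entry(name, owner, path):
    """Return the hygiene signals an entry trips; an empty list means nothing odd."""
    reasons = []
    if "(no file)" in path or "(file missing)" in path:
        reasons.append("target file missing: orphaned entry")
    if name == "(no name)":
        reasons.append("entry carries no name")
    if owner == "Unknown owner":
        reasons.append("service has no registered vendor")
    if WIN_ROOT_EXE.match(path):
        reasons.append("executable sits directly under C:\\WINDOWS")
    return reasons


def triage(log_text):
    """Walk a HijackThis log and collect every entry with at least one signal."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_entry(line.strip())
        if parsed is None:
            continue
        section, name, owner, path = parsed
        reasons = review_entry(name, owner, path)
        if reasons:
            findings.append(Finding(section, name, path, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} {f.name}\n    {f.path}\n    -> {'; '.join(f.reasons)}")
```

On the sample it reports three entries (the unnamed BHO, the Symantec service and WSMSPSVC) and stays silent on McShield and GbpSv, which is exactly why a log is read by a person and not just a script.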
bapepm
What's a wmedia.* file? Is that the name of the file, or some kind of file? I'm not sure how to look for those.
Ironbender
Follow the instructions on my last post. Don't skip any part. When you reach and perform the following instructions:
QUOTE
Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders and delete them if still present:

C:\Arquivos de programas\GbPlugin\ (whole folder)
C:\WINDOWS\msngr.exe (file)
locate and delete any wmedia.exe or wmedia.dll (do a search using Windows Explorer for wmedia.*, which means wmedia with any extension). Those are the Themida common files, and you may find three instances of them, as I told you in my first post:
QUOTE
Search for any wmedia.* files and delete them...
(2 files are normally in the system32 folder and one in the Prefetch folder).

After doing this, go back to the instructions again:
QUOTE
Exit Explorer, don't reboot yet.

Run AVG Anti-Spyware.
- Click Scanner
- Click on the Scan tab
- Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine, then click Apply all actions
Once finished, click the Save report button, then click Save Report As. This will create a text file.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

Make sure you know where to find this file again.
Restart in Normal Mode.

Post back a fresh HJT log along with the AVGAS report.

Chris
bapepm
I've done all that... and I tried to find wmedia files afterwards but none were found! It seems like you've solved that Themida problem, for I haven't seen that splash screen since then!
The only thing I could not do was delete the GbPlugin folder... I got this message saying that I couldn't delete it because someone else or some other computer was using it... the system was in safe mode and disconnected from the internet!
Here are those files you asked me to save:

---------------------------------------------------------
AVG Anti-Spyware - Relatório de verificação
---------------------------------------------------------

+ Criação: 00:48:20 8/2/2007

+ Resultado da verificação:



C:\Documents and Settings\A\Cookies\a@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Nenhuma ação executada.
C:\Documents and Settings\A\Cookies\a@atdmt[2].txt -> TrackingCookie.Atdmt : Nenhuma ação executada.
C:\Documents and Settings\A\Cookies\a@com[1].txt -> TrackingCookie.Com : Nenhuma ação executada.
C:\Documents and Settings\A\Cookies\a@doubleclick[1].txt -> TrackingCookie.Doubleclick : Nenhuma ação executada.
:mozilla.61:C:\Documents and Settings\A\Dados de aplicativos\Mozilla\Firefox\Profiles\m0r41iov.default\cookies.txt -> TrackingCookie.Googleadservices : Nenhuma ação executada.
C:\Documents and Settings\A\Cookies\a@statcounter[2].txt -> TrackingCookie.Statcounter : Nenhuma ação executada.
:mozilla.41:C:\Documents and Settings\A\Dados de aplicativos\Mozilla\Firefox\Profiles\m0r41iov.default\cookies.txt -> TrackingCookie.Yieldmanager : Nenhuma ação executada.
:mozilla.42:C:\Documents and Settings\A\Dados de aplicativos\Mozilla\Firefox\Profiles\m0r41iov.default\cookies.txt -> TrackingCookie.Yieldmanager : Nenhuma ação executada.
:mozilla.43:C:\Documents and Settings\A\Dados de aplicativos\Mozilla\Firefox\Profiles\m0r41iov.default\cookies.txt -> TrackingCookie.Yieldmanager : Nenhuma ação executada.
:mozilla.44:C:\Documents and Settings\A\Dados de aplicativos\Mozilla\Firefox\Profiles\m0r41iov.default\cookies.txt -> TrackingCookie.Yieldmanager : Nenhuma ação executada.
:mozilla.45:C:\Documents and Settings\A\Dados de aplicativos\Mozilla\Firefox\Profiles\m0r41iov.default\cookies.txt -> TrackingCookie.Yieldmanager : Nenhuma ação executada.


::Fim do relatório

Logfile of HijackThis v1.99.1
Scan saved at 01:00:22, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
C:\ARQUIV~1\McAfee\MSC\mclogsrv.exe
C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\ARQUIV~1\McAfee\MSC\mctskshd.exe
C:\ARQUIV~1\McAfee\MSC\mcusrmgr.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\Arquivos de programas\SiteAdvisor\6021\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Arquivos de programas\MSN Messenger\usnsvc.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Documents and Settings\A\Meus documentos\Meus Arquivos Recebidos\Setup´s\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\arquivos de programas\mcafee\virusscan\scriptcl.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=022107 serial=DR12CCC-0482230-QEC lang=BP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Arquivos de programas\Skype\Plugin Manager\Skype4COM.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\ARQUIV~1\ARQUIV~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Arquivos de programas\SiteAdvisor\6021\SAService.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe (file missing)

Ironbender
Good morning Rodrigo,

The AVGAS report shows "Nenhuma ação executada" instead of "quarantined" as I asked...
If you did not apply all actions to quarantine the (few) baddies, you'll need to run AVGAS again in safe mode and make it Quarantine or delete anything found.

The log looks good, but we need to get rid of those two services which are still showing...

<Iniciar/Executar>, type in services.msc (Enter)
Locate the services below, stop them, then double click on them and set them to "Desativado".

Gbp Service (GbpSv)
Windows Server Management Services (WSMSPSVC)


Reboot into safe mode again,

Run HijackThis and fix those two entries:

O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.

Before rebooting in normal mode, try again to delete the folder:

C:\Arquivos de programas\GbPlugin\ (whole folder)

restart normally and post a new HJT log.

Chris


bapepm
Is McAfee a good anti-virus? And what's a buffer overflow? Because all the time I get this message from McAfee saying that a buffer overflow has been blocked!
I still can't delete that GbPlugin folder... inside it there's only one file... GbpSv.exe

---------------------------------------------------------
AVG Anti-Spyware - Relatório de verificação
---------------------------------------------------------

+ Criação: 16:30:37 8/2/2007

+ Resultado da verificação:



C:\Documents and Settings\A\Cookies\a@2o7[1].txt -> TrackingCookie.2o7 : Limpo.
C:\Documents and Settings\A\Cookies\a@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Limpo.
C:\Documents and Settings\A\Cookies\a@atdmt[2].txt -> TrackingCookie.Atdmt : Limpo.
C:\Documents and Settings\A\Cookies\a@doubleclick[1].txt -> TrackingCookie.Doubleclick : Limpo.


::Fim do relatório

and I did do what you asked for....those are all in quarantine...

Logfile of HijackThis v1.99.1
Scan saved at 17:41:12, on 8/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
C:\ARQUIV~1\McAfee\MSC\mclogsrv.exe
C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.exe
C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\ARQUIV~1\McAfee\MSC\mctskshd.exe
C:\ARQUIV~1\McAfee\MSC\mcusrmgr.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\Arquivos de programas\SiteAdvisor\6021\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\A\Meus documentos\Meus Arquivos Recebidos\Setup´s\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\arquivos de programas\mcafee\virusscan\scriptcl.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.dll
O4 - HKLM\..\Run: [CorelDRAW Graphics Suite 11b] C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=022107 serial=DR12CCC-0482230-QEC lang=BP
O4 - HKLM\..\Run: [SiteAdvisor] C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Arquivos de programas\SiteAdvisor\6021\SiteAdv.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Arquivos de programas\Skype\Plugin Manager\Skype4COM.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Arquivos de programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\ARQUIV~1\ARQUIV~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Log Manager (McLogManagerService) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mclogsrv.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Task Scheduler (mctskshd.exe) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mctskshd.exe
O23 - Service: McAfee User Manager (mcusrmgr) - McAfee, Inc. - C:\ARQUIV~1\McAfee\MSC\mcusrmgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Arquivos de programas\SiteAdvisor\6021\SAService.exe

Something weird happened today... my screen sparked... the image disappeared and came back on in the blink of an eye... and I heard this strange noise coming from it... and my computer is way slower to start up and shut down than it used to be...
Ironbender
Good morning Rodrigo (I drank a lot yesterday, I'm hungover)

McAfee (my sister-in-law says M-Café) is a good antivirus, but viruses and baddies are different, so an antivirus may not detect malware and an antispyware may not detect a virus.

This service is still showing:
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

Did you set it to "desativado" (disabled) in services.msc?

Reboot into safe mode, run HJT again and fix it...
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe

Reboot in normal mode and see if it's gone.

If it is still there,
Run HJT again and click the "Open the misc tools section" button (4th from top to bottom);
Click the "Delete an NT service" (4th from top to bottom);
Enter GbpSv in the box and click OK.

Let me know if this O23 line is gone.

Chris
bapepm
Hey Chris... all good?
So man... I don't know what else to do...
Oops... haha... I set it to disabled a hundred times but it gets back on by itself... this thing has got its own will... and I can't delete it... that O23 line is still here and even that Delete NT Service tool won't work... it says GbpSv can't be deleted because it's running... but it's not... at least I think...
On the msconfig Services tab it's unchecked... but in services.msc it goes back to Automatic every time I disable it...
Big problem, huh?
Ironbender
Did you do this as I asked you?
QUOTE
Run HJT again and click the "Open the misc tools section" button (4th from top to bottom);
Click the "Delete an NT service" (4th from top to bottom);
Enter GbpSv in the box and click OK.

Do you have anything related to GAS Tecnologia installed? Please take a look at your Add/Remove Programs.

Also, let's try this:
Run HJT again and click the "Open the misc tools section" button (4th from top to bottom);
At the top, check the box named "List also minor sections"
Click "Generate StartupList log". A Notepad window will open; please post its content here.

Chris

bapepm
Chris... these are the programs installed on my PC...
adobe reader
Arquivo Winrar
Athlon 64 processor driver
Corel Draw
Dreamule
J2SE Runtime Environment 5.0
McAfee Security Center
Microsoft Office
Nero 7
Realtek AC'97 Audio
USB Video Device Drive
VIA Gerenciador de Dispositivo de Plataforma
VIA/S3G Display Driver
Windows Installer 3.1
Windows Live Messenger

And this is the exact message I get when trying to delete an NT service using HijackThis: "The Service GbpSv is enabled and/or running. Disable it first, using HijackThis itself (from the scan results) or the services.msc window"
Believe me... I disabled it using the services.msc window... a lot of times... it comes back...

And at last... what you just asked for:

StartupList report, 11/2/2007, 15:27:58
StartupList version: 1.52.2
Started from : C:\Documents and Settings\A\Meus documentos\Meus Arquivos Recebidos\Setup´s\Defesa\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
C:\ARQUIV~1\McAfee\MSC\mclogsrv.exe
C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe
c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe
C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\ARQUIV~1\McAfee\MSC\mctskshd.exe
C:\ARQUIV~1\McAfee\MSC\mcusrmgr.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\ARQUIV~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Arquivos de programas\Windows Media Player\wmplayer.exe
C:\ARQUIV~1\mcafee\msc\mcupdui.exe
c:\arquivos de programas\mcafee\msc\mcuimgr.exe
C:\WINDOWS\system32\imapi.exe
C:\Arquivos de programas\Internet Explorer\iexplore.exe
C:\Arquivos de programas\SiteAdvisor\SiteAdv.exe
C:\Documents and Settings\A\Meus documentos\Meus Arquivos Recebidos\Setup´s\Defesa\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

CorelDRAW Graphics Suite 11b = C:\Arquivos de programas\Corel\Corel Graphics 12\Languages\BR\Programs\Registration.exe /title="CorelDRAW Graphics Suite 12" /date=022107 serial=DR12CCC-0482230-QEC lang=BP

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

mcsysmon.exe = c:\ARQUIV~1\mcafee\VIRUSS~1\mcsysmon.exe -regserver
!mcvsps.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\mcvsps.dll
!naiannps.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\naiannps.dll
!mcvsqt.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\mcvsqt.dll
!mvscfg.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\mvscfg.dll
!mvsver.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\mvsver.dll
!naiann.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\naiann.dll
!mcodsax.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\mcodsax.dll
mcods.exe = c:\ARQUIV~1\mcafee\VIRUSS~1\mcods.exe -regserver
!mcvspp.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\mcvspp.dll
!mvsap.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\mvsap.dll
!mvslog.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\VIRUSS~1\mvslog.dll
!hwapips.dll = regsvr32.exe /s c:\ARQUIV~1\ARQUIV~1\mcafee\HACKER~1\hwapips.dll
hwapi.exe = c:\ARQUIV~1\ARQUIV~1\mcafee\HACKER~1\hwapi.exe -regserver
!redirver.dll = regsvr32.exe /s c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirver.dll
redirsvc.exe = c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe -regserver
!empxyver.dll = regsvr32.exe /s c:\ARQUIV~1\ARQUIV~1\mcafee\emproxy\empxyver.dll
!fwdrvver.dll = regsvr32.exe /s c:\ARQUIV~1\ARQUIV~1\mcafee\fwdriver\fwdrvver.dll
!mpfmisp.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\mpf\mc\mpfmisp.dll
!mpfaltps.dll = regsvr32.exe /s c:\ARQUIV~1\mcafee\mpf\mc\mpfaltps.dll

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
StubPath = C:\WINDOWS\system32\ieudinit.exe

[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Arquivos de programas\SiteAdvisor\SiteAdv.dll - {089FD14D-132B-48FC-8861-0048AE113215}
(no name) - C:\Arquivos de programas\Java\jre1.5.0_10\bin\ssv.dll (file missing) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
scriptproxy - c:\arquivos de programas\mcafee\virusscan\scriptcl.dll - {7DB2D5A0-7241-4E79-B68D-6309F01C5231}
G-Buster Browser Defense - C:\WINDOWS\Downloaded Program Files\gbieh.dll - {C41A1C0E-EA6C-11D4-B1B8-444553540000}
G-Buster Browser Defense ABN AMRO - C:\WINDOWS\Downloaded Program Files\gbiehabn.dll - {C41A1C0E-EA6C-11D4-B1B8-444553540007}

--------------------------------------------------

Enumerating Task Scheduler jobs:

McDefragTask.job
McQcTask.job

--------------------------------------------------

Enumerating Windows NT/2000/XP services

McAfee Application Installer Cleanup (0186971171216301): C:\WINDOWS\TEMP\018697~1.EXE C:\ARQUIV~1\ARQUIV~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service (autostart)
Áudio do Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Serviço de transferência inteligente de plano de fundo: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Localizador de computadores: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serviço de indexação: %SystemRoot%\system32\cisvc.exe (autostart)
Symantec Lic NetConnect service: "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
Serviços de criptografia: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Inicializador de Processo de Servidor DCOM: %SystemRoot%\system32\svchost -k DcomLaunch (autostart)
Cliente DHCP: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Gerenciador de discos lógicos: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cliente DNS: %SystemRoot%\system32\svchost.exe -k NetworkService (autostart)
Erro ao informar o serviço: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Log de eventos: %SystemRoot%\system32\services.exe (autostart)
Gbp Service: C:\Arquivos de programas\GbPlugin\GbpSv.exe (autostart)
Ajuda e suporte: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Acesso a dispositivo de interface humana: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Servidor: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Estação de trabalho: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Auxiliar NetBIOS TCP/IP: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
McAfee HackerWatch Service: "C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe" (autostart)
McAfee Log Manager: C:\ARQUIV~1\McAfee\MSC\mclogsrv.exe (autostart)
McAfee Update Manager: C:\ARQUIV~1\McAfee\MSC\mcupdmgr.exe (autostart)
McAfee Network Agent: "c:\arquivos de programas\arquivos comuns\mcafee\mna\mcnasvc.exe" (autostart)
McAfee Scanner: C:\ARQUIV~1\McAfee\VIRUSS~1\mcods.exe (autostart)
McAfee Protection Manager: C:\ARQUIV~1\McAfee\MSC\mcpromgr.exe (autostart)
McAfee Redirector Service: c:\ARQUIV~1\ARQUIV~1\mcafee\redirsvc\redirsvc.exe (autostart)
McAfee Real-time Scanner: C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe (autostart)
McAfee SystemGuards: C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe (autostart)
McAfee Task Scheduler: C:\ARQUIV~1\McAfee\MSC\mctskshd.exe (autostart)
McAfee User Manager: C:\ARQUIV~1\McAfee\MSC\mcusrmgr.exe (autostart)
McAfee Personal Firewall Service: "C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe" (autostart)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
Serviços IPSEC: %SystemRoot%\system32\lsass.exe (autostart)
Armazenamento protegido: %SystemRoot%\system32\lsass.exe (autostart)
Registro remoto: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Chamada de procedimento remoto (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
Gerenciador de contas de segurança: %SystemRoot%\system32\lsass.exe (autostart)
Agendador de tarefas: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logon secundário: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Notificação de eventos de sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Firewall do Windows/Compartilhamento de Conexão com a Internet (ICS): %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Detecção do hardware do shell: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Spooler de impressão: %SystemRoot%\system32\spoolsv.exe (autostart)
Serviço de restauração do sistema: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Assistente de aquisição de imagens do Windows (WIA): %SystemRoot%\system32\svchost.exe -k imgsvc (autostart)
Temas: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cliente de rastreamento de link distribuído: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\system32\wdfmgr.exe (autostart)
Horário do Windows: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Cliente da Web: %SystemRoot%\system32\svchost.exe -k LocalService (autostart)
Testador de instrumentação de gerenciam. do Windows: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Central de Segurança: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Atualizações Automáticas: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Configuração zero sem fio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 13.313 bytes
Report generated in 0,187 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Thanks again
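As an added example (not part of the thread, and not HijackThis or StartupList code): a small Python triage script that parses the O23 service lines from the HijackThis log and the service section of the StartupList report quoted above, joining the two so you can see which services are still set to autostart (GbpSv here, despite being "disabled") and which carry an unknown owner or a missing file. The sample input is copied from the posts above; the McAfee firewall line is deliberately left out of the StartupList sample so the "not listed as autostart" case is exercised.

```python
import re
from typing import Dict, List

# Sample input quoted from the HijackThis log and StartupList report posted
# above. The McAfee firewall service is deliberately left out of the
# StartupList sample so the "not listed as autostart" case is exercised.
HJT_O23 = r"""
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Gbp Service (GbpSv) - GAS Tecnologia LTDA - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
"""
STARTUPLIST_SERVICES = r"""
Symantec Lic NetConnect service: "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe" /h ccCommon (autostart)
Gbp Service: C:\Arquivos de programas\GbPlugin\GbpSv.exe (autostart)
McAfee HackerWatch Service: "C:\Arquivos de programas\Arquivos comuns\McAfee\HackerWatch\HWAPI.exe" (autostart)
"""

# O23 - Service: <display> [(<short name>)] - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# StartupList service line: <display name>: <command line> (<start mode>)
SVC_RE = re.compile(r"^(?P<name>.+?): (?P<cmd>.+) \((?P<start>\w+)\)$")
# Image path up to the first .exe, tolerating a leading or stray quote.
IMAGE_RE = re.compile(r'^"?(?P<image>.+?\.exe)', re.IGNORECASE)


def parse_o23(text: str) -> List[Dict]:
    """Parse HijackThis O23 lines into dicts (display, short, owner, image, file_missing)."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        img = IMAGE_RE.match(m["path"])
        entries.append({
            "display": m["display"],
            "short": m["short"],            # None when HJT shows no short name
            "owner": m["owner"],
            "image": img["image"] if img else m["path"],
            "file_missing": m["missing"] is not None,
        })
    return entries


def parse_startuplist_services(text: str) -> Dict[str, str]:
    """Map StartupList service display names to their start mode (e.g. 'autostart')."""
    return {m["name"]: m["start"]
            for m in (SVC_RE.match(ln.strip()) for ln in text.splitlines()) if m}


def triage(hjt_text: str, startuplist_text: str) -> List[Dict]:
    """Join both reports: HJT's view of each service plus whether it is still autostart."""
    modes = parse_startuplist_services(startuplist_text)
    report = []
    for e in parse_o23(hjt_text):
        flags = []
        if e["owner"] == "Unknown owner":
            flags.append("unknown owner")
        if e["file_missing"]:
            flags.append("file missing")
        report.append({**e, "start_mode": modes.get(e["display"]), "flags": flags})
    return report


if __name__ == "__main__":
    for e in triage(HJT_O23, STARTUPLIST_SERVICES):
        print(f'{e["short"] or e["display"]:<18} {e["start_mode"] or "not listed":<11} '
              f'{e["owner"]:<22} {e["image"]}  {", ".join(e["flags"])}')
```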
Ironbender
OK, leave it alone, it's a legit online banking protection service from GAS Informática, provided by ABN AMRO bank.
QUOTE
IE plugin that helps protect online banking against fraud. Installed by the bank's website. Developed by GAS Informática.

It's flagged as virus/worm by Norton and other antivirus products because there may be another baddie with the same name; this one from GAS Tecnologia is legit though.

Are you still having problems with Themida?

Chris
bapepm
Hahaha... nice...
Themida is gone... I guess my computer might be free then...
Could you just give me a tip on how to protect my PC well? Should I have an anti-spyware, a firewall and all that crap besides McAfee? How do I configure them?
How can I be sure there are no rootkits, backdoors or whatever else that could threaten me?
How can I learn all that stuff?
bapepm
How come I can't install CCleaner?
Ironbender
Maybe you can't install it because it was corrupted on download? You may try to download and install it again. Or maybe some McAfee shield setting is preventing it from being installed? I really don't know...

This is what I use for my own protection (all freebies):

AVG antivirus free, updated daily at 3:00 AM and scheduled to scan the whole system at 4:00 AM (my system is online 24x7). You don't need it, as McAfee is a good antivirus and you'd better not run two antivirus products together.

ZoneAlarm free Firewall from http://www.zonelabs.com/store/content/comp...reeDownload.jsp

SpywareBlaster: http://www.javacoolsoftware.com/sbdownload.html (update the definition files on install and once a week after install)

SpywareGuard: http://www.javacoolsoftware.com/sgdownload.html

RegProt (warns every time a registry key is changed and lets you deny the change if it looks suspicious): http://www.diamondcs.com.au/index.php?page=regprot

CrazyBrowser instead of Internet Explorer. Although it needs the IE engine to run, it has built-in content filters and popup blockers, and has never crashed: http://www.crazybrowser.com/

CrapCleaner, http://www.ccleaner.com/ (when needed or at least once a week), and AVGAS (formerly Ewido) in safe mode if I suspect something. It's a free trial for 30 days, but it still works and updates manually after that; it just doesn't have the active shield, so I leave it disabled.

NEVER leave the Outlook Express preview pane active; always delete suspicious mails before switching the preview pane back on.

With safe browsing and mailing habits, this will keep most baddies away.

Chris
bapepm
Thanks Chris... you helped me a lot...
Can I just ask you one last question? Then I swear I won't bother you ever again... hehe
What happens if you delete a program folder before uninstalling it? I did that to Java Runtime Environment... now it's listed in Add/Remove Programs... but I can't uninstall it... hehe
Ironbender
Well, you can remove it from the Add/Remove list using HijackThis... click "Open Uninstall Manager" (last button), select the program from the dropdown list and hit the "Delete this Entry" button. Just be careful not to delete a valid entry though.

BTW, you are not bothering me. You are always welcome.

Chris
Invision Power Board © 2001-2008 Invision Power Services, Inc.