ntload.sys trojan horse

riqued · 3rd February 2008

Every time I star my pc Avast shows this virus:

C:\WINDOWS\system32\ntload.sys
Win32:NTRootKit-B [Trj]
Trojan Horse

I always move it to the quarentene, but it keeps showing up.

After Avast I get a message that winupdate.exe found a problem and needs to be closed and after that another error message:

"Exception EAccessViolation in module winupdate.exe at 0001B6BB
Access violation at address 0041B6BB in module 'winupdate.exe'. Read of address FFFFFFFF."

I have Windows XP SP2, what should I do?

**Geri** · 3rd February 2008

Hi riqued
Welcome to Windowsbbs

Please download and install HijackThis and Run a scan then close HJT, then run Deckard's System Scanner and post the main.txt log here. Links and instructions here.

Thanks
Geri

riqued · 3rd February 2008

Deckard's System Scanner v20071014.68
Run by HENRIQUE on 2008-02-03 17:53:38
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
27: 2008-02-03 19:53:49 UTC - RP723 - Deckard's System Scanner Restore Point
26: 2008-02-02 20:34:43 UTC - RP722 - Ponto de verificação do sistema
25: 2008-02-01 16:29:18 UTC - RP721 - Ponto de verificação do sistema
24: 2008-01-29 19:35:04 UTC - RP720 - Ponto de verificação do sistema
23: 2008-01-28 17:47:06 UTC - RP719 - Ponto de verificação do sistema

-- First Restore Point --
1: 2007-12-26 17:51:07 UTC - RP697 - Ponto de verificação do sistema

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as HENRIQUE.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:00:56, on 3/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Arquivos de programas\TVersity\Media Server\MediaServer.exe
C:\Arquivos de programas\MicroStar\WLANUtility\WlanUtility.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\MicroStar\WLANUtility\WLAN_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\HENRIQUE\Desktop\dss.exe
C:\DOCUME~1\HENRIQUE\Desktop\HENRIQUE.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com.br/0SEPTBR/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.124.89.209:2487
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NetMeter] C:\Arquivos de programas\HooTech\NetMeter\NetMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Arquivos de programas\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WlanUtility.lnk = C:\Arquivos de programas\MicroStar\WLANUtility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O23 - Service: Abel - Unknown owner - C:\Documents and Settings\HENRIQUE\Desktop\h\Cain\Abel.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Service (KRBT) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Arquivos de programas\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Arquivos de programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: MSI_WLAN_Service - Unknown owner - C:\Arquivos de programas\MicroStar\WLANUtility\WLAN_Service.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Arquivos de programas\Registry Defragmentation\RegManServ.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Arquivos de programas\TVersity\Media Server\MediaServer.exe

--
End of file - 7725 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - unable to read value
.js - JSFile - shell\open\command - unable to read value

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys <Not Verified; Protection Technology; StarForce Protection System>
R3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys <Not Verified; MagicISO, Inc.; MagicISO SCSI Host Controller>
R3 PCANDIS5 (PCANDIS5 NDIS Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

S3 Bcim (Bandwidth Controller kernel component) - c:\windows\system32\drivers\bcim.sys (file missing)
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 hamachi_oem (PlayLinc Adapter) - c:\windows\system32\drivers\gan_adapter.sys <Not Verified; Applied Networking Inc.; Hamachi Virtual Network Interface Driver, OEM>
S3 libusb0 (LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120) - c:\windows\system32\drivers\libusb0.sys <Not Verified; http://libusb-win32.sourceforge.net; LibUSB-Win32 - Kernel Driver>
S3 npkcrypt - c:\arquivos de programas\gravity\ro\npkcrypt.sys (file missing)
S3 ntload (ntload v0.1) - c:\windows\system32\ntload.sys (file missing)
S3 PalmUSBD - c:\windows\system32\drivers\palmusbd.sys (file missing)
S3 snpstd (LG Webpro_Camera) - c:\windows\system32\drivers\snpstd.sys <Not Verified; ; PC Camera driver>
S3 usbbus (LGE CDMA Composite USB Device) - c:\windows\system32\drivers\lgusbbus.sys <Not Verified; LG Electronics Inc.; LG CDMA USB Multi function Driver>
S3 XPADFL02 (XPAD Filter Service 02) - c:\windows\system32\drivers\xpadfl02.sys <Not Verified; Compuware Corporation; DriverStudio>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Autodesk Licensing Service - "c:\arquivos de programas\arquivos comuns\autodesk shared\service\adskscsrv.exe" <Not Verified; Autodesk; Autodesk Licensing Service>
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\arquivos de programas\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 KRBT (Security Service) - c:\windows\system32\svcd\svchost.exe
R2 TVersityMediaServer - "c:\arquivos de programas\tversity\media server\mediaserver.exe"

S2 MSI_WLAN_Service - "c:\arquivos de programas\microstar\wlanutility\wlan_service.exe" <Not Verified; ; APUtility Application>
S2 RegManServ (Registry Management Service) - c:\arquivos de programas\registry defragmentation\regmanserv.exe (file missing)
S3 Abel - c:\documents and settings\henrique\desktop\h\cain\abel.exe (file missing)
S3 FLEXnet Licensing Service - "c:\arquivos de programas\arquivos comuns\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 mi-raysat_3dsmax8 (RaySat_3dsmax8 Server) - "c:\arquivos de programas\autodesk\3dsmax8\mentalray\satellite\raysat_3dsmax8server.exe"
S3 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\arquivos de programas\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe" (file missing)
S3 NMIndexingService - "c:\arquivos de programas\arquivos comuns\ahead\lib\nmindexingservice.exe" (file missing)

-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Controlador de comunicação PCI simples
Device ID: PCI\VEN_1106&DEV_3068&SUBSYS_4C211543&REV_80\3&61AAA01&0&8E
Manufacturer:
Name: Controlador de comunicação PCI simples
PNP Device ID: PCI\VEN_1106&DEV_3068&SUBSYS_4C211543&REV_80\3&61AAA01&0&8E
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: VIA Rhine II Fast Ethernet Adapter
Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_30651106&REV_74\3&61AAA01&0&90
Manufacturer: VIA Technologies, Inc.
Name: VIA Rhine II Fast Ethernet Adapter #2
PNP Device ID: PCI\VEN_1106&DEV_3065&SUBSYS_30651106&REV_74\3&61AAA01&0&90
Service: FET5X86V

-- Files created between 2008-01-03 and 2008-02-03 -----------------------------

2008-01-29 20:42:10 87552 --a------ C:\WINDOWS\system32\winupdate.exe
2008-01-29 20:41:50 87552 --a------ C:\WINDOWS\system32\TmpX.exe
2008-01-29 20:41:43 114 --a------ C:\WINDOWS\system32\url3
2008-01-29 20:41:43 102 --a------ C:\WINDOWS\system32\url2
2008-01-29 20:41:43 102 --a------ C:\WINDOWS\system32\url1
2008-01-29 20:41:43 8 --a------ C:\WINDOWS\system32\CID
2008-01-29 20:41:37 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-29 20:41:37 0 d-------- C:\WINDOWS\system32\svcd
2008-01-26 14:41:08 0 d-------- C:\Arquivos de programas\Gabest
2008-01-11 14:07:19 0 d-------- C:\Arquivos de programas\blueMSX
2008-01-06 21:33:08 0 d-------- C:\Arquivos de programas\Microsoft Silverlight

-- Find3M Report ---------------------------------------------------------------

2008-02-03 17:53:44 0 d-------- C:\Documents and Settings\HENRIQUE\Dados de aplicativos\uTorrent
2008-02-03 17:39:21 0 d-------- C:\Arquivos de programas\Mozilla Firefox 2 Beta 2
2008-02-02 17:39:47 0 d-------- C:\Documents and Settings\HENRIQUE\Dados de aplicativos\Adobe
2008-01-20 16:27:07 0 d-------- C:\Arquivos de programas\mIRC
2007-12-27 15:23:25 0 d-------- C:\Documents and Settings\HENRIQUE\Dados de aplicativos\Dev-Cpp
2007-12-20 23:33:28 0 d-------- C:\Arquivos de programas\Project64 1.6
2007-12-20 23:16:18 0 d-------- C:\Arquivos de programas\Microsoft.NET
2007-12-20 23:12:43 452722 --a----c- C:\WINDOWS\system32\perfh016.dat
2007-12-20 23:12:43 79216 --a----c- C:\WINDOWS\system32\perfc016.dat
2007-12-20 23:01:07 0 d-------- C:\Arquivos de programas\WinAVIVideoConverter
2007-12-20 22:46:22 0 d-------- C:\Arquivos de programas\LeechGet 2005
2007-12-20 02:05:36 0 d-------- C:\Documents and Settings\HENRIQUE\Dados de aplicativos\RapidCRC
2007-12-20 02:05:05 0 d-------- C:\Arquivos de programas\RapidCRC
2007-12-19 20:00:43 0 d-------- C:\Arquivos de programas\Xvid
2007-12-18 17:18:36 0 d-------- C:\Arquivos de programas\Red Kawa
2007-12-18 17:05:49 0 d-------- C:\Arquivos de programas\Windows Media Connect 2
2007-12-18 15:51:31 0 d-------- C:\Arquivos de programas\TVersity Codec Pack
2007-12-15 00:58:42 0 d-------- C:\Arquivos de programas\LibUSB-Win32
2007-12-15 00:45:15 0 d-------- C:\Documents and Settings\HENRIQUE\Dados de aplicativos\fltk.org
2007-11-29 20:40:43 0 -ra------ C:\logwmemory.bin
2007-11-16 18:41:50 4490 --a----c- C:\WINDOWS\mozver.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe" [26/08/2005 06:14]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [10/06/2004 01:48]
"NetMeter"="C:\Arquivos de programas\HooTech\NetMeter\NetMeter.exe" [14/02/2006 08:19]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [11/08/2005 05:30]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [05/12/2005 03:14]
"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [11/08/2005 05:30]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [04/12/2007 11:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" []
"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [30/03/2006 05:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:45]
"AdobeUpdater"="C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe" [01/03/2007 12:06]
"uTorrent"="C:\Arquivos de programas\uTorrent\utorrent.exe" [18/01/2008 09:30]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [30/3/2006 10:31:23]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/9/2005 11:05:26]
WlanUtility.lnk - C:\Arquivos de programas\MicroStar\WLANUtility\WlanUtility.exe [26/3/2004 04:51:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er]
"NoChangeStartMenu"=0 (0x0)
"NoLogOff"=1 (0x1)
"NoRun"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"mi-raysat_3dsmax9_32"=2 (0x2)
"mi-raysat_3dsmax8"=2 (0x2)

-- End of Deckard's System Scanner: finished at 2008-02-03 18:01:56 ------------

Thanks for the help

**Geri** · 4th February 2008

Hi riqued

Having any p2p file sharing apps such as Limewire, BitTorrent uTorrent etc.. is almost like inviting malware into your computer. There is absolutely no way for you to know which of the hundreds of thousands of users you are sharing files with are infected or not.
I strongly recommend removing any P2P applications.

Download ComboFix from Here to your Desktop.
It's best to disable realtime protection applications as they sometimes interfere with the tool. Check this link for any applicable programs you may have.

Close all open programs and windows
Double click combofix.exe and follow the prompts.
Vista users right click Combofix.exe and select Run As Administrator.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Please post the Combofix log.

Thanks
Geri

riqued · 4th February 2008

ComboFix 08-02.03.1 - HENRIQUE 2008-02-04 4:28:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.692 [GMT -2:00]
Executando de: C:\Documents and Settings\HENRIQUE\Desktop\ComboFix.exe
* Criado um novo ponto de restauro

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((( Outras Exclusäes )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wl.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\ntload

((((((((((((((((((((((( Ficheiros criados de 2008-01-04 to 2008-02-04 ))))))))))))))))))))))))))))))))
.

2008-02-03 20:31 . 2008-02-03 20:31 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-03 20:31 . 2008-02-03 20:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-03 17:52 . 2008-02-03 17:52 <DIR> d-------- C:\Deckard
2008-01-29 20:41 . 2008-01-29 20:41 <DIR> d-------- C:\WINDOWS\system32\svcd
2008-01-29 20:41 . 2008-01-29 20:41 87,552 --a------ C:\WINDOWS\system32\TmpX.exe
2008-01-29 20:41 . 2008-02-04 04:25 114 --a------ C:\WINDOWS\system32\url3
2008-01-29 20:41 . 2008-02-04 04:25 102 --a------ C:\WINDOWS\system32\url2
2008-01-29 20:41 . 2008-02-04 04:25 102 --a------ C:\WINDOWS\system32\url1
2008-01-29 20:41 . 2008-02-04 04:25 8 --a------ C:\WINDOWS\system32\CID
2008-01-29 20:41 . 2008-01-29 20:41 4 --a------ C:\WINDOWS\system32\SvcNm
2008-01-26 14:41 . 2008-01-26 14:41 <DIR> d-------- C:\Arquivos de programas\Gabest
2008-01-25 16:36 . 2004-08-04 00:45 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-25 16:36 . 2004-08-04 00:45 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-25 16:36 . 2001-09-05 23:20 12,288 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2008-01-25 16:36 . 2001-09-05 23:20 12,288 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2008-01-11 14:07 . 2008-01-11 14:08 <DIR> d-------- C:\Arquivos de programas\blueMSX
2008-01-06 21:33 . 2008-01-06 21:33 <DIR> d-------- C:\Arquivos de programas\Microsoft Silverlight

.
((((((((((((((((((((((((((((((((((((( Relat¢rio Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 06:27 --------- d-----w C:\Documents and Settings\HENRIQUE\Dados de aplicativos\uTorrent
2008-02-04 06:21 --------- d-----w C:\Arquivos de programas\Mozilla Firefox 2 Beta 2
2008-02-04 03:45 --------- d-----w C:\Arquivos de programas\mIRC
2007-12-27 17:23 --------- d-----w C:\Documents and Settings\HENRIQUE\Dados de aplicativos\Dev-Cpp
2007-12-21 01:33 --------- d-----w C:\Arquivos de programas\Project64 1.6
2007-12-21 01:16 --------- d-----w C:\Arquivos de programas\Microsoft.NET
2007-12-21 01:04 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft Help
2007-12-21 01:01 --------- d-----w C:\Arquivos de programas\WinAVIVideoConverter
2007-12-21 00:46 --------- d-----w C:\Arquivos de programas\LeechGet 2005
2007-12-20 04:05 --------- d-----w C:\Documents and Settings\HENRIQUE\Dados de aplicativos\RapidCRC
2007-12-20 04:05 --------- d-----w C:\Arquivos de programas\RapidCRC
2007-12-19 22:00 --------- d-----w C:\Arquivos de programas\Xvid
2007-12-18 19:18 --------- d-----w C:\Arquivos de programas\Red Kawa
2007-12-18 19:05 --------- d-----w C:\Arquivos de programas\Windows Media Connect 2
2007-12-18 17:51 --------- d-----w C:\Arquivos de programas\TVersity Codec Pack
2007-12-15 02:58 --------- d-----w C:\Arquivos de programas\LibUSB-Win32
2007-12-15 02:45 --------- d-----w C:\Documents and Settings\HENRIQUE\Dados de aplicativos\fltk.org
2007-12-04 14:56 93,264 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-04 14:55 94,544 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-04 14:53 23,152 -c--a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-04 14:51 42,912 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-04 14:49 26,624 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-29 22:40 0 ----a-r C:\logwmemory.bin
2007-10-04 15:57 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2007-09-01 01:41 56,096 -c--a-w C:\Documents and Settings\HENRIQUE\Dados de aplicativos\GDIPFONTCACHEV1.DAT
2006-12-18 16:57 365 ----a-w C:\Arquivos de programas\INSTALL.LOG
2003-12-18 13:33 20,102 ----a-w C:\Arquivos de programas\Readme.txt
2003-09-03 09:46 10,960 ----a-w C:\Arquivos de programas\EULA.txt
2005-05-13 20:12 217,073 -csha-w C:\WINDOWS\meta4.exe
2005-10-24 14:13 66,560 -csha-w C:\WINDOWS\MOTA113.exe
2005-10-14 00:27 422,400 -csha-w C:\WINDOWS\x2.64.exe
2005-10-07 22:14 308,224 -csha-w C:\WINDOWS\system32\avisynth.dll
2005-07-14 15:31 27,648 -csha-w C:\WINDOWS\system32\AVSredirect.dll
2005-06-22 01:37 45,568 -csha-w C:\WINDOWS\system32\cygz.dll
2004-01-25 03:00 70,656 -csha-w C:\WINDOWS\system32\i420vfw.dll
2006-04-27 13:24 2,945,024 -csha-w C:\WINDOWS\system32\Smab.dll
2005-02-28 16:16 240,128 -csha-w C:\WINDOWS\system32\x.264.exe
2004-01-25 03:00 70,656 -csha-w C:\WINDOWS\system32\yv12vfw.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & leg¡timas por defeito nÆo sÆo mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe" [ ]
"updateMgr"="C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]
"AdobeUpdater"="C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 00:06 2321600]
"uTorrent"="C:\Arquivos de programas\uTorrent\utorrent.exe" [2008-01-18 21:30 219952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-26 18:14 36975]
"snpstd"="C:\WINDOWS\vsnpstd.exe" [2004-06-10 13:48 286720]
"NetMeter"="C:\Arquivos de programas\HooTech\NetMeter\NetMeter.exe" [2006-02-14 20:19 183296]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"ISUSPM Startup"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" [2005-08-11 17:30 249856]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2005-12-05 15:14 155648]
"ISUSScheduler"="C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2005-08-11 17:30 81920]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 11:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:45 15360]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2006-03-30 22:31:23 113664]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
WlanUtility.lnk - C:\Arquivos de programas\MicroStar\WLANUtility\WlanUtility.exe [2004-03-26 16:51:30 143360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explor er]
"NoLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2004-11-02 21:24 32768 C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"SQLAgent$SONY_MEDIAMGR"=3 (0x3)
"NMIndexingService"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$SQLEXPRESS"=2 (0x2)
"mi-raysat_3dsmax9_32"=2 (0x2)
"mi-raysat_3dsmax8"=2 (0x2)

R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-31 01:22]
R2 KRBT;Security Service;C:\WINDOWS\system32\svcd\svchost.exe [2008-01-29 20:41]
R3 M2500;802.11g Wireless Network Driver;C:\WINDOWS\system32\DRIVERS\M2500.sys [2004-02-17 09:24]
S3 Abel;Abel;C:\Documents and Settings\HENRIQUE\Desktop\h\Cain\Abel.exe []
S3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2007-02-27 09:14]
S3 hamachi_oem;PlayLinc Adapter;C:\WINDOWS\system32\DRIVERS\gan_adapter.sys [2006-10-19 12:11]
S3 libusb0;LibUsb-Win32 - Kernel Driver 11/20/2005, 20051120;C:\WINDOWS\system32\drivers\libusb0.sys [2006-04-23 04:34]
S3 XPADFL02;XPAD Filter Service 02;C:\WINDOWS\system32\DRIVERS\xpadfl02.sys [2006-12-24 06:15]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 04:35:06
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializ veis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Arquivos de programas\TVersity\Media Server\MediaServer.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\MicroStar\WLANUtility\WLAN_Service.exe
.
**************************************************************************
.
Tempo para conclusÆo: 2008-02-04 4:42:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 06:41:57
.
2008-01-23 16:45:43 --- E O F ---

riqued · 4th February 2008

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:48:24, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svcd\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\vsnpstd.exe
C:\Arquivos de programas\HooTech\NetMeter\NetMeter.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\uTorrent\utorrent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\MicroStar\WLANUtility\WlanUtility.exe
C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\tlntsvr.exe
C:\Arquivos de programas\TVersity\Media Server\MediaServer.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\MicroStar\WLANUtility\WLAN_Service.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\HENRIQUE\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 65.124.89.209:2487
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Arquivos de programas\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [NetMeter] C:\Arquivos de programas\HooTech\NetMeter\NetMeter.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Arquivos de programas\Arquivos comuns\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Arquivos de programas\uTorrent\utorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WlanUtility.lnk = C:\Arquivos de programas\MicroStar\WLANUtility\WlanUtility.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O23 - Service: Abel - Unknown owner - C:\Documents and Settings\HENRIQUE\Desktop\h\Cain\Abel.exe (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Security Service (KRBT) - Unknown owner - C:\WINDOWS\system32\svcd\svchost.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Arquivos de programas\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Arquivos de programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe (file missing)
O23 - Service: MSI_WLAN_Service - Unknown owner - C:\Arquivos de programas\MicroStar\WLANUtility\WLAN_Service.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Registry Management Service (RegManServ) - Unknown owner - C:\Arquivos de programas\Registry Defragmentation\RegManServ.exe (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Arquivos de programas\TVersity\Media Server\MediaServer.exe

--
End of file - 7633 bytes

**Geri** · 5th February 2008

Hi riqued

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt

Please post the SDFix log.

Thanks
Geri

riqued · 5th February 2008

SDFix: Version 1.136

Run by HENRIQUE on ter 05/02/2008 at 02:42

Microsoft Windows XP [versão 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\CID - Deleted
C:\WINDOWS\system32\svcd\svchost.exe - Deleted
C:\WINDOWS\system32\SvcNm - Deleted
C:\WINDOWS\system32\TmpX.exe - Deleted
C:\WINDOWS\system32\upds.log - Deleted
C:\WINDOWS\system32\url1 - Deleted
C:\WINDOWS\system32\url2 - Deleted
C:\WINDOWS\system32\url3 - Deleted

Folder C:\WINDOWS\system32\svcd - Removed

Removing Temp Files...

ADS Check:

Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-05 14:57:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ae,9a,b8,83,f9,70,6b,ed,6f,62,6a,ec,ce,3b,e2,d5,e8,7b,9e,5a,0d, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e7,25,c0,9c,2c,0a,43,06,eb,72,f8,39,39,4c,61,1a,f9 ,..
"khjeh"=hex:25,d9,42,1c,9e,e5,5a,53,d3,2e,6c,43,1c,e7,82,f8,fd,0a,88,e3,5e, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c3,f2,5d,c4,ce,43,fd,e1,d8,d1,26,8c,31,a1,04,7c,58,90,7f,f9,32, ..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ae,9a,b8,83,f9,70,6b,ed,6f,62,6a,ec,ce,3b,e2,d5,e8,7b,9e,5a,0d, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e7,25,c0,9c,2c,0a,43,06,eb,72,f8,39,39,4c,61,1a,f9 ,..
"khjeh"=hex:25,d9,42,1c,9e,e5,5a,53,d3,2e,6c,43,1c,e7,82,f8,fd,0a,88,e3,5e, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c3,f2,5d,c4,ce,43,fd,e1,d8,d1,26,8c,31,a1,04,7c,58,90,7f,f9,32, ..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ae,9a,b8,83,f9,70,6b,ed,6f,62,6a,ec,ce,3b,e2,d5,e8,7b,9e,5a,0d, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e7,25,c0,9c,2c,0a,43,06,eb,72,f8,39,39,4c,61,1a,f9 ,..
"khjeh"=hex:25,d9,42,1c,9e,e5,5a,53,d3,2e,6c,43,1c,e7,82,f8,fd,0a,88,e3,5e, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c3,f2,5d,c4,ce,43,fd,e1,d8,d1,26,8c,31,a1,04,7c,58,90,7f,f9,32, ..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ae,9a,b8,83,f9,70,6b,ed,6f,62,6a,ec,ce,3b,e2,d5,e8,7b,9e,5a,0d, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e7,25,c0,9c,2c,0a,43,06,eb,72,f8,39,39,4c,61,1a,f9 ,..
"khjeh"=hex:25,d9,42,1c,9e,e5,5a,53,d3,2e,6c,43,1c,e7,82,f8,fd,0a,88,e3,5e, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c3,f2,5d,c4,ce,43,fd,e1,d8,d1,26,8c,31,a1,04,7c,58,90,7f,f9,32, ..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ae,9a,b8,83,f9,70,6b,ed,6f,62,6a,ec,ce,3b,e2,d5,e8,7b,9e,5a,0d, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e7,25,c0,9c,2c,0a,43,06,eb,72,f8,39,39,4c,61,1a,f9 ,..
"khjeh"=hex:25,d9,42,1c,9e,e5,5a,53,d3,2e,6c,43,1c,e7,82,f8,fd,0a,88,e3,5e, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:71,4c,c4,76,1b,fa,53,3b,4e,7d,28,77,08,c8,7b,72,7a,62,b9,bd,43, ..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ae,9a,b8,83,f9,70,6b,ed,6f,62,6a,ec,ce,3b,e2,d5,e8,7b,9e,5a,0d, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e7,25,c0,9c,2c,0a,43,06,eb,72,f8,39,39,4c,61,1a,f9 ,..
"khjeh"=hex:25,d9,42,1c,9e,e5,5a,53,d3,2e,6c,43,1c,e7,82,f8,fd,0a,88,e3,5e, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c3,f2,5d,c4,ce,43,fd,e1,d8,d1,26,8c,31,a1,04,7c,58,90,7f,f9,32, ..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4]
"p0"="C:\Arquivos de programas\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:ae,9a,b8,83,f9,70,6b,ed,6f,62,6a,ec,ce,3b,e2,d5,e8,7b,9e,5a,0d, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,e7,25,c0,9c,2c,0a,43,06,eb,72,f8,39,39,4c,61,1a,f9 ,..
"khjeh"=hex:25,d9,42,1c,9e,e5,5a,53,d3,2e,6c,43,1c,e7,82,f8,fd,0a,88,e3,5e, ..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:c3,f2,5d,c4,ce,43,fd,e1,d8,d1,26,8c,31,a1,04,7c,58,90,7f,f9,32, ..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s0"=dword:fbabb362
"s1"=dword:84fe3737
"s2"=dword:535a55b7
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E3 64682FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:fc,5d,ad,21,0e,7b,b0,2f,48,60,e7,df,ae,75,b3,59,7d,e5,f9,e8,7b, ..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\RemoteAccess\Accounting]
"AccountSessionIdStart"=dword:00000102
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\SharedAccess\Epoch]
"Epoch"=dword:00002cf4
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\sptd\Cfg\19659239224E36468 2FA4BAF72C53EA4]
"h0"=dword:00000000
"khjeh"=hex:fc,5d,ad,21,0e,7b,b0,2f,48,60,e7,df,ae,75,b3,59,7d,e5,f9,e8,7b, ..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\Tcpip\Parameters\Interface s\{81E7FD41-6D12-46A3-B13A-6A6A37AA116A}]
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000e10
"LeaseObtainedTime"=dword:47a88e20
"T1"=dword:47a89528
"T2"=dword:47a89a6e
"LeaseTerminatesTime"=dword:47a89c30
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\{81E7FD41-6D12-46A3-B13A-6A6A37AA116A}\Parameters\Tcpip]
"DhcpIPAddress"="0.0.0.0"
"DhcpSubnetMask"="255.0.0.0"
"DhcpServer"="255.255.255.255"
"Lease"=dword:00000e10
"LeaseObtainedTime"=dword:47a88e20
"T1"=dword:47a89528
"T2"=dword:47a89a6e
"LeaseTerminatesTime"=dword:47a89c30

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19]
"RefCount"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{3915BDE5-722A-DB0D-DC24-7E8E276BBC44}]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DEE45668-624F-C574-9905-989FB377EE69}]
"jahkkhnmgdmpngodfcff"=hex:6a,61,6d,6c,62,65,69,67,64,67,6a,62,6e,65,6e,64, 68,69,63,6e,00,..
"iankakclonkkdcmfdf"=hex:6a,61,6d,6c,62,65,69,67,64,67,6a,62,6e,65,6e,64,68 ,69,63,6e,00,..

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

Remaining Services:
------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameter s\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Arquivos de programas\\uTorrent\\utorrent.exe"="C:\\Arquivos de programas\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameter s\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Fri 13 May 2005 217,073 A.SH. --- "C:\WINDOWS\meta4.exe"
Mon 24 Oct 2005 66,560 A.SH. --- "C:\WINDOWS\MOTA113.exe"
Thu 13 Oct 2005 422,400 A.SH. --- "C:\WINDOWS\x2.64.exe"
Wed 13 Oct 2004 1,694,208 A.SH. --- "C:\Arquivos de programas\Messenger\msmsgs.exe"
Fri 7 Oct 2005 308,224 A.SH. --- "C:\WINDOWS\system32\avisynth.dll"
Thu 14 Jul 2005 27,648 A.SH. --- "C:\WINDOWS\system32\AVSredirect.dll"
Tue 21 Jun 2005 45,568 A.SH. --- "C:\WINDOWS\system32\cygz.dll"
Tue 6 Feb 2007 660,480 A..H. --- "C:\WINDOWS\system32\d3dinf.dll"
Sun 25 Jan 2004 70,656 A.SH. --- "C:\WINDOWS\system32\i420vfw.dll"
Thu 27 Apr 2006 2,945,024 A.SH. --- "C:\WINDOWS\system32\Smab.dll"
Mon 28 Feb 2005 240,128 A.SH. --- "C:\WINDOWS\system32\x.264.exe"
Sun 25 Jan 2004 70,656 A.SH. --- "C:\WINDOWS\system32\yv12vfw.dll"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Arquivos de programas\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Arquivos de programas\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Sun 28 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Tue 20 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\958f6198e7b74c8bd1180a14e6def2c1\ BIT3.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\ BIT8.tmp"
Mon 12 Nov 2007 175,104 A..H. --- "C:\Documents and Settings\HENRIQUE\Desktop\RAC\Finished\3Gal\tut2\~WRL0001.tmp"
Thu 15 Nov 2007 184,320 A..H. --- "C:\Documents and Settings\HENRIQUE\Desktop\RAC\Finished\3Gal\tut2\~WRL1835.tmp"
Thu 15 Nov 2007 201,728 A..H. --- "C:\Documents and Settings\HENRIQUE\Desktop\RAC\Finished\3Gal\tut2\~WRL2462.tmp"
Thu 15 Nov 2007 223,232 A..H. --- "C:\Documents and Settings\HENRIQUE\Desktop\RAC\Finished\3Gal\tut2\~WRL3107.tmp"
Thu 15 Nov 2007 176,128 A..H. --- "C:\Documents and Settings\HENRIQUE\Desktop\RAC\Finished\3Gal\tut2\~WRL3391.tmp"
Thu 15 Nov 2007 227,840 A..H. --- "C:\Documents and Settings\HENRIQUE\Desktop\RAC\Finished\3Gal\tut2\~WRL4000.tmp"

Finished!

Thanks Geri. The problem I had is gone, if you I don't need to do anything else can I delete the programs now?

**Geri** · 6th February 2008

Hi riqued
This is kind of hard, I don't know Spanish so I'm doing the best I can here.

OK These have to go.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\QTFont.for
C:\WINDOWS\QTFont.qfn

Please delete these and we'll get a on-line scan.

First do this.
Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created.

Now delete these.
SDFix.exe

This folder.
C:\SDFix

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
Recycle bin

The rest are optional - if you want it to remove everything check "Select All".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

Now lets get a on-line scan.

Please do an online scan with Kaspersky WebScanner

Click on “Accept” If your pop –up blocker blocks the ActiveX download, allow it, click on “Accept” again

You will be promted to install an ActiveX component from Kaspersky, Click Yes or Install.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Please post the Kaspersky log.

Thanks
Geri

**Geri** · 17th February 2008

Hi clarabelle
Welcome to Windowsbbs.
I have moved your post to a thread of its own to avoid confusion , please look for it and make all replies there.

Quote:

Please follow Posting Rules (#3 - Meaningful Subject) when posting.
I have adjusted your subject.

Thanks
Geri