
Another Trusted Zone 63.219.181.7 problem

Discussion in 'Malware and Virus Removal Archive' started by BadKarmaPT, 2004/11/24.

Thread Status:
Not open for further replies.
  1. 2004/11/24
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    I know there are some posts here regarding this or similar problems and I've read them but since this is probably system specific I decided to post anyway. Please don't hold it against me...
    I'll describe what is happening with my system and what I have done so far and how I failed to solve the problem.
    AVG 7.0 detects and is unable to clean a trojan horse (downloader.agent.5.F) at c:\windows\system32\adsnp.dll. I can't find this file anywhere on my system. Is it safe to hit "delete file"?
    I used Bitdefender antivirus free scan, Panda antivirus online and Symantec antivirus online and none detected this...
    Ad-Aware reports 1 Reg entry and 1 Reg value entry. It's able to clean it but the problem is there again after a restart.

    Started deep registry scan
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Trusted zone presumably compromised : 63.219.181.7

    Possible Browser Hijack attempt Object Recognized!
    Type : Regkey
    Data :
    Category : Vulnerability
    Comment : Trusted zone presumably compromised : 63.219.181.7
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7

    Possible Browser Hijack attempt Object Recognized!
    Type : RegValue
    Data :
    Category : Vulnerability
    Comment : Trusted zone presumably compromised : 63.219.181.7
    Rootkey : HKEY_CURRENT_USER
    Object : Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\63.219.181.7
    Value : http

    I have an entry at tools>internet options>security>trusted sites>sites that I am unable to remove (http:\\*.63.219.181.7).
    I used Spybot - Search & Destroy. It reported one Alexa related entry, five DSO exploit entries and some cookies. I was able to fix them all with the program.
    Any attempt I have made to manually edit the registry with "regedit" is proven pointless after restart.
    Using "regedit" search function causes the program to crash. Any attempt to "backup" the registry has the same effect.
    Tried "regedit" in "safe mode" and had no crashes but didn't detect suspect entries either.
    This is my HJT log.

    Logfile of HijackThis v1.98.2
    Scan saved at 20:41:53, on 24-11-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\oodag.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Programas\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\Programas\Ahead\InCD\InCD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Programas\Java\j2re1.4.2_06\bin\jusched.exe
    C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programas\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Programas\Creative\MediaSource\Detector\CTDetect.exe
    C:\Programas\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avsim.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programas\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programas\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
    O4 - HKLM\..\Run: [CTSysVol] C:\Programas\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Programas\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Programas\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300 "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_06\bin\jusched.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Programas\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU "
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O12 - Plugin for .mid: C:\Programas\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mpg: C:\Programas\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://*.63.219.181.7
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093095467125
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/15008/CTPID.cab

    Any help is more than welcome. :eek:
    Thank you in advance.
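A read-only check for the key named in the Ad-Aware output above, added here as an example and not part of the thread: this PowerShell script (assumed to run on a Windows host that has PowerShell, which the poster's XP SP1 machine would not have had) walks the current user's ZoneMap\Domains and ZoneMap\EscDomains keys, lists every host mapped to zone 2 (Trusted Sites) and flags IP-literal hosts such as 63.219.181.7. The $zoneNames table, the IsIpLiteral heuristic and the function name are my own choices; the script changes nothing in the registry.

```powershell
# Added example: report Internet Explorer zone assignments for the current user
# and highlight Trusted Sites (zone 2) entries that use an IP literal.
# Assumptions: Windows with PowerShell 3+; HKCU zone map layout
#   ZoneMap\Domains\<domain>[\<hostprefix>]  value name = scheme, DWORD = zone number.

$zoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }
$roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains'
)

function Get-ZoneMapEntries {
    param([Parameter(Mandatory)][string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return }

    foreach ($domainKey in Get-ChildItem -LiteralPath $Root) {
        # A subkey under a domain key is a host prefix (e.g. '*' or 'www').
        $keys = @($domainKey) + @(Get-ChildItem -LiteralPath $domainKey.PSPath -ErrorAction SilentlyContinue)
        foreach ($k in $keys) {
            $hostName = if ($k.PSPath -eq $domainKey.PSPath) {
                $domainKey.PSChildName
            } else {
                '{0}.{1}' -f $k.PSChildName, $domainKey.PSChildName
            }
            $props = Get-ItemProperty -LiteralPath $k.PSPath
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -like 'PS*') { continue }     # skip provider metadata (PSPath, PSParentPath, ...)
                $zone = $p.Value -as [int]                 # scheme values are DWORDs; tolerate odd data
                [pscustomobject]@{
                    Host        = $hostName
                    Scheme      = $p.Name                  # e.g. http, https, or * for any scheme
                    Zone        = $zone
                    ZoneName    = if ($null -ne $zone) { $zoneNames[$zone] } else { 'unknown' }
                    IsIpLiteral = ($domainKey.PSChildName -match '^\d{1,3}(\.\d{1,3}){3}$')
                    Key         = $k.PSPath -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
                }
            }
        }
    }
}

$entries = foreach ($r in $roots) { Get-ZoneMapEntries -Root $r }
$trusted = @($entries | Where-Object { $_.Zone -eq 2 })

if ($trusted.Count -eq 0) {
    'No Trusted Sites zone entries found for the current user.'
    return
}

$trusted | Sort-Object Host | Format-Table Host, Scheme, ZoneName, IsIpLiteral, Key -AutoSize

# An IP-literal host or a wildcard scheme in the Trusted zone is unusual for a home machine;
# the thread's 63.219.181.7 entry would match both conditions here.
$suspect = @($trusted | Where-Object { $_.IsIpLiteral -or $_.Scheme -eq '*' })
if ($suspect.Count -gt 0) {
    Write-Warning ('{0} Trusted Sites entry/entries use an IP literal or wildcard scheme; review the listed keys.' -f $suspect.Count)
}
```

Run it as the affected user, since the key is per-user (HKCU), which is also why the Ad-Aware hit above names HKEY_CURRENT_USER. IE additionally stores address ranges under ZoneMap\Ranges; this script does not walk that key, so an entry that only appears as a range would be missed. A listing that is clean immediately after removal and populated again after a reboot points, as the poster observed, at something re-creating the key at startup rather than at the key itself.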
     
  2. 2004/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS BadKarmaPT :)

    Please follow the recommendations given by member paggy here, then post the logs and contents of the reg key in this thread.
     
    Last edited: 2004/11/25


  4. 2004/11/24
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    Thank you, noahdfear.
    I followed "paddys" guidelines and will post both logs next but I looked into my registry and I have no "Ms4Hd" key... Is this possible? :confused:
    Let me know if you need anything else.
    Okay, here goes:

    Module information for 'Explorer.EXE'
    MODULE BASE SIZE PATH
    Explorer.EXE 1000000 1011712 C:\WINDOWS\Explorer.EXE 6.00.2800.1221 (xpsp2.030511-1403) Explorador do Windows
    ntdll.dll 77f40000 708608 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) DLL de camada do NT
    kernel32.dll 77e40000 995328 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1560 (xpsp2_gdr.040517-1325) DLL cliente da API BASE do Windows NT
    msvcrt.dll 77be0000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    ADVAPI32.dll 77da0000 643072 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) API avançada com base em Windows 32
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    GDI32.dll 7f000000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1561 (xpsp2_gdr.040517-1325) GDI Client DLL
    USER32.dll 77d10000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1561 (xpsp2_gdr.040517-1325) DLL de cliente API de utilizador de Windows 2000
    SHLWAPI.dll 772a0000 430080 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1584 (xpsp2.040720-1705) Biblioteca de pequenos utilitários da shell
    SHELL32.dll 4f510000 8499200 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1580 (xpsp2.040720-1705) DLL comum da shell do Windows
    ole32.dll 7cc90000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE para Windows
    OLEAUT32.dll 770f0000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1584 Biblioteca da interface de utilizador do browser da shell
    SHDOCVW.dll 71700000 1355776 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1584 Objecto Doc da shell e biblioteca de controlos
    UxTheme.dll 5b180000 212992 C:\WINDOWS\System32\UxTheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Biblioteca UxTheme da Microsoft
    comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1579_x-ww_7bbf8d08\comctl32.dll 6.0 (xpsp2.040720-1705) User Experience Controls Library
    comctl32.dll 77310000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    appHelp.dll 75ef0000 122880 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7a170000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    COMRes.dll 77010000 851968 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77bd0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    cscui.dll 765d0000 327680 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Interface de utilizador de cache do cliente
    CSCDLL.dll 765b0000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Agente de rede em offline
    themeui.dll 5ba40000 466944 C:\WINDOWS\System32\themeui.dll 6.00.2800.1106 (xpsp1.020828-1920) API de tema do Windows
    Secur32.dll 76f50000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    MSIMG32.dll 76330000 20480 C:\WINDOWS\System32\MSIMG32.dll 5.1.2600.1106 (xpsp1.020828-1920) GDIEXT Client DLL
    USERENV.dll 75a20000 684032 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    actxprxy.dll 71cf0000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
    LINKINFO.dll 76940000 28672 C:\WINDOWS\System32\LINKINFO.dll 5.1.2600.1579 (xpsp2.040720-1705) Windows Volume Tracking
    ntshrui.dll 76950000 151552 C:\WINDOWS\System32\ntshrui.dll 5.1.2600.1106 (xpsp1.020828-1920) Extensões da shell para partilha
    ATL.DLL 76ae0000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    NETAPI32.dll 71bd0000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1562 (xpsp2_gdr.040517-1325) Net Win32 API DLL
    SAMLIB.dll 71ba0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    msi.dll 1200000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
    SETUPAPI.dll 76630000 958464 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) API do programa de configuração do Windows
    NETSHELL.dll 75ca0000 1650688 C:\WINDOWS\system32\NETSHELL.dll 5.1.2600.1254 (xpsp2.030801-1834) Shell de ligações de rede
    credui.dll 76bc0000 188416 C:\WINDOWS\system32\credui.dll 5.1.2600.1106 (xpsp1.020828-1920) Interface de utilizador do 'Gestor de credênciais'
    WS2_32.dll 71a50000 81920 C:\WINDOWS\system32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71a40000 32768 C:\WINDOWS\system32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper para Windows NT
    iphlpapi.dll 76d20000 90112 C:\WINDOWS\system32\iphlpapi.dll 5.1.2600.1240 (xpsp2.030618-0119) API de programa auxiliar IP
    MLANG.dll 74710000 585728 C:\WINDOWS\System32\MLANG.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
    urlmon.dll 1a400000 503808 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1474 Extensões OLE32 para Win32
    WINSTA.dll 76310000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    webcheck.dll 74ad0000 270336 C:\WINDOWS\System32\webcheck.dll 6.00.2800.1106 (xpsp1.020828-1920) Supervisor de Web sites
    stobject.dll 74aa0000 131072 C:\WINDOWS\System32\stobject.dll 5.1.2600.1106 (xpsp1.020828-1920) Objecto 'Systray' do serviço da shell
    BatMeter.dll 74a90000 36864 C:\WINDOWS\System32\BatMeter.dll 6.00.2600.0000 (xpclient.010817-1148) DLL de ajuda do indicador de bateria
    POWRPROF.dll 74a70000 28672 C:\WINDOWS\System32\POWRPROF.dll 6.00.2600.0000 (xpclient.010817-1148) Power Profile Helper DLL
    WTSAPI32.dll 76f10000 32768 C:\WINDOWS\System32\WTSAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows Terminal Server SDK APIs
    upnpui.dll 5b390000 241664 C:\WINDOWS\System32\upnpui.dll 5.1.2600.1106 (xpsp1.020828-1920) Pasta e monitor do tabuleiro UPNP
    upnp.dll 74fe0000 135168 C:\WINDOWS\System32\upnp.dll 5.1.2600.1106 (xpsp1.020828-1920) Universal Plug and Play API
    WININET.dll 63000000 618496 C:\WINDOWS\system32\WININET.dll 6.00.2800.1468 Extensões da Internet para Win32
    CRYPT32.dll 76270000 561152 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 76250000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    SSDPAPI.dll 74ea0000 40960 C:\WINDOWS\System32\SSDPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) SSDP Client API DLL
    mswsock.dll 719f0000 245760 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Fornecedor de serviços de Microsoft Windows Sockets 2.0
    wshtcpip.dll 71a30000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    MSCTF.dll 746c0000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
    wsock32.dll 71a70000 36864 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) DLL do Windows Socket a 32 bits
    msxml3.dll 72d90000 1134592 C:\WINDOWS\System32\msxml3.dll 8.30.9926.0 MSXML 3.0 SP 3
    RASAPI32.DLL 76ea0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) API de acesso remoto
    rasman.dll 76e50000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    TAPI32.dll 76e70000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e40000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    WINMM.dll 76b00000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    sensapi.dll 72260000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
    ctagent.dll 10000000 65536 C:\WINDOWS\System32\ctagent.dll 1, 0, 0, 8 ctagent
    SXS.DLL 75e40000 708608 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1579 (xpsp2.040720-1705) Fusion 2.5
    printui.dll 74b20000 544768 C:\WINDOWS\System32\printui.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL da interface de utilizador de impressão
    WINSPOOL.DRV 72f90000 143360 C:\WINDOWS\System32\WINSPOOL.DRV 5.1.2600.1106 (xpsp1.020828-1920) Controlador de spooler do Windows
    ACTIVEDS.dll 76e00000 192512 C:\WINDOWS\System32\ACTIVEDS.dll 5.1.2600.0 (xpclient.010817-1148) DLL de camada de router ADs
    adsldpc.dll 76dd0000 151552 C:\WINDOWS\System32\adsldpc.dll 5.1.2600.1106 (xpsp1.020828-1920) DLL C do fornecedor de LDAP ADs
    WLDAP32.dll 76f20000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    CFGMGR32.dll 74a80000 28672 C:\WINDOWS\System32\CFGMGR32.dll 5.1.2600.0 (xpclient.010817-1148) Configuration Manager Forwarder DLL
    MPR.dll 71ac0000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL de router de fornecedor múltiplo
    drprov.dll 75f10000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71bc0000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71c80000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) Código comum NT LM UI - Classes GUI
    NETUI1.dll 71c40000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c30000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    davclnt.dll 75f20000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    RadExe.dll ad0000 159744 C:\WINDOWS\System32\RadExe.dll 2, 1, 1009, 0 RadExe Module
    MFC42.DLL 73d60000 991232 C:\WINDOWS\System32\MFC42.DLL 6.00.8665.0 MFCDLL Shared Library - Retail Version
    MFC42LOC.DLL 61e10000 57344 C:\WINDOWS\System32\MFC42LOC.DLL 6.00.8665 Recursos específicos de linguagem MFC
    browselc.dll 723e0000 77824 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Biblioteca da interface de utilizador do browser da shell
    AcroIEHelper.dll a00000 49152 C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    MSGINA.dll 75920000 995328 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
    ODBC32.dll 1430000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
    comdlg32.dll 76360000 286720 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Biblioteca (DLL) de caixas de diálogo comuns
    odbcint.dll 1f850000 98304 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - Recursos de ODBC
    incdshx.dll 1c000000 126976 C:\Programas\Ahead\InCD\incdshx.dll 4, 3, 0, 5 UDF Shell Extension DLL
    zipfldr.dll 73310000 335872 C:\WINDOWS\System32\zipfldr.dll 6.00.2800.1584 (xpsp2.040720-1705) Pasta comprimida (zipada)
    rarext.dll 3490000 176128 C:\Programas\WinRAR\rarext.dll
    NRad.dll 34c0000 147456 C:\WINDOWS\System32\NRad.dll 2, 1, 1009, 0 NRad Module
    mydocs.dll 723c0000 102400 C:\WINDOWS\System32\mydocs.dll 6.00.2600.0000 (xpclient.010817-1148) Interface da pasta 'Os meus documentos'
    NTMARTA.DLL 76ca0000 126976 C:\WINDOWS\System32\NTMARTA.DLL 5.1.2600.1106 (xpsp1.020828-1920) Fornecedor de Windows NT MARTA
    msohev.dll 32520000 73728 C:\Programas\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    WINTRUST.dll 76bf0000 176128 C:\WINDOWS\System32\WINTRUST.dll 5.131.2600.0 (xpclient.010817-1148) APIs de verificação de fidedignidade da Microsoft
    IMAGEHLP.dll 76c50000 139264 C:\WINDOWS\system32\IMAGEHLP.dll 5.1.2600.1106 (xpsp1.020828-1920) Windows NT Image Helper
    rsaenh.dll ffd0000 143360 C:\WINDOWS\System32\rsaenh.dll 5.1.2600.1029 (xpsp1.020426-1800) Microsoft Base Cryptographic Provider
    asfsipc.dll 70f40000 28672 C:\WINDOWS\System32\asfsipc.dll 1.1.00.3917 ASFSipc Object
    MSISIP.DLL 60a40000 53248 C:\WINDOWS\System32\MSISIP.DLL 2.0.2600.0 MSI Signature SIP Provider
    wshext.dll 74e40000 65536 C:\WINDOWS\System32\wshext.dll 5.6.0.6626 Microsoft (r) Shell Extension for Windows Script Host
    wshPTG.DLL 590f0000 57344 C:\WINDOWS\System32\wshPTG.DLL 5.6.0.6626 Microsoft (r) Windows Script Host International Resources
    MCPS.DLL 365a0000 90112 C:\PROGRA~1\MICROS~2\Office10\MCPS.DLL 10.0.6313 Media Catalog Proxy/Stub
    MSVCP60.DLL 76030000 397312 C:\WINDOWS\System32\MSVCP60.DLL 6.00.8972.0 Microsoft (R) C++ Runtime Library
     
  5. 2004/11/24
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    Module information for 'iexplore.exe'
    MODULE BASE SIZE PATH
    iexplore.exe 400000 102400 C:\Programas\Internet Explorer\iexplore.exe 6.00.2800.1106 (xpsp1.020828-1920) Internet Explorer
    ntdll.dll 77f40000 708608 C:\WINDOWS\System32\ntdll.dll 5.1.2600.1217 (xpsp2.030429-2131) DLL de camada do NT
    kernel32.dll 77e40000 995328 C:\WINDOWS\system32\kernel32.dll 5.1.2600.1560 (xpsp2_gdr.040517-1325) DLL cliente da API BASE do Windows NT
    msvcrt.dll 77be0000 339968 C:\WINDOWS\system32\msvcrt.dll 7.0.2600.1106 (xpsp1.020828-1920) Windows NT CRT DLL
    USER32.dll 77d10000 573440 C:\WINDOWS\system32\USER32.dll 5.1.2600.1561 (xpsp2_gdr.040517-1325) DLL de cliente API de utilizador de Windows 2000
    GDI32.dll 7f000000 266240 C:\WINDOWS\system32\GDI32.dll 5.1.2600.1561 (xpsp2_gdr.040517-1325) GDI Client DLL
    ADVAPI32.dll 77da0000 643072 C:\WINDOWS\system32\ADVAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) API avançada com base em Windows 32
    RPCRT4.dll 78000000 552960 C:\WINDOWS\system32\RPCRT4.dll 5.1.2600.1361 (xpsp2.040109-1800) Remote Procedure Call Runtime
    SHLWAPI.dll 772a0000 430080 C:\WINDOWS\system32\SHLWAPI.dll 6.00.2800.1584 (xpsp2.040720-1705) Biblioteca de pequenos utilitários da shell
    SHDOCVW.dll 71700000 1355776 C:\WINDOWS\System32\SHDOCVW.dll 6.00.2800.1584 Objecto Doc da shell e biblioteca de controlos
    comctl32.dll 78090000 933888 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.1579_x-ww_7bbf8d08\comctl32.dll 6.0 (xpsp2.040720-1705) User Experience Controls Library
    SHELL32.dll 4f510000 8499200 C:\WINDOWS\system32\SHELL32.dll 6.00.2800.1580 (xpsp2.040720-1705) DLL comum da shell do Windows
    comctl32.dll 77310000 569344 C:\WINDOWS\system32\comctl32.dll 5.82 (xpsp1.020828-1920) Common Controls Library
    ole32.dll 7cc90000 1196032 C:\WINDOWS\system32\ole32.dll 5.1.2600.1362 (xpsp2.040109-1800) Microsoft OLE para Windows
    uxtheme.dll 5b180000 212992 C:\WINDOWS\System32\uxtheme.dll 6.00.2800.1106 (xpsp1.020828-1920) Biblioteca UxTheme da Microsoft
    MSCTF.dll 746c0000 278528 C:\WINDOWS\System32\MSCTF.dll 5.1.2600.1106 (xpsp1.020828-1920) MSCTF Server DLL
    BROWSEUI.dll 71500000 1036288 C:\WINDOWS\System32\BROWSEUI.dll 6.00.2800.1584 Biblioteca da interface de utilizador do browser da shell
    browselc.dll 723e0000 77824 C:\WINDOWS\System32\browselc.dll 6.00.2800.1106 (xpsp1.020828-1920) Biblioteca da interface de utilizador do browser da shell
    appHelp.dll 75ef0000 122880 C:\WINDOWS\system32\appHelp.dll 5.1.2600.1106 (xpsp1.020828-1920) Application Compatibility Client Library
    CLBCATQ.DLL 7a170000 528384 C:\WINDOWS\System32\CLBCATQ.DLL 2001.12.4414.53
    OLEAUT32.dll 770f0000 569344 C:\WINDOWS\system32\OLEAUT32.dll 3.50.5016.0 Microsoft OLE 3.50 for Windows NT(TM) and Windows 95(TM) Operating Systems
    COMRes.dll 77010000 851968 C:\WINDOWS\System32\COMRes.dll 2001.12.4414.42
    VERSION.dll 77bd0000 28672 C:\WINDOWS\system32\VERSION.dll 5.1.2600.0 (xpclient.010817-1148) Version Checking and File Installation Libraries
    WININET.dll 63000000 618496 C:\WINDOWS\system32\WININET.dll 6.00.2800.1468 Extensões da Internet para Win32
    CRYPT32.dll 76270000 561152 C:\WINDOWS\system32\CRYPT32.dll 5.131.2600.1123 (xpsp2.020921-0842) Crypto API32
    MSASN1.dll 76250000 65536 C:\WINDOWS\system32\MSASN1.dll 5.1.2600.1362 (xpsp2.040109-1800) ASN.1 Runtime APIs
    Secur32.dll 76f50000 65536 C:\WINDOWS\System32\Secur32.dll 5.1.2600.1106 (xpsp1.020828-1920) Security Support Provider Interface
    cscui.dll 765d0000 327680 C:\WINDOWS\System32\cscui.dll 5.1.2600.1106 (xpsp1.020828-1920) Interface de utilizador de cache do cliente
    CSCDLL.dll 765b0000 110592 C:\WINDOWS\System32\CSCDLL.dll 5.1.2600.0 (xpclient.010817-1148) Agente de rede em offline
    SETUPAPI.dll 76630000 958464 C:\WINDOWS\System32\SETUPAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) API do programa de configuração do Windows
    SnagItIEAddin.dll 10000000 151552 C:\Programas\TechSmith\SnagIt 7\SnagItIEAddin.dll 1.0.5 SnagIt Add-in for Internet Explorer
    MSVCR71.dll 7c340000 352256 C:\Programas\TechSmith\SnagIt 7\MSVCR71.dll 7.10.3052.4 Microsoft® C Runtime Library
    SnagItBHO.dll 1a00000 49152 C:\Programas\TechSmith\SnagIt 7\SnagItBHO.dll 1.0.1 SnagIt Browser Helper Object for Internet Explorer
    AcroIEHelper.dll 1a10000 49152 C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll 6.0.1.2003110300 Adobe Acrobat IE Helper Version 6.0 for ActivieX
    urlmon.dll 1a400000 503808 C:\WINDOWS\system32\urlmon.dll 6.00.2800.1474 Extensões OLE32 para Win32
    SXS.DLL 75e40000 708608 C:\WINDOWS\System32\SXS.DLL 5.1.2600.1579 (xpsp2.040720-1705) Fusion 2.5
    shdoclc.dll 76120000 577536 C:\WINDOWS\System32\shdoclc.dll 6.00.2600.0000 (xpclient.010817-1148) Objecto Doc da shell e biblioteca de controlos
    mlang.dll 74710000 585728 C:\WINDOWS\System32\mlang.dll 6.00.2600.0000 (xpclient.010817-1148) Multi Language Support DLL
    wsock32.dll 71a70000 36864 C:\WINDOWS\System32\wsock32.dll 5.1.2600.0 (xpclient.010817-1148) DLL do Windows Socket a 32 bits
    WS2_32.dll 71a50000 81920 C:\WINDOWS\System32\WS2_32.dll 5.1.2600.1240 (xpsp2.030618-0119) Windows Socket 2.0 32-Bit DLL
    WS2HELP.dll 71a40000 32768 C:\WINDOWS\System32\WS2HELP.dll 5.1.2600.0 (xpclient.010817-1148) Windows Socket 2.0 Helper para Windows NT
    mswsock.dll 719f0000 245760 C:\WINDOWS\system32\mswsock.dll 5.1.2600.0 (xpclient.010817-1148) Fornecedor de serviços de Microsoft Windows Sockets 2.0
    wshtcpip.dll 71a30000 32768 C:\WINDOWS\System32\wshtcpip.dll 5.1.2600.0 (xpclient.010817-1148) Windows Sockets Helper DLL
    RASAPI32.DLL 76ea0000 225280 C:\WINDOWS\System32\RASAPI32.DLL 5.1.2600.1106 (xpsp1.020828-1920) API de acesso remoto
    rasman.dll 76e50000 69632 C:\WINDOWS\System32\rasman.dll 5.1.2600.1106 (xpsp1.020828-1920) Remote Access Connection Manager
    NETAPI32.dll 71bd0000 319488 C:\WINDOWS\System32\NETAPI32.dll 5.1.2600.1562 (xpsp2_gdr.040517-1325) Net Win32 API DLL
    TAPI32.dll 76e70000 176128 C:\WINDOWS\System32\TAPI32.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Windows(TM) Telephony API Client DLL
    rtutils.dll 76e40000 53248 C:\WINDOWS\System32\rtutils.dll 5.1.2600.0 (xpclient.010817-1148) Routing Utilities
    WINMM.dll 76b00000 184320 C:\WINDOWS\System32\WINMM.dll 5.1.2600.1106 (xpsp1.020828-1920) MCI API DLL
    ctagent.dll 1e00000 65536 C:\WINDOWS\System32\ctagent.dll 1, 0, 0, 8 ctagent
    sensapi.dll 72260000 20480 C:\WINDOWS\System32\sensapi.dll 5.1.2600.1106 (xpsp1.020828-1920) SENS Connectivity API DLL
    USERENV.dll 75a20000 684032 C:\WINDOWS\system32\USERENV.dll 5.1.2600.1106 (xpsp1.020828-1920) Userenv
    msi.dll 2150000 2101248 C:\WINDOWS\System32\msi.dll 2.0.2600.1106 Windows Installer
    DNSAPI.dll 76ee0000 151552 C:\WINDOWS\System32\DNSAPI.dll 5.1.2600.1106 (xpsp1.020828-1920) DNS Client API DLL
    winrnr.dll 76f70000 28672 C:\WINDOWS\System32\winrnr.dll 5.1.2600.0 (xpclient.010817-1148) LDAP RnR Provider DLL
    WLDAP32.dll 76f20000 184320 C:\WINDOWS\system32\WLDAP32.dll 5.1.2600.1106 (xpsp1.020828-1920) Win32 LDAP API DLL
    rasadhlp.dll 76f80000 20480 C:\WINDOWS\System32\rasadhlp.dll 5.1.2600.0 (xpclient.010817-1148) Remote Access AutoDial Helper
    mshtml.dll 63580000 2830336 C:\WINDOWS\System32\mshtml.dll 6.00.2800.1476 Visualizador de HTML da Microsoft (R)
    msimtf.dll 74690000 155648 C:\WINDOWS\System32\msimtf.dll 5.1.2600.1106 (xpsp1.020828-1920) Active IMM Server DLL
    MSLS31.DLL 74660000 159744 C:\WINDOWS\System32\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
    IMM32.DLL 76340000 114688 C:\WINDOWS\System32\IMM32.DLL 5.1.2600.1106 (xpsp1.020828-1920) Windows XP IMM32 API Client DLL
    msohev.dll 32520000 73728 C:\Programas\Microsoft Office\Office10\msohev.dll 10.0.2609 Microsoft Office XP component
    jscript.dll 6b700000 589824 C:\WINDOWS\System32\jscript.dll 5.6.0.8513 Microsoft (r) JScript
    MPR.dll 71ac0000 69632 C:\WINDOWS\system32\MPR.dll 5.1.2600.0 (xpclient.010817-1148) DLL de router de fornecedor múltiplo
    drprov.dll 75f10000 24576 C:\WINDOWS\System32\drprov.dll 5.1.2600.0 (xpclient.010817-1148) Microsoft Terminal Server Network Provider
    ntlanman.dll 71bc0000 53248 C:\WINDOWS\System32\ntlanman.dll 5.1.2600.1106 (xpsp1.020828-1920) Microsoft® Lan Manager
    NETUI0.dll 71c80000 90112 C:\WINDOWS\System32\NETUI0.dll 5.1.2600.0 (xpclient.010817-1148) Código comum NT LM UI - Classes GUI
    NETUI1.dll 71c40000 245760 C:\WINDOWS\System32\NETUI1.dll 5.1.2600.0 (xpclient.010817-1148) NT LM UI Common Code - Networking classes
    NETRAP.dll 71c30000 24576 C:\WINDOWS\System32\NETRAP.dll 5.1.2600.0 (xpclient.010817-1148) Net Remote Admin Protocol DLL
    SAMLIB.dll 71ba0000 69632 C:\WINDOWS\System32\SAMLIB.dll 5.1.2600.1106 (xpsp1.020828-1920) SAM Library DLL
    davclnt.dll 75f20000 36864 C:\WINDOWS\System32\davclnt.dll 5.1.2600.0 (xpclient.010817-1148) Web DAV Client DLL
    MSGINA.dll 75920000 995328 C:\WINDOWS\System32\MSGINA.dll 5.1.2600.1343 (xpsp2.040109-1800) Windows NT Logon GINA DLL
    WINSTA.dll 76310000 61440 C:\WINDOWS\System32\WINSTA.dll 5.1.2600.1106 (xpsp1.020828-1920) Winstation Library
    ODBC32.dll 3670000 204800 C:\WINDOWS\System32\ODBC32.dll 3.520.9042.0 Microsoft Data Access - ODBC Driver Manager
    comdlg32.dll 76360000 286720 C:\WINDOWS\system32\comdlg32.dll 6.00.2800.1106 (xpsp1.020828-1920) Biblioteca (DLL) de caixas de diálogo comuns
    odbcint.dll 1f850000 98304 C:\WINDOWS\System32\odbcint.dll 3.520.7713.0 Microsoft Data Access - Recursos de ODBC
    mshtmled.dll 74c50000 454656 C:\WINDOWS\System32\mshtmled.dll 6.00.2800.1106 (xpsp1.020828-1920) Componente de edição de HTML da Microsoft (R)
    imgutil.dll 66d50000 40960 C:\WINDOWS\System32\imgutil.dll 6.00.2800.1106 (xpsp1.020828-1920) IE plugin image decoder support DLL
    pngfilt.dll 5e760000 45056 C:\WINDOWS\System32\pngfilt.dll 6.00.2800.1106 (xpsp1.020828-1920) IE PNG plugin image decoder
    dxtrans.dll 6c2e0000 208896 C:\WINDOWS\System32\dxtrans.dll 6.00.2800.1106 (xpsp1.020828-1920) DirectX Media -- DirectX Transform Core
    ATL.DLL 76ae0000 86016 C:\WINDOWS\System32\ATL.DLL 3.00.9435 ATL Module for Windows NT (Unicode)
    ddrawex.dll 65000000 36864 C:\WINDOWS\System32\ddrawex.dll 5.3.0000000.900 built by: DIRECTX Direct Draw Ex
    DDRAW.dll 51000000 327680 C:\WINDOWS\System32\DDRAW.dll 5.3.0000001.0904 built by: private/Lab06_dev(DXBLD00) Microsoft DirectDraw
    DCIMAN32.dll 73b50000 24576 C:\WINDOWS\System32\DCIMAN32.dll 5.1.2600.0 (xpclient.010817-1148) DCI Manager
    dxtmsft.dll 6c320000 348160 C:\WINDOWS\System32\dxtmsft.dll 6.00.2800.1106 (xpsp1.020828-1920) DirectX Media -- Image DirectX Transforms
    actxprxy.dll 71cf0000 110592 C:\WINDOWS\System32\actxprxy.dll 6.00.2600.0000 (XPClient.010817-1148) ActiveX Interface Marshaling Library
     
  6. 2004/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Well, I suppose it is possible to not have that key, but not likely, IMO. More likely it's not visible unless you're in safe mode. On the chance that this variant might be using a different key than we've seen thus far, would you also do as suggested in this post. I will PM you with my email addy.

    Incidentally, I did not see any bad dlls in your PV log as I have in most others with this infection.
     
  7. 2004/11/24
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    Mail sent with the requested info.
    Thank you.
     
  8. 2004/11/24
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    Outlook considered the Ms4Hd file "dangerous" and removed it from the mail.
    I'm pasting it here.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files]
    "msswch.exe"=""
    "adsnp.dll"=""
    "cdrview.dll"=""
    "comctrl32.dll"=""
    "dbconf.exe"=""
    "qwinsta32.exe"=""
    "routenet.exe"=""
    "smbin.exe"=""
    "taskrun.exe"=""
    "usrdate.exe"=""
    "spoolsrv.exe"=""
    "winmcd.exe"=""
    "winsrv.exe"=""
    "msbkup.exe"=""
    "usb.dll"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Processes]
    "msswch.exe"=""
    "dbconf.exe"=""
    "qwinsta32.exe"=""
    "routenet.exe"=""
    "smbin.exe"=""
    "taskrun.exe"=""
    "usrdate.exe"=""
    "spoolsrv.exe"=""
    "winmcd.exe"=""
    "winsrv.exe"=""
    "msbkup.exe"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys]
    "{98DBBF16-CA43-4c33-BE80-99E6694468A4}"=""
    "{A5366673-E8CA-11D3-9CD9-0090271D075B}"=""
    "Files"=""
    "Ms4Hd"=""
    "Processes"=""
    "RegKeys"=""
    "RegValues"=""
    "Vendor"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegValues]
    "msbkup.exe"=""
    "spoolsrv.exe"=""
     
  9. 2004/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You should print this out and/or save it to text where you can access it in safe mode.

    Update Ad-aware.

    Download CWShredder from here. Save it to the desktop. Double click to install. You will get another desktop icon to run the program.

    Download the text files here and here, saving to the desktop. Right click and rename, changing only the .txt extensions to .reg extensions.

    Download The Killbox from here: http://tools.zerosrealm.com/killbox.zip
    Unzip the files to a folder.

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)

    HijackThis sometimes reports the Sun Java files missing when they are not. If you are inclined to use them, check the Tools button > Java Console in IE for functionality before fixing the O9 entries. It may work.

    Go to Start > Run and type msconfig, hit Enter. On the BOOT.INI tab, check the box next to /SAFEBOOT and OK. Yes to restart. This will restart your computer in safe mode. Log on to your user account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    Double click the Ms4HdRem.reg and SSH.reg files to merge to the registry.

    Open C:\Windows\System32 and delete the following files if found. If any files are undeletable, use the Killbox method outlined below, substituting the proper filenames.

    msswch.exe
    adsnp.dll
    cdrview.dll
    comctrl32.dll
    dbconf.exe
    qwinsta32.exe
    routenet.exe
    smbin.exe
    taskrun.exe
    usrdate.exe
    spoolsrv.exe
    winmcd.exe
    winsrv.exe
    msbkup.exe
    usb.dll

    Killbox
    Open the Killbox folder and double-click on Killbox.exe to run it. In the "Paste Full Path of File to Delete" box, copy and paste the following:

    C:\WINDOWS\System32\msswch.exe

    Don't click any of the buttons though, instead click on the Action menu and choose "Delete on Reboot". On the next screen, PendingFileRenameOperations, click File on the menu and choose "Add File". The filename and path should show up in the window. If that's successful, choose the Action menu and select "Process and Reboot". Click Cancel on the Reboot Needed popup, then OK to the next. Leave that window open and paste this filename and path into the first window.

    C:\WINDOWS\System32\adsnp.dll

    Click action, delete on reboot, add & process, repeat with

    C:\WINDOWS\System32\cdrview.dll

    Repeat process for each filename and close all windows. Don't reboot yet!

    Open CWShredder. Close all other windows and click fix.

    Open C:\Temp if present, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.

    Open Ad-aware and run in full scan mode. Delete all it finds. Empty the recycle bin.

    Open regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and check for an entry with one of the above bad filenames. If present, right click the entry and delete. Close regedit.

    Uncheck the /safeboot box in msconfig and ok to reboot.

    Back in Windows, scan your PC with RAV. If any files are infected and uncleanable, click the report button then copy and paste it here.

    Post a new HijackThis log also.
     
  10. 2004/11/24
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    Thank you for your step-by-step instructions. :)
    Since it's late here (past 4 a.m.) I'm going to bed now and I'll do what you described in your post tomorrow.
    I get an error when I try to download the two .txt files. Is this temporary? If so I'll try again tomorrow.
    One other thing, in my system the files don't show their extension (.exe, .dll, .txt, etc). I am able to change their name but their type remains the same.
    Maybe this sounds silly, but how do I change a file type? From .txt to .reg, for example?
    Thank you once again.
     
  11. 2004/11/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Don't know why you were unable to download. Did you get a run/save dialog box when you clicked them? Did you click save? I could email them if still unable to save them.

    In folder options, where you show hidden files and folders, uncheck the box to hide extensions for known file types, click apply and OK.

    Just got your log in email and will let you know if I see anything else that needs attention. ;)
     
  12. 2004/11/25
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    Please mail me the two .txt files. It asks me to log in again even if I am already logged in, and I do get a run/save dialog box, but when I click save I get an "Internet Explorer was unable to download file... please try again later" message. :confused:
    As soon as I have the two files I'm ready to go...
     
  13. 2004/11/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Done. :)
     
  14. 2004/11/25
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    Dave,
    I can't thank you enough... After a week trying to solve this problem everything seems to be OK now. :)
    I'm glad I found this forum.
    The scan with RAV revealed a clean system and all the symptoms seem to be gone. I'll post my new HJT log next...
    I'm just a bit concerned about the line that says "adsnp.dll" (file missing). I wonder if that's important? ;)
    Thank you once again.

    Logfile of HijackThis v1.98.2
    Scan saved at 15:34:18, on 25-11-2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Programas\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\CTSvcCDA.EXE
    C:\WINDOWS\System32\oodag.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Programas\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
    C:\Programas\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\Programas\Ahead\InCD\InCD.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Programas\Creative\MediaSource\RemoteControl\RcMan.exe
    C:\Programas\Creative\MediaSource\Detector\CTDetect.exe
    C:\Programas\Internet Explorer\iexplore.exe
    C:\Programas\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.avsim.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
    O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Programas\TechSmith\SnagIt 7\SnagItBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINDOWS\System32\adsnp.dll (file missing)
    O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Programas\TechSmith\SnagIt 7\SnagItIEAddin.dll
    O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -off
    O4 - HKLM\..\Run: [CTSysVol] C:\Programas\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
    O4 - HKLM\..\Run: [CTDVDDET] C:\Programas\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [SBDrvDet] C:\Programas\Creative\SB Drive Det\SBDrvDet.exe /r
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Programas\Ficheiros comuns\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [ATIPTA] C:\Programas\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [RemoteCenter] C:\Programas\Creative\MediaSource\RemoteControl\RcMan.exe
    O4 - HKCU\..\Run: [Creative Detector] C:\Programas\Creative\MediaSource\Detector\CTDetect.exe /R
    O4 - HKCU\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /M "Stylus Photo R300" /EF "HKCU"
    O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O12 - Plugin for .mid: C:\Programas\Internet Explorer\PLUGINS\npqtplugin2.dll
    O12 - Plugin for .mpg: C:\Programas\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/SU/ocx/12119/CTSUEng.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1093095467125
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
    O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/SU/ocx/15008/CTPID.cab
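    The Ms4Hd export in post 8 records the files and CLSIDs the infection registered, and the HJT log above still lists a BHO under one of those CLSIDs. As an added example (not code from the thread or from any of the tools it mentions), this script parses a REGEDIT5-format export, collects the names under each Ms4Hd subkey and flags the HijackThis lines that still reference them; the excerpts embedded below are constructed from the two logs in this thread.

```python
"""Cross-reference a Ms4Hd-style .reg export against a HijackThis log.

Added example: flags HJT O2/O4 lines whose CLSID or executable name
appears in the Files or RegKeys subkeys recorded by the infection.
"""
import re

# Constructed excerpt of the .reg export posted in the thread (REGEDIT5 format).
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\Files]
"msswch.exe"=""
"adsnp.dll"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ms4Hd\RegKeys]
"{A5366673-E8CA-11D3-9CD9-0090271D075B}"=""
"Files"=""
"""

# Constructed excerpt of the HijackThis log posted in the thread.
HJT_LOG = r"""O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\WINDOWS\System32\adsnp.dll (file missing)
O4 - HKLM\..\Run: [InCD] C:\Programas\Ahead\InCD\InCD.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\Sub\Key]
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')  # "name"=data

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a REGEDIT5 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := KEY_RE.match(line)):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            keys[current][m.group(1)] = m.group(2)
    return keys

def ms4hd_artifacts(keys):
    """Map each Ms4Hd subkey name (files, regkeys, ...) to its value names, lowercased."""
    out = {}
    for path, values in keys.items():
        if "\\Ms4Hd\\" in path:
            out[path.rsplit("\\", 1)[1].lower()] = {v.lower() for v in values}
    return out

def flag_hjt_lines(log, artifacts):
    """Return HJT lines whose CLSID or executable name matches a recorded artifact."""
    clsids = artifacts.get("regkeys", set())
    files = artifacts.get("files", set())
    hits = []
    for line in log.splitlines():
        clsid = re.search(r"\{[0-9A-Fa-f-]{36}\}", line)
        fname = re.search(r"([\w-]+\.(?:exe|dll))\b", line, re.I)
        if (clsid and clsid.group(0).lower() in clsids) or \
           (fname and fname.group(1).lower() in files):
            hits.append(line)
    return hits

if __name__ == "__main__":
    for hit in flag_hjt_lines(HJT_LOG, ms4hd_artifacts(parse_reg(REG_EXPORT))):
        print("STILL REFERENCED:", hit)
```

    The same cross-check works on the full export and log as posted: any O2 or O4 line that survives the cleanup and still names an Ms4Hd artifact is a candidate for the HJT fix step.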
     
  15. 2004/11/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Great! Fix that adsnp entry with HJT and re-enable system restore. Then I recommend you download Spybot Version 1.3 from my signature and install. Allow it to load SD Helper. Open it up and click mode on the toolbar, then advanced mode. Click immunize in the left pane, then immunize again, this time from above with the green + beside it. Click the link below that for SpywareBlaster, download, install, enable all protection and update. Check for updates regularly. Then, still in Spybot, click IE tweaks and at least lock the HOSTS file.
    Then download and install IESpyad.

    That will give you an added layer of protection against unwanted parasites.

    My further advice is to download RegSeeker to clean up any other registry entries hanging around. Open the program, maximize the window and click Clean Registry. When the scan is complete, verify the backup box in the lower left corner is checked and click the Select All button. Then right click within the search results and select Delete. Now do a quick check of your installed programs' functionality. I've never had RegSeeker remove anything vital that it wasn't supposed to, but you never know. If all is well, run it again and again until it comes up clean, again checking programs between runs. Should something go wrong, click the Backup button and restore the last run, then rerun and exclude entries associated with whatever it broke. Click the Histories button and there are choices to clean up the Start menu, typed URLs, TIFs you thought were gone, Stream MRU keys, etc. (I don't allow backups of these). Use them too, and do another Clean Registry. It probably wouldn't even be a bad idea to run it again after reboot.

    Glad I could help. Good work! :)
     
  16. 2004/11/25
    BadKarmaPT

    BadKarmaPT Inactive Thread Starter

    Joined:
    2004/11/24
    Messages:
    23
    Likes Received:
    0
    Like I said before, I can't thank you enough so...
    Thank you! :D
    Just letting you know I am going to follow your suggestions to protect my system. I'll do whatever it takes to prevent another situation like the one I had... ;)
    Thank you once again.
     