Resolved HJT Threads Resolved spyware and popup issues.

06-17-2008, 06:48 PM   #1
Registered User
 
Join Date: Jun 2008
Posts: 9
OS: winXP


Crash/Slow system - Trojan.Win32.Monder.gen

Hello there

This is the problem I'm having right now:

- the system is acting slow on anything I do; it even takes like 10 seconds to open Notepad; sometimes it even crashes when I try a full scan with my antivirus;

- Google doesn't search anything; sometimes it does, but it takes ages to show up;

- some websites do not load, like Gmail, YouTube, *.blogspot.com;

- the Firefox download window doesn't show up anymore when I try to download a file or picture (it works when I delete the file "downloads.rdf", but only for the first download);


I have ZoneAlarm Security Suite installed, and every time I turn on my PC it tells me that the file "C:\Windows\System32\rqRJYpqq.dll" is infected with the trojan "Trojan.Win32.Monder.gen". There is no way to remove it with ZoneAlarm.

Here is a pic.

And here is my DSS log:

Deckard's System Scanner v20071014.68
Run by Gabriel on 2008-06-17 21:40:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 2 Restore Point(s) --
2: 2008-06-18 00:40:47 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2008-06-17 23:49:59 UTC - RP1 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 4.39 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-17 21:42:22
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\ASUS\Probe\AsusProb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Gabriel\Desktop\trojan.monden\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\DAP\DAPBHO.dll
O2 - BHO: (no name) - {446373F0-2DAF-4C58-B08C-DD209CC50F4D} - C:\WINDOWS\system32\hgGaaApp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - C:\WINDOWS\system32\rqRJYpqq.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {c7571302-6afc-a46b-b3f4-0a9cfafa0cdd} - {ddc0afaf-c9a0-4f3b-b64a-cfa62031757c} - C:\WINDOWS\system32\viylcbiu.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUS Probe] c:\arquivos de programas\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"
O4 - HKLM\..\Run: [BM2bc421cf] Rundll32.exe "C:\WINDOWS\system32\ishtgdsl.dll",s
O4 - HKLM\..\Run: [28f71253] rundll32.exe "C:\WINDOWS\system32\kvmiobek.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Arquivos de programas\DAP\DAP.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mdnsNSP.dll' missing
O16 - DPF: {0FF588E0-0913-4CBC-BEC6-422A2D96B7FB} (AuditionWebCtrl Class) - http://www.audition.com.br/activex/AuditionWeb.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/.../GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145935759890
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/contr...terActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} () - http://www.gamengame.com/KALogoutComponent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: rqRJYpqq - C:\WINDOWS\system32\rqRJYpqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 7418 bytes

-- File Associations -----------------------------------------------------------

.js - jsfile - DefaultIcon - "C:\Arquivos de programas\Adobe\Dreamweaver CS3\Adobe Dreamweaver CS3\Dreamweaver.exe",7
.js - jsfile - shell\open\command - "C:\Arquivos de programas\Adobe\Dreamweaver CS3\Adobe Dreamweaver CS3\Dreamweaver.exe","%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 aslm75 - c:\windows\system32\drivers\aslm75.sys
R2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
R3 pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S0 VClone - c:\windows\system32\drivers\vclone.sys (file missing)
S2 DS1410D - c:\windows\system32\drivers\ds1410d.sys
S3 EagleNT - c:\windows\system32\drivers\eaglent.sys (file missing)
S3 neokdss - c:\windows\system32\drivers\neokdss.sys (file missing)
S3 npkcrypt - d:\jogos\ro\devro\npkcrypt.sys (file missing)
S3 npkycryp - d:\jogos\ro\devro\npkycryp.sys (file missing)
S3 vaxscsi - c:\windows\system32\drivers\vaxscsi.sys (file missing)
S3 XDva014 - c:\windows\system32\xdva014.sys (file missing)
S3 XDva112 - c:\windows\system32\xdva112.sys (file missing)
S3 XTrapD12 - c:\windows\system32\xtrapd12.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Autodesk Licensing Service - "c:\arquivos de programas\arquivos comuns\autodesk shared\service\adskscsrv.exe"
R2 StarWindServiceAE (StarWind AE Service) - c:\arquivos de programas\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>

S2 Bonjour Service - "c:\arquivos de programas\extensis\extensis suitcase 11\bonjour\mdnsresponder.exe" (file missing)
S3 FLEXnet Licensing Service - "c:\arquivos de programas\arquivos comuns\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-17 21:36:47 98816 --a------ C:\WINDOWS\system32\viylcbiu.dll
2008-06-17 21:34:42 82432 --a------ C:\WINDOWS\system32\kvmiobek.dll
2008-06-17 21:34:33 90112 --a------ C:\WINDOWS\system32\ishtgdsl.dll
2008-06-16 21:16:00 0 d-------- C:\Arquivos de programas\Panda Security
2008-06-16 20:14:02 0 d--hs---- C:\WINDOWS\CSC
2008-06-16 20:10:03 99328 --a------ C:\WINDOWS\system32\mwyqtors.dll
2008-06-16 20:07:57 81408 --a------ C:\WINDOWS\system32\gbvnntsy.dll
2008-06-16 20:07:49 90112 --a------ C:\WINDOWS\system32\fefccwwn.dll
2008-06-15 20:01:17 99840 --a------ C:\WINDOWS\system32\jkdagigp.dll
2008-06-14 15:56:23 479365 --ahs---- C:\WINDOWS\system32\ppAaaGgh.ini2
2008-06-14 15:56:19 322048 --a------ C:\WINDOWS\system32\hgGaaApp.dll
2008-06-14 15:51:11 33280 --a------ C:\WINDOWS\system32\rqRJYpqq.dll
2008-05-26 2214 0 d-------- C:\Arquivos de programas\Alcohol Soft


-- Find3M Report ---------------------------------------------------------------

2008-06-17 20:54:00 0 --a------ C:\WINDOWS\TempFile
2008-06-17 20:48:22 0 d-------- C:\Arquivos de programas\VisualSubSync
2008-06-17 20:45:56 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-06-17 20:42:09 0 d-------- C:\Arquivos de programas\Arquivos comuns\element5 Shared
2008-06-14 15:28:31 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-06-13 16:16:10 4212 ---h---c- C:\WINDOWS\system32\zllictbl.dat
2008-06-07 2337 0 d--h----- C:\Arquivos de programas\Zero G Registry
2008-06-07 23:05:04 0 d-------- C:\Arquivos de programas\Macromedia
2008-06-07 23:04:37 0 d-------- C:\Arquivos de programas\CyberLink
2008-06-07 23:03:05 0 d-------- C:\Arquivos de programas\Corel
2008-06-07 12:22:14 0 d-------- C:\Arquivos de programas\Backup Reg EasyCleaner
2008-06-07 12:17:23 0 d-------- C:\Arquivos de programas\Messenger
2008-06-07 12:17:22 0 d-------- C:\Arquivos de programas\DAP
2008-06-07 12:17:21 0 d-------- C:\Arquivos de programas\Movie Maker
2008-06-07 12:17:17 0 d-------- C:\Arquivos de programas\Soldat
2008-06-07 12:17:17 0 d-------- C:\Arquivos de programas\Real Alternative
2008-05-31 06:40:37 0 d-------- C:\Arquivos de programas\BitComet
2008-05-12 22:58:57 0 d-------- C:\Arquivos de programas\Winamp
2008-05-11 15:56:57 0 d-------- C:\Documents and Settings\Gabriel\Dados de aplicativos\AdobeUM
2008-05-05 09:56:41 0 d-------- C:\Arquivos de programas\Arquivos comuns\Blizzard Entertainment
2008-04-28 12:04:12 0 d-------- C:\Arquivos de programas\DAEMON Tools
2008-04-28 02:17:26 0 d-------- C:\Documents and Settings\Gabriel\Dados de aplicativos\MailFrontier
2008-04-27 18:56:33 1049 --a------ C:\WINDOWS\QSFVExit.bat
2008-04-25 17:13:26 0 d-------- C:\Documents and Settings\Gabriel\Dados de aplicativos\Hamachi


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{446373F0-2DAF-4C58-B08C-DD209CC50F4D}]
14/06/2008 15:56 322048 --a------ C:\WINDOWS\system32\hgGaaApp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]
14/06/2008 15:51 33280 --a------ C:\WINDOWS\system32\rqRJYpqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ddc0afaf-c9a0-4f3b-b64a-cfa62031757c}]
17/06/2008 21:36 98816 --a------ C:\WINDOWS\system32\viylcbiu.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/06/2006 17:22]
"nwiz"="nwiz.exe" [01/06/2006 17:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [01/06/2006 17:22]
"ASUS Probe"="c:\arquivos de programas\ASUS\Probe\AsusProb.exe" [06/12/2002 15:07]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [01/04/2008 15:49]
"BM2bc421cf"="C:\WINDOWS\system32\ishtgdsl.dll" [17/06/2008 21:34]
"28f71253"="C:\WINDOWS\system32\kvmiobek.dll" [17/06/2008 21:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8EA86503-476F-476A-A55A-7225082DF3EB}"= C:\WINDOWS\system32\rqRJYpqq.dll [14/06/2008 15:51 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJYpqq]
rqRJYpqq.dll 14/06/2008 15:51 33280 C:\WINDOWS\system32\rqRJYpqq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGaaApp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^winsys2.exe]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\winsys2.exe
backup=C:\WINDOWS\pss\winsys2.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Gabriel^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]
path=C:\Documents and Settings\Gabriel\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Gabriel^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Gabriel\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28f71253]
rundll32.exe "C:\WINDOWS\system32\gbvnntsy.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Arquivos de programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2bc421cf]
Rundll32.exe "C:\WINDOWS\system32\fefccwwn.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Arquivos de programas\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Arquivos de programas\Analog Devices\SoundMAX\smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"D:\jogos\steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"mi-raysat_3dsmax8"=2 (0x2)
"CAISafe"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f32b014-83db-11dc-8fb0-0013d4afa7b9}]
AutoRun\command- H:\NTsys.exe
explore\Command- H:\NTsys.exe
open\Command- H:\NTsys.exe




-- End of Deckard's System Scanner: finished at 2008-06-17 21:43:14 ------------
Attached Files
File Type: txt extra.txt (31.8 KB, 3 views)
kornflakes is offline  
06-20-2008, 11:16 AM   #2
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
Join Date: Oct 2006
Location: BC, Canada
Posts: 2,727
OS: XP


Re: Crash/Slow system - Trojan.Win32.Monder.gen

Hi, welcome to TSF!

If you still need assistance, please post a fresh main.txt log.
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Angelfire777 is offline  
06-20-2008, 11:33 AM   #3
Registered User
 
Join Date: Jun 2008
Posts: 9
OS: winXP


Re: Crash/Slow system - Trojan.Win32.Monder.gen

Yes, I need it; thanks for replying.
I'm at work now; I will post it when I get home.

Thank you very much for your attention.
kornflakes is offline  
06-20-2008, 03:04 PM   #4
Registered User
 
Join Date: Jun 2008
Posts: 9
OS: winXP


Re: Crash/Slow system - Trojan.Win32.Monder.gen

Here is the new main.txt log:



Deckard's System Scanner v20071014.68
Run by Gabriel on 2008-06-20 19:01:11
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 4.26 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-20 19:01:41
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\ASUS\Probe\AsusProb.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Gabriel\Desktop\trojan.monden\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\DAP\DAPBHO.dll
O2 - BHO: (no name) - {09EDF0D9-8736-44AC-93B0-870BF0BF93BF} - C:\WINDOWS\system32\hgGaaApp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {8EA86503-476F-476A-A55A-7225082DF3EB} - C:\WINDOWS\system32\rqRJYpqq.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {d1b81c15-c4be-eec9-9cb4-9fe981f2556c} - {c6552f18-9ef9-4bc9-9cee-eb4c51c18b1d} - C:\WINDOWS\system32\rkubljsv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUS Probe] c:\arquivos de programas\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"
O4 - HKLM\..\Run: [28f71253] rundll32.exe "C:\WINDOWS\system32\ypjdkuym.dll",b
O4 - HKLM\..\Run: [BM2bc421cf] Rundll32.exe "C:\WINDOWS\system32\njgodlks.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\Arquivos de programas\DAP\DAP.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mdnsNSP.dll' missing
O16 - DPF: {0FF588E0-0913-4CBC-BEC6-422A2D96B7FB} (AuditionWebCtrl Class) - http://www.audition.com.br/activex/AuditionWeb.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/.../GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145935759890
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/contr...terActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} () - http://www.gamengame.com/KALogoutComponent.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: rqRJYpqq - C:\WINDOWS\system32\rqRJYpqq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\system32\WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


--
End of file - 7517 bytes

-- Files created between 2008-05-20 and 2008-06-20 -----------------------------

2008-06-20 19:00:32 79872 --a------ C:\WINDOWS\system32\ypjdkuym.dll
2008-06-20 18:59:11 99328 --a------ C:\WINDOWS\system32\rkubljsv.dll
2008-06-20 18:59:03 90624 --a------ C:\WINDOWS\system32\njgodlks.dll
2008-06-16 21:16:00 0 d-------- C:\Arquivos de programas\Panda Security
2008-06-16 20:14:02 0 d--hs---- C:\WINDOWS\CSC
2008-06-16 20:07:57 81408 --a------ C:\WINDOWS\system32\gbvnntsy.dll
2008-06-14 15:56:23 527286 --ahs---- C:\WINDOWS\system32\ppAaaGgh.ini2
2008-06-14 15:56:19 322048 --a------ C:\WINDOWS\system32\hgGaaApp.dll
2008-06-14 15:51:11 33280 --a------ C:\WINDOWS\system32\rqRJYpqq.dll
2008-05-26 2214 0 d-------- C:\Arquivos de programas\Alcohol Soft


-- Find3M Report ---------------------------------------------------------------

2008-06-20 18:54:22 0 --a------ C:\WINDOWS\TempFile
2008-06-17 20:48:22 0 d-------- C:\Arquivos de programas\VisualSubSync
2008-06-17 20:45:56 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-06-17 20:42:09 0 d-------- C:\Arquivos de programas\Arquivos comuns\element5 Shared
2008-06-14 15:28:31 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll <Not Verified; BitComet; BitComet BCTP Helper>
2008-06-13 16:16:10 4212 ---h---c- C:\WINDOWS\system32\zllictbl.dat
2008-06-07 2337 0 d--h----- C:\Arquivos de programas\Zero G Registry
2008-06-07 23:05:04 0 d-------- C:\Arquivos de programas\Macromedia
2008-06-07 23:04:37 0 d-------- C:\Arquivos de programas\CyberLink
2008-06-07 23:03:05 0 d-------- C:\Arquivos de programas\Corel
2008-06-07 12:22:14 0 d-------- C:\Arquivos de programas\Backup Reg EasyCleaner
2008-06-07 12:17:23 0 d-------- C:\Arquivos de programas\Messenger
2008-06-07 12:17:22 0 d-------- C:\Arquivos de programas\DAP
2008-06-07 12:17:21 0 d-------- C:\Arquivos de programas\Movie Maker
2008-06-07 12:17:17 0 d-------- C:\Arquivos de programas\Soldat
2008-06-07 12:17:17 0 d-------- C:\Arquivos de programas\Real Alternative
2008-05-31 06:40:37 0 d-------- C:\Arquivos de programas\BitComet
2008-05-12 22:58:57 0 d-------- C:\Arquivos de programas\Winamp
2008-05-11 15:56:57 0 d-------- C:\Documents and Settings\Gabriel\Dados de aplicativos\AdobeUM
2008-05-05 09:56:41 0 d-------- C:\Arquivos de programas\Arquivos comuns\Blizzard Entertainment
2008-04-28 12:04:12 0 d-------- C:\Arquivos de programas\DAEMON Tools
2008-04-28 02:17:26 0 d-------- C:\Documents and Settings\Gabriel\Dados de aplicativos\MailFrontier
2008-04-27 18:56:33 1049 --a------ C:\WINDOWS\QSFVExit.bat
2008-04-25 17:13:26 0 d-------- C:\Documents and Settings\Gabriel\Dados de aplicativos\Hamachi


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09EDF0D9-8736-44AC-93B0-870BF0BF93BF}]
14/06/2008 15:56 322048 --a------ C:\WINDOWS\system32\hgGaaApp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8EA86503-476F-476A-A55A-7225082DF3EB}]
14/06/2008 15:51 33280 --a------ C:\WINDOWS\system32\rqRJYpqq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c6552f18-9ef9-4bc9-9cee-eb4c51c18b1d}]
20/06/2008 18:59 99328 --a------ C:\WINDOWS\system32\rkubljsv.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [01/06/2006 17:22]
"nwiz"="nwiz.exe" [01/06/2006 17:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [01/06/2006 17:22]
"ASUS Probe"="c:\arquivos de programas\ASUS\Probe\AsusProb.exe" [06/12/2002 15:07]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [13/03/2008 23:11]
"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [01/04/2008 15:49]
"28f71253"="C:\WINDOWS\system32\ypjdkuym.dll" [20/06/2008 19:00]
"BM2bc421cf"="C:\WINDOWS\system32\njgodlks.dll" [20/06/2008 18:59]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 00:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{8EA86503-476F-476A-A55A-7225082DF3EB}"= C:\WINDOWS\system32\rqRJYpqq.dll [14/06/2008 15:51 33280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqRJYpqq]
rqRJYpqq.dll 14/06/2008 15:51 33280 C:\WINDOWS\system32\rqRJYpqq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgGaaApp

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^winsys2.exe]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\winsys2.exe
backup=C:\WINDOWS\pss\winsys2.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Gabriel^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]
path=C:\Documents and Settings\Gabriel\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Gabriel^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Gabriel\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28f71253]
rundll32.exe "C:\WINDOWS\system32\gbvnntsy.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Arquivos de programas\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2bc421cf]
Rundll32.exe "C:\WINDOWS\system32\fefccwwn.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
c:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Arquivos de programas\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
"C:\Arquivos de programas\Analog Devices\SoundMAX\smax4.exe" /tray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"D:\jogos\steam\Steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"mi-raysat_3dsmax8"=2 (0x2)
"CAISafe"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f32b014-83db-11dc-8fb0-0013d4afa7b9}]
AutoRun\command- H:\NTsys.exe
explore\Command- H:\NTsys.exe
open\Command- H:\NTsys.exe




-- End of Deckard's System Scanner: finished at 2008-06-20 19:02:32 ------------
Old 06-20-2008, 04:04 PM   #5 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Location: BC, Canada
Posts: 2,727
OS: XP


Re: Crash/Slow system - Trojan.Win32.Monder.gen

Hi,

You only have less than 15% of hard drive space left. That will cause some slowdowns because there will only be a little space left for your hard drive to perform read and write functions. I suggest you move some data like pictures or mp3s to an external drive etc.

Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
__________

Please click Here to download HijackThis to your desktop.

Click the Download button. When the Trend Micro HJT install box appears, double click on the HJTInstall.exe. Click on Install.

It will be installed by default here: C:\Program Files\Trend Micro\HijackThis

A shortcut to the application will also be placed on your Desktop.

The program will open automatically after installation.

You can double-click the icon that was placed on the Desktop to run subsequent HijackThis scans or you can use the icon inside the folder. The folder HijackThis is where you will find the HJT logs that you save. When you use the application to remove anything, you will also find the backup copies made by HJT inside this folder.

Click on "Do a system scan and save logfile". When the log pops up in Notepad, copy and paste that file back here.


Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________
Proud member of UNITE and ASAP since 2006


If we have helped you, please consider donating.

The past won't be able to hurt you unless you keep on looking back at it.
Old 06-20-2008, 05:33 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2008
Posts: 9
OS: winXP


Re: Crash/Slow system - Trojan.Win32.Monder.gen

ComboFix log:

ComboFix 08-06-20.1 - Gabriel 2008-06-20 21:02:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.251 [GMT -3:00]
Executando de: C:\Documents and Settings\Gabriel\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Gabriel\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe
* Criado um novo ponto de restauro
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM2bc421cf.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\fttutlwa.ini
C:\WINDOWS\system32\gbvnntsy.dll
C:\WINDOWS\system32\hgGaaApp.dll
C:\WINDOWS\system32\keboimvk.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\myukdjpy.ini
C:\WINDOWS\system32\ppAaaGgh.ini
C:\WINDOWS\system32\ppAaaGgh.ini2
C:\WINDOWS\system32\rqRJYpqq.dll
C:\WINDOWS\system32\xcfqecei.ini
C:\WINDOWS\system32\ystnnvbg.ini

.
((((((((((((((((((((((( Ficheiros criados de 2008-05-21 to 2008-06-21 ))))))))))))))))))))))))))))))))
.

2008-06-20 21:09 . 2008-06-20 21:09 110,419 --a------ C:\WINDOWS\BM2bc421cf.xml
2008-06-20 19:00 . 2008-06-20 19:00 79,872 --a------ C:\WINDOWS\system32\ypjdkuym.dll
2008-06-20 18:59 . 2008-06-20 18:59 99,328 --a------ C:\WINDOWS\system32\rkubljsv.dll
2008-06-20 18:59 . 2008-06-20 18:59 90,624 --a------ C:\WINDOWS\system32\njgodlks.dll
2008-06-17 21:40 . 2008-06-17 21:40 <DIR> d-------- C:\Deckard
2008-06-16 21:16 . 2008-06-16 21:17 <DIR> d-------- C:\Arquivos de programas\Panda Security
2008-05-28 14:31 . 2008-06-14 21:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-28 14:31 . 2008-05-28 14:31 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 22:06 . 2008-05-26 22:06 <DIR> d-------- C:\Arquivos de programas\Alcohol Soft

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 00:20 9,864,992 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-21 00:07 137,300 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-20 06:23 2,857,984 ----a-w C:\WINDOWS\Internet Logs\xDB6.tmp
2008-06-20 06:23 1,784,832 ----a-w C:\WINDOWS\Internet Logs\xDB7.tmp
2008-06-17 23:48 --------- d-----w C:\Arquivos de programas\VisualSubSync
2008-06-17 23:45 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2008-06-17 23:42 --------- d-----w C:\Arquivos de programas\Arquivos comuns\element5 Shared
2008-06-17 22:01 1,993,263 ----a-w C:\WINDOWS\Internet Logs\tvDebug.zip
2008-06-16 22:54 1,656,832 ----a-w C:\WINDOWS\Internet Logs\xDB5.tmp
2008-06-16 22:54 1,113,600 ----a-w C:\WINDOWS\Internet Logs\xDB4.tmp
2008-06-16 15:35 2,981,376 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-06-16 15:35 1,634,304 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-06-14 18:28 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2008-06-08 02:06 --------- d--h--w C:\Arquivos de programas\Zero G Registry
2008-06-08 02:05 --------- d-----w C:\Arquivos de programas\Macromedia
2008-06-08 02:04 --------- d-----w C:\Arquivos de programas\CyberLink
2008-06-08 02:03 --------- d-----w C:\Arquivos de programas\Corel
2008-06-07 15:43 2,915,840 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-06-07 15:22 --------- d-----w C:\Arquivos de programas\Backup Reg EasyCleaner
2008-06-07 15:17 --------- d-----w C:\Arquivos de programas\Soldat
2008-06-07 15:17 --------- d-----w C:\Arquivos de programas\Real Alternative
2008-06-07 15:17 --------- d-----w C:\Arquivos de programas\DAP
2008-05-31 09:40 --------- d-----w C:\Arquivos de programas\BitComet
2008-05-27 00:56 716,272 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-05-13 01:58 --------- d-----w C:\Arquivos de programas\Winamp
2008-05-11 18:56 --------- d-----w C:\Documents and Settings\Gabriel\Dados de aplicativos\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:15 1,292,288 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-05 12:56 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Blizzard Entertainment
2008-04-28 21:17 --------- d-----w C:\Documents and Settings\All Users\Dados de aplicativos\MailFrontier
2008-04-28 15:04 --------- d-----w C:\Arquivos de programas\DAEMON Tools
2008-04-28 05:17 --------- d-----w C:\Documents and Settings\Gabriel\Dados de aplicativos\MailFrontier
2008-04-28 05:15 --------- d-----w C:\Arquivos de programas\Eset
2008-04-28 05:10 --------- d-----w C:\Arquivos de programas\Zone Labs
2008-04-25 20:13 --------- d-----w C:\Documents and Settings\Gabriel\Dados de aplicativos\Hamachi
2008-04-21 20:28 25,280 ----a-w C:\WINDOWS\system32\drivers\hamachi.sys
2008-04-21 07:02 661,504 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-25 04:49 621,344 ----a-w C:\WINDOWS\system32\mswstr10.dll
2008-03-25 04:49 183,072 ----a-w C:\WINDOWS\system32\msjint40.dll
2006-08-26 03:15 1,514 -c--a-w C:\Documents and Settings\Gabriel\Dados de aplicativos\WWB7_32.DAT
2007-05-11 00:40 848 -csha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c6552f18-9ef9-4bc9-9cee-eb4c51c18b1d}]
2008-06-20 18:59 99328 --a------ C:\WINDOWS\system32\rkubljsv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:45 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-06-01 17:22 7618560]
"nwiz"="nwiz.exe" [2006-06-01 17:22 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-06-01 17:22 86016]
"ASUS Probe"="c:\arquivos de programas\ASUS\Probe\AsusProb.exe" [2002-12-06 15:07 617984]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"WinampAgent"="C:\Arquivos de programas\Winamp\winampa.exe" [2008-04-01 15:49 36352]
"28f71253"="C:\WINDOWS\system32\ypjdkuym.dll" [2008-06-20 19:00 79872]
"BM2bc421cf"="C:\WINDOWS\system32\njgodlks.dll" [2008-06-20 18:59 90624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:45 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MFZ0"= MyFlashZip0.ax

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^winsys2.exe]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\winsys2.exe
backup=C:\WINDOWS\pss\winsys2.exeCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabriel^Menu Iniciar^Programas^Inicializar^Adobe Gamma.lnk]
path=C:\Documents and Settings\Gabriel\Menu Iniciar\Programas\Inicializar\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Gabriel^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Gabriel\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\28f71253]
C:\WINDOWS\system32\gbvnntsy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-12-22 04:23 221568 C:\Arquivos de programas\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM2bc421cf]
C:\WINDOWS\system32\fefccwwn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
C:\Arquivos de programas\SlySoft\CloneCD\CloneCDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 00:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2006-11-12 07:48 157592 C:\Arquivos de programas\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-04-17 12:41 196608 c:\ARQUIV~1\ARQUIV~1\INSTAL~1\UPDATE~1\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-04-13 06:07 69632 C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Arquivos de programas\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 13:24 1694208 C:\Arquivos de programas\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a--c--- 2001-07-09 10:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2006-06-01 17:22 7618560 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2006-06-01 17:22 86016 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
--a------ 2006-03-15 20:07 421888 C:\Arquivos de programas\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a--c--- 2006-05-05 22:55 155648 C:\Arquivos de programas\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
--a--c--- 2003-05-30 09:42 585728 C:\Arquivos de programas\Analog Devices\SoundMAX\smax4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a--c--- 2003-05-29 16:28 790528 C:\Arquivos de programas\Analog Devices\SoundMAX\SMax4PNP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-04-09 14:31 1271032 D:\jogos\steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a--c--- 2005-11-10 13:03 36975 C:\Arquivos de programas\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra--c--- 2006-03-30 16:45 313472 C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinSys2]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"mnmsrvc"=3 (0x3)
"mi-raysat_3dsmax8"=2 (0x2)
"CAISafe"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"SoundMAX Agent Service (default)"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"C:\\Arquivos de programas\\Autodesk\\backburner\\monitor.exe"=
"C:\\Arquivos de programas\\Autodesk\\backburner\\manager.exe"=
"C:\\Arquivos de programas\\Autodesk\\backburner\\server.exe"=
"D:\\jogos\\The All-Seeing Eye\\eye.exe"=
"D:\\3dsmax7\\3dsmax.exe"=
"C:\\Arquivos de programas\\backburner 2\\monitor.exe"=
"C:\\Arquivos de programas\\backburner 2\\manager.exe"=
"C:\\Arquivos de programas\\backburner 2\\server.exe"=
"C:\\Arquivos de programas\\Bonjour\\mDNSResponder.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"D:\\jogos\\Soldat\\Soldat.exe"=
"C:\\Arquivos de programas\\DAP\\DAP.exe"=
"D:\\jogos\\steam\\steamapps\\mazzo_igor\\counter-strike\\hl.exe"=
"D:\\Downloads\\wow\\WoW-2.0.0-enUS-Installer-downloader.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22320:TCP"= 22320:TCP:BitComet 22320 TCP
"22320:UDP"= 22320:UDP:BitComet 22320 UDP
"64666:TCP"= 64666:TCP:BitComet 64666 TCP
"64666:UDP"= 64666:UDP:BitComet 64666 UDP
"64591:TCP"= 64591:TCP:BitComet 64591 TCP
"64591:UDP"= 64591:UDP:BitComet 64591 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S3 npkycryp;npkycryp;D:\jogos\ro\DevRO\npkycryp.sys []
S3 XDva014;XDva014;C:\WINDOWS\system32\XDva014.sys []
S3 XDva112;XDva112;C:\WINDOWS\system32\XDva112.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8f32b014-83db-11dc-8fb0-0013d4afa7b9}]
\Shell\AutoRun\command - H:\NTsys.exe
\Shell\explore\Command - H:\NTsys.exe
\Shell\open\Command - H:\NTsys.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 21:08:55
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ypjdkuym.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Tempo para conclusão: 2008-06-20 21:27:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-21 00:27:15

Pre-Run: 5,356,830,720 bytes disponíveis
Post-Run: 5,254,467,584 bytes disponíveis

WindowsXP-KB310994-SP2-Pro-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

245 --- E O F --- 2008-06-12 14:00:20





HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:30:43, on 20/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Arquivos de programas\Winamp\winampa.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
C:\ARQUIV~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Arquivos de programas\DAP\DAPBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {d1b81c15-c4be-eec9-9cb4-9fe981f2556c} - {c6552f18-9ef9-4bc9-9cee-eb4c51c18b1d} - C:\WINDOWS\system32\rkubljsv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUS Probe] c:\arquivos de programas\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Arquivos de programas\Winamp\winampa.exe"
O4 - HKLM\..\Run: [28f71253] rundll32.exe "C:\WINDOWS\system32\ypjdkuym.dll",b
O4 - HKLM\..\Run: [BM2bc421cf] Rundll32.exe "C:\WINDOWS\system32\njgodlks.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download with &DAP - C:\ARQUIV~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\ARQUIV~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\ARQUIV~1\DAP\DAP.EXE
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0FF588E0-0913-4CBC-BEC6-422A2D96B7FB} (AuditionWebCtrl Class) - http://www.audition.com.br/activex/AuditionWeb.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/.../GAME_UNO1.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1145935759890
O16 - DPF: {76CB493D-11F7-4236-BDE4-7A5851B03FA9} (Launcher Class) - http://cabalonline.net/Com/CabalWebLauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {CEA3052D-65B9-44E2-A501-5E14024BC66F} (TricksterActiveX Control) - http://www.tricksteronline.com/contr...terActiveX.cab
O16 - DPF: {D88C7675-7CEE-4C9A-BDD4-7A43EED7794D} - http://www.gamengame.com/KALogoutComponent.cab
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Arquivos de programas\Extensis\Extensis Suitcase 11\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Arquivos de programas\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6435 bytes
Old 06-20-2008, 07:10 PM   #7 (permalink)
Moderator/Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Oct 2006
Location: BC, Canada