Registered · 16 Posts · Discussion Starter · #1
Hello.
Here is the log of Avast Antivirus:
--------------------------------------------
31/5/2008 18:24:18 Luiz Márcio 2568 Sign of "Win32:Agent-GMC [Trj]" has been found in "C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP387\A0024464.scr\best_video.avi.scr\china.avi.scr\[UPX]" file.
31/5/2008 18:24:27 Luiz Márcio 2568 Sign of "Win32:poisonIvy-AM [Trj]" has been found in "C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP387\A0024464.scr\best_video.avi.scr\china.avi.scr\[Embedded#1a00]" file.
31/5/2008 18:39:40 Luiz Márcio 2568 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP475\A0029764.exe\allin1dfx.exe" file.
31/5/2008 18:44:49 Luiz Márcio 2568 Sign of "Win32:Delf-IWT [Trj]" has been found in "C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP475\A0029764.exe\dfx.exe" file.
31/5/2008 18:45:11 Luiz Márcio 2568 Sign of "Win32:CTX" has been found in "C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP477\A0029819.dll" file.
31/5/2008 18:52:57 Luiz Márcio 2568 Sign of "Win32:CTX" has been found in "C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll" file.
31/5/2008 18:55:11 Luiz Márcio 2568 Sign of "Win32:NGVCK-E" has been found in "C:\WINDOWS\SYSTEM32\pav.sig" file.
31/5/2008 22:40:38 SYSTEM 1704 Sign of "Win32:CTX" has been found in "C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll" file.
31/5/2008 22:54:29 SYSTEM 1704 Sign of "Win32:CTX" has been found in "C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll" file.
31/5/2008 22:55:05 SYSTEM 1704 Sign of "Win32:CTX" has been found in "C:\WINDOWS\SYSTEM32\ActiveScan\pskavs.dll" file.
31/5/2008 22:58:27 SYSTEM 1704 Sign of "Win32:CTX" has been found in "C:\Arquivos de programas\Panda Security\ActiveScan 2.0\pskavs.dll" file.
31/5/2008 22:58:42 SYSTEM 1704 Sign of "Win32:CTX" has been found in "C:\Arquivos de programas\Panda Security\ActiveScan 2.0\pskavs.dll" file.
3/6/2008 23:49:15 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\system32\svchost.exe" file.
3/6/2008 23:56:19 Luiz Márcio 1280 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SVCHOST.EXE" file.
4/6/2008 00:42:03 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\SVCHOST.EXE" file.
4/6/2008 00:42:27 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe" file.
4/6/2008 00:42:47 SYSTEM 1676 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\windows\system32\SET23.tmp" file.
4/6/2008 03:23:38 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\I386\SVCHOST.EXE" file.
4/6/2008 05:38:28 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\unp28195895.tmp" file.
4/6/2008 08:26:03 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz26.tmp" file.
4/6/2008 08:27:39 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz27.tmp" file.
4/6/2008 08:28:45 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz28.tmp" file.
4/6/2008 08:29:26 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz29.tmp" file.
4/6/2008 08:36:33 Luiz Márcio 2412 Sign of "Win32:Rootkit-gen [Rtk]" has been found in "C:\WINDOWS\Temp\_avast4_\trz2A.tmp" file.
--------------------------------------------

I think I used ACDSee to view the file with Win32:Agent-GMC [Trj] or Win32:poisonIvy-AM [Trj].
ACDSee started to act strange, abruptly finishing with an error, but not always. And once it deleted an entire folder.
I uninstalled it.

It put all in Avast quarantine, and extracted svchost.exe from the i386 directory of the Dell OS reinstallation CD.
Then, after a reboot, no drag and drop, no system restore, no opening of property sheets, and the look of the taskbar changed.
Almost no services running. "RPC server not running" message.
I fixed the RPCSS section in the registry, and still no system restore and the look of the taskbar is changed.

Here is the log of Deckard's System Scanner:

Deckard's System Scanner v20071014.68
Run by Luiz Márcio on 2008-06-16 22:34:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; A operação foi concluída com êxito.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Luiz Márcio.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:01, on 16/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe
C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
C:\Arquivos de programas\- internet\ZoneAlarm\zlclient.exe
C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Arquivos de programas\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Arquivos de programas\Executive Software\Diskeeper\DkService.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\Luiz Márcio\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\Luiz Márcio.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/intl/la/brazil/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/intl/la/brazil/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/intl/la/brazil/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\- utilities\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\- internet\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\- utilities\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Arquivos de programas\- utilities\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [AnyDVD] "C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2237029002-2704639424-2437969446-1005\..\Run: [SoniqueQuickStart] C:\Arquivos de programas\- utilities\Sonique\sqstart.exe -nostick (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Arquivos de programas\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARQUIV~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Arquivos de programas\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

--
End of file - 8834 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 ac97intc (Intel(r) 82801 Audio Driver Install Service (WDM)) - c:\windows\system32\drivers\ac97intc.sys <Not Verified; Intel Corporation; Intel(r) Integrated Controller Hub Audio Driver>
3 ati2mtaa - c:\windows\system32\drivers\ati2mtaa.sys <Not Verified; ATI Technologies Inc.; ATI Rage 128 Family>
3 C-Dilla - c:\windows\system32\drivers\cdant.sys <Not Verified; Macrovision; Licence Management System>
4 cbidf - c:\windows\system32\drivers\cbidf2k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2 CdaC15BA - c:\windows\system32\drivers\cdac15ba.sys <Not Verified; Macrovision Europe Ltd; Security Windows NT>
4 dac2w2k - c:\windows\system32\drivers\dac2w2k.sys <Not Verified; Mylex Corporation; Mylex Disk Array Controller Driver>
3 EL90XBC (3Com EtherLink XL 90XB/C Adapter Driver) - c:\windows\system32\drivers\el90xbc5.sys <Not Verified; 3Com Corporation; 3Com EtherLink PCI>
3 ElbyCDFL - c:\windows\system32\drivers\elbycdfl.sys <Not Verified; SlySoft, Inc.; CloneCD>
3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
3 HCF_MSFT - c:\windows\system32\drivers\hcf_msft.sys <Not Verified; Conexant; Modem>
3 HSFHWBS2 - c:\windows\system32\drivers\hsfhwbs2.sys <Not Verified; Conexant Systems; SoftK56>
3 HSF_DP - c:\windows\system32\drivers\hsf_dp.sys <Not Verified; Conexant Systems; SoftK56>
3 i81x - c:\windows\system32\drivers\i81xnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP0 - c:\windows\system32\drivers\wadv01nt.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP1 - c:\windows\system32\drivers\wadv02nt.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP2 - c:\windows\system32\drivers\wadv05nt.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP3 - c:\windows\system32\drivers\wsiintxx.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimFP4 - c:\windows\system32\drivers\wvchntxx.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV0 - c:\windows\system32\drivers\watv01nt.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV1 - c:\windows\system32\drivers\watv02nt.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV2 - c:\windows\system32\drivers\watv03nt.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV3 - c:\windows\system32\drivers\watv04nt.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 iAimTV4 - c:\windows\system32\drivers\wch7xxnt.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
0 iomdisk (Iomega Devices Disk Filter Services) - c:\windows\system32\drivers\iomdisk.sys <Not Verified; Iomega Corporation; Microsoft(R) Windows NT(R) Operating System>
2 mdmxsdk - c:\windows\system32\drivers\mdmxsdk.sys <Not Verified; Conexant; Diagnostic Interface>
3 MODEMCSA (Dispositivo de filtro de fluxo unimodem) - c:\windows\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
0 ppa3 (Iomega Parallel Port Legacy Filter Driver) - c:\windows\system32\drivers\ppa3.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
3 winachsf - c:\windows\system32\drivers\hsf_cnxt.sys <Not Verified; Conexant Systems; SoftK56>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 aawservice (Ad-Aware 2007 Service) - c:\arquivos de programas\lavasoft\ad-aware 2007\aawservice.exe
2 C-DillaCdaC11BA - c:\windows\system32\drivers\cdac11ba.exe <Not Verified; Macrovision; SafeCast Windows NT>
2 C-DillaSrv - c:\windows\system32\drivers\cdantsrv.exe <Not Verified; C-Dilla Ltd; CD-Secure/CD-Compress Windows NT>
2 Diskeeper - c:\arquivos de programas\executive software\diskeeper\dkservice.exe <Not Verified; Executive Software International, Inc.; Diskeeper (TM) Disk Defragmenter>
4 Iomega Activity Disk2 - c:\windows\system32
2 Iomega App Services - c:\arquivos de programas\iomega\system32\appservices.exe
2 _IOMEGA_ACTIVE_DISK_SERVICE_ (Iomega Active Disk) - c:\arquivos de programas\iomega\autodisk\adservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Files created between 2008-05-16 and 2008-06-16 -----------------------------

2008-06-16 22:25:44 0 d-------- C:\Arquivos de programas\Trend Micro
2008-06-16 18:17:15 0 d-------- C:\WINDOWS\tmp
2008-06-12 01:24:52 63677956 --a------ C:\regbckp3.reg
2008-06-05 17:14:37 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-06-05 15:18:15 744853 --a------ C:\PAVARK.exe
2008-06-04 09:56:19 12800 --a------ C:\WINDOWS\System32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-06-04 09:55:20 12800 --a------ C:\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-29 23:53:56 0 d-------- C:\Arquivos de programas\Alwil Software
2008-05-17 18:25:35 288 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2008-05-17 18:25:35 288 --a------ C:\WINDOWS\System32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2008-05-17 12:24:08 53552 -----n--- C:\WINDOWS\CTCCW.DLL <Not Verified; Creative® Technology Ltd.; Custom Control for Windows>
2008-05-17 12:24:05 26768 -----n--- C:\WINDOWS\System32\CTL3D.DLL <Not Verified; Microsoft Corporation; 3D Windows Control>
2008-05-17 12:24:03 1048576 -----n--- C:\WINDOWS\System32\SFMAN.DAT
2008-05-17 12:24:01 0 d-------- C:\WINDOWS\System32\Defaults
2008-05-17 12:23:23 134272 --a------ C:\WINDOWS\System32\drivers\portcls.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-17 12:23:23 57856 --a------ C:\WINDOWS\System32\drivers\drmk.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-17 12:22:53 36864 --a------ C:\WINDOWS\System32\sfman32.dll <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:53 135728 --a------ C:\WINDOWS\System32\drivers\hap16v2k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:52 816576 --a------ C:\WINDOWS\System32\drivers\ha10kx2k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:52 115936 --a------ C:\WINDOWS\System32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
2008-05-17 12:22:51 134032 --a------ C:\WINDOWS\System32\drivers\ctsfm2k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:51 6144 --a------ C:\WINDOWS\System32\drivers\ctprxy2k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:51 183703 --a------ C:\WINDOWS\System32\ctstatic.dat
2008-05-17 12:22:50 298384 --a------ C:\WINDOWS\System32\drivers\ctdvda2k.sys
2008-05-17 12:22:50 189490 --a------ C:\WINDOWS\System32\ctdlang.dat
2008-05-17 12:22:50 53674 --a------ C:\WINDOWS\System32\ctdaught.dat
2008-05-17 12:22:50 114972 --a------ C:\WINDOWS\System32\CTBASICW.DAT
2008-05-17 12:22:50 142968 --a------ C:\WINDOWS\System32\ctbas2w.dat
2008-05-17 12:22:49 493568 --a------ C:\WINDOWS\System32\drivers\ctaud2k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:49 186068 --a------ C:\WINDOWS\System32\drivers\ctac32k.sys <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:49 65536 --a------ C:\WINDOWS\System32\a3d.dll <Not Verified; ; a3dx5>
2008-05-17 12:22:47 49152 --a------ C:\WINDOWS\CTDCRES.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:46 270336 --a------ C:\WINDOWS\System32\SFMS32.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:46 36864 --a------ C:\WINDOWS\System32\REGPLIB.EXE
2008-05-17 12:22:45 110592 --a------ C:\WINDOWS\System32\PIAPROXY.DLL <Not Verified; Creative Technology Ltd; E-mu PIA>
2008-05-17 12:22:45 159744 --a------ C:\WINDOWS\System32\OPENAL32.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:45 49152 --a------ C:\WINDOWS\System32\KILLAPPS.EXE
2008-05-17 12:22:45 20480 --a------ C:\WINDOWS\System32\ENSDEF.EXE <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:45 77824 --a------ C:\WINDOWS\System32\EAXAC3.DLL <Not Verified; Creative Labs; EAX-AC3 DLL>
2008-05-17 12:22:45 184320 --a------ C:\WINDOWS\PSCONV.EXE
2008-05-17 12:22:45 61440 --a------ C:\WINDOWS\MIDIDEF.EXE <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:44 94208 --a------ C:\WINDOWS\DEVREG.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:43 45056 --a------ C:\WINDOWS\System32\CTSPKHLP.DLL <Not Verified; Creative Technology Ltd; CtSpkHlp Dynamic Link Library>
2008-05-17 12:22:43 110592 --a------ C:\WINDOWS\System32\CTSCAL.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:43 655360 --a------ C:\WINDOWS\System32\CTSBLFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:42 155648 --a------ C:\WINDOWS\System32\CTOSUSER.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:42 24576 --a------ C:\WINDOWS\System32\CTHELPER.EXE <Not Verified; Creative Technology Ltd; CtHelper Application>
2008-05-17 12:22:42 36864 --a------ C:\WINDOWS\System32\CTEMUPIA.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:38 110592 --a------ C:\WINDOWS\System32\CTDPROXY.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:37 139264 --a------ C:\WINDOWS\System32\CTDCIFCE.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:37 372736 --a------ C:\WINDOWS\System32\CTDC0001.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:37 319488 --a------ C:\WINDOWS\System32\CTDC0000.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:36 495616 --a------ C:\WINDOWS\System32\CTAUDFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:36 106496 --a------ C:\WINDOWS\System32\CTASIO.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:36 57344 --a------ C:\WINDOWS\System32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>
2008-05-17 12:22:35 126976 --a------ C:\WINDOWS\System32\COMMONFX.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:35 53248 --a------ C:\WINDOWS\System32\AC3API.DLL <Not Verified; Creative Technology Ltd; Creative Audio Product>
2008-05-17 12:22:33 184 --a------ C:\WINDOWS\System32\e000002.dat
2008-05-17 12:22:08 77824 --a------ C:\WINDOWS\System32\ctdvda32.dll <Not Verified; Creative Technology Ltd; Creative DVD-Audio Product>
2008-05-17 12:22:08 277200 --a------ C:\WINDOWS\System32\Ctaa1.dat
2008-05-17 11:49:57 0 d-------- C:\Arquivos de programas\Creative2
2008-05-17 11:06:34 65904638 --a------ C:\regbckp2.reg


-- Find3M Report ---------------------------------------------------------------

2008-06-05 17:30:26 0 d-------- C:\Arquivos de programas\Movie Maker
2008-06-05 17:19:25 0 d-------- C:\Arquivos de programas\Windows NT
2008-05-29 21:20:27 0 d-------- C:\Arquivos de programas\DeepPaint3D
2008-05-25 23:00:43 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-05-21 19:29:38 0 d-------- C:\Arquivos de programas\GbPlugin
2008-05-17 12:22:07 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-05-09 18:41:27 0 d-------- C:\Arquivos de programas\Panda Security
2008-03-24 23:17:51 2552 --a------ C:\WINDOWS\unins000.dat
2008-03-24 23:14:08 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [22/05/2004 08:51]
"IntelliPoint"="C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe" [15/05/2003 16:41]
"Iomega Drive Icons"="C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe" [13/08/2002 13:30]
"Deskup"="C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe" [16/07/2002 09:55]
"Zone Labs Client"="C:\Arquivos de programas\- internet\ZoneAlarm\zlclient.exe" [17/02/2004 17:01]
"CloneCDTray"="C:\Arquivos de programas\- utilities\CloneCD\CloneCDTray.exe" [19/05/2005 10:47]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [23/04/2006 22:56]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"CTSysVol"="C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [11/09/2002 11:04]
"CTDVDDet"="C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [30/09/2002 01:00]
"CTHelper"="CTHELPER.EXE" [03/09/2002 15:55 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [15/05/2008 20:19]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoniqueQuickStart"="C:\Arquivos de programas\- utilities\Sonique\sqstart.exe" [02/10/2003 08:08]
"AnyDVD"="C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe" [29/07/2007 08:53]

C:\Documents and Settings\Luiz Márcio\Menu Iniciar\Programas\Inicializar\
DESKTOP.INI [1/10/2002 04:33:02]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [9/11/2003 23:46:43]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
DESKTOP.INI [1/10/2002 04:33:02]
Digital Line Detect.lnk - C:\Arquivos de programas\Digital Line Detect\DLG.exe [18/9/2003 14:42:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Luiz Márcio^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Luiz Márcio\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"c:\arquivos de programas\- internet\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sson]
C:\Documents and Settings\Luiz Márcio\Dados de aplicativos\mlri.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tartanmcp"=3 (0x3)
"Spac32kser"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\arquivos de programas\- internet\QuickTime\qttask.exe" -atboottime




-- Hosts -----------------------------------------------------------------------

127.0.0.1 images.real.com
127.0.0.1 real.com
127.0.0.1 ct5.hypercount.com
127.0.0.1 acme.bfast.com
127.0.0.1 ads.bfast.com
127.0.0.1 affiliates.bfast.com
127.0.0.1 affnet.bfast.com
127.0.0.1 airedale.bfast.com
127.0.0.1 application.bfast.com
127.0.0.1 applications.bfast.com

8026 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-16 22:35:28 ------------
TSF Security Manager, Emeritus · 42,836 Posts
Hello Luiz Gonzaga,

This will require more than one round to properly eradicate. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
Registered · 16 Posts · Discussion Starter · #4
Hi.
Deckard produced just 1 log, not the extra.txt. Is it normal?
When I finished with ComboFix I got these alerts from the Spybot resident:

23/6/2008 20:52:42 Allowed (based on user decision) value "KernelFaultCheck" (new data: "") deleted in System Startup global entry!
23/6/2008 20:52:50 Allowed (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
23/6/2008 20:53:01 Allowed (based on user decision) value "Default_Page_URL" (new data: "") deleted in Browser page!
23/6/2008 20:53:08 Allowed (based on user decision) value "Search Page" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
23/6/2008 20:53:16 Allowed (based on user decision) value "Default_Page_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=69157") changed in Browser page!
23/6/2008 20:53:19 Allowed (based on user decision) value "Default_Search_URL" (new data: "http://go.microsoft.com/fwlink/?LinkId=54896") changed in Browser page!
23/6/2008 20:53:24 Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!


--------------------

ComboFix 08-06-20.4 - Luiz Márcio 2008-06-23 20:09:57.1 - NTFSx86

Executando de: C:\Documents and Settings\Luiz Márcio\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\svchost.exe

.
((((((((((((((((((((((( Ficheiros criados de 2008-05-23 to 2008-06-23 ))))))))))))))))))))))))))))))))
.

2008-06-16 22:33 . 2008-06-16 22:33 <DIR> d-------- C:\Deckard
2008-06-16 22:25 . 2008-06-16 22:25 <DIR> d-------- C:\Arquivos de programas\Trend Micro
2008-06-16 18:17 . 2008-06-16 18:33 <DIR> d-------- C:\WINDOWS\tmp
2008-06-12 01:24 . 2008-06-12 01:24 63,677,956 --a------ C:\regbckp3.reg
2008-06-05 18:09 . 2001-09-05 23:50 12,800 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe
2008-06-05 17:14 . 2008-06-05 17:30 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-06-05 15:18 . 2008-06-05 16:37 744,853 --a------ C:\PAVARK.exe
2008-06-05 15:14 . 2008-06-04 20:25 311,591 --a------ C:\AntiRootkit.zip
2008-06-04 09:56 . 2001-09-05 23:50 12,800 --a------ C:\WINDOWS\SYSTEM32\svchost.exe
2008-06-04 09:49 . 2002-09-11 02:00 6,316 --a------ C:\SVCHOST.EX_
2008-05-31 22:31 . 2008-05-31 22:31 6,949,416 --a------ C:\WINDOWS\SYSTEM32\pav.sig
2008-05-29 23:53 . 2008-05-29 23:53 <DIR> d-------- C:\Arquivos de programas\Alwil Software
2008-05-29 23:53 . 2003-03-18 18:20 1,060,864 --a------ C:\WINDOWS\SYSTEM32\MFC71.dll

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 00:20 --------- d-----w C:\Arquivos de programas\DeepPaint3D
2008-05-21 22:29 --------- d-----w C:\Arquivos de programas\GbPlugin
2008-05-20 22:28 65,904,638 ----a-w C:\regbckp2.reg
2008-05-17 15:22 --------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2008-05-17 14:49 --------- d-----w C:\Arquivos de programas\Creative2
2008-05-15 21:11 10,221,568 ----a-w C:\WINDOWS\Internet Logs\xDBC.tmp
2008-05-09 21:41 --------- d-----w C:\Arquivos de programas\Panda Security
2008-05-05 19:26 10,192,896 ----a-w C:\WINDOWS\Internet Logs\xDBB.tmp
2008-03-25 02:14 691,545 ----a-w C:\WINDOWS\unins000.exe
2004-04-04 17:37 73,728 ----a-w C:\Documents and Settings\Luiz Márcio\SetupNI.dll
2004-04-04 17:37 73,728 ----a-w C:\Documents and Settings\Luiz Márcio\SetupNI.dll
2004-09-20 21:56 56 --sh--r C:\WINDOWS\SYSTEM32\3FE621EB0F.sys
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\SYSTEM32\flvDX.dll
2007-09-04 04:05 2,516 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\SYSTEM32\msfDX.dll
.

------- Sigcheck -------

2001-09-05 23:50 12800 979f27f95f9a60ad6292b803aee12de5 C:\WINDOWS\LastGood.Tmp\system32\svchost.exe
2001-09-05 23:50 12800 979f27f95f9a60ad6292b803aee12de5 C:\WINDOWS\SYSTEM32\svchost.exe
2001-09-05 23:50 12800 979f27f95f9a60ad6292b803aee12de5 C:\WINDOWS\SYSTEM32\DLLCACHE\svchost.exe

2005-03-02 15:18 577536 7ffbcf1b94e6929deece06670c2407d6 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\user32.dll
2005-03-02 15:20 577536 3ed0a4d74efd5aaf8408095f452e2613 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2002-11-22 12:33 529408 675625ebe22d91177ceced37de3fe309 C:\WINDOWS\$NtUninstallKB824141$\user32.dll
2003-09-25 14:15 560640 ddf64e680eaf6aa8e3748d3f467f6973 C:\WINDOWS\$NtUninstallKB840987$\user32.dll
2004-12-28 22:32 574976 61c3034fd17499811ef2ff4c7cdb9775 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2004-06-17 14:56 560640 a2ae6841d7868c2f2f34e27b7cb1c178 C:\WINDOWS\$NtUninstallKB891711$\user32.dll
2002-09-11 07:00 560640 d58adf4a1298bf0068ef0566e2081bbb C:\WINDOWS\$NtUninstallQ328310$\user32.dll
2005-03-02 15:21 561664 2eb0ba8a2751647abe564183aaf4e8f5 C:\WINDOWS\LastGood.Tmp\system32\user32.dll
2005-03-02 15:21 561664 2eb0ba8a2751647abe564183aaf4e8f5 C:\WINDOWS\SYSTEM32\user32.dll

2002-09-11 07:00 75264 4a95e7320199ec0e3a695494f140c69f C:\WINDOWS\$NtUninstallKB914388$\ws2_32.dll
2006-05-19 09:14 70656 33bae2d63547096a41e278887f3fb6de C:\WINDOWS\$NtUninstallKB922819$\ws2_32.dll
2006-08-16 09:16 70656 f3b582f087a11b29b68f65fbffe8193b C:\WINDOWS\LastGood.Tmp\system32\ws2_32.dll
2006-08-16 09:16 70656 f3b582f087a11b29b68f65fbffe8193b C:\WINDOWS\SYSTEM32\ws2_32.dll

2004-02-06 18:07 591360 f122028a6b40261154b089a1a6eca3b8 C:\WINDOWS\$NtUninstallKB834707-IE6SP1-20040929.091901$\wininet.dll
2004-08-23 19:35 592384 180e7ba2e75950cbd85937ce89a26edf C:\WINDOWS\$NtUninstallKB867282-IE6SP1-20050127.163319$\wininet.dll
2005-02-18 17:34 595456 01914f27e971e88fdbeb8564ceb4564e C:\WINDOWS\$NtUninstallKB883939-IE6SP1-20050428.125228$\wininet.dll
2004-12-07 19:15 593408 f85b54f2289023199c2f6f766c697750 C:\WINDOWS\$NtUninstallKB890923-IE6SP1-20050225.103456$\wininet.dll
2005-04-27 16:41 578560 8a8877577befae9e30626a83bd205a17 C:\WINDOWS\$NtUninstallKB896727-IE6SP1-20050719.165959$\wininet.dll
2005-06-18 00:24 578560 98751f560761b8f2734415f59e9bdb53 C:\WINDOWS\$NtUninstallKB905915-IE6SP1-20051122.175908$\wininet.dll
2005-10-21 15:49 579072 6ff3777332c3700ef59d4ff3d5c8cf2b C:\WINDOWS\$NtUninstallKB912812-IE6SP1-20060322.182418$\wininet.dll
2006-02-24 15:20 579072 b7cb1f00fe7ac58cec9a6457555ca1ef C:\WINDOWS\$NtUninstallKB916281-IE6SP1-20060526.162249$\wininet.dll
2006-04-28 15:07 579072 e32e5d541d9f303d603bab6ddcf00673 C:\WINDOWS\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2006-06-23 13:27 579072 db0415f1aa72595b79deec0fc8ae1322 C:\WINDOWS\LastGood.Tmp\system32\wininet.dll
2006-06-23 13:27 579072 db0415f1aa72595b79deec0fc8ae1322 C:\WINDOWS\SYSTEM32\wininet.dll

2005-05-25 16:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$hf_mig$\KB893066\SP2GDR\tcpip.sys
2005-05-25 16:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-12 23:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$hf_mig$\KB913446\SP2GDR\tcpip.sys
2006-01-13 14:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 08:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
2006-04-20 09:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2002-09-11 07:00 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 16:41 339968 228b0385bbfca24332fa22db45a8b684 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-12 22:13 340480 8c101c9c566e2384af28ef7c1de4a36e C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 08:38 340480 b8158e2a6112c0a5ca67bc158fc70218 C:\WINDOWS\SYSTEM32\DRIVERS\tcpip.sys

2002-09-11 07:00 518656 3fad976292fb63de9891e31d8fe46ed9 C:\WINDOWS\$NtUninstallKB841533$\winlogon.exe
2004-06-16 21:08 485376 337420e424161ff7dd2ec9175dacb034 C:\WINDOWS\LastGood.Tmp\system32\winlogon.exe
2004-06-16 21:08 485376 337420e424161ff7dd2ec9175dacb034 C:\WINDOWS\SYSTEM32\winlogon.exe

2003-03-06 10:30 162432 09b38768036508b51564201afb000950 C:\WINDOWS\Driver Cache\I386\ndis.sys
2003-03-06 10:30 162432 09b38768036508b51564201afb000950 C:\WINDOWS\SYSTEM32\DRIVERS\ndis.sys

2005-03-02 15:08 2061056 d5ed391b213fa2a6ee25de5ab8512360 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntkrnlpa.exe
2005-03-02 15:13 2061184 aed7b3aa86ad031cf39c6e4bba37e818 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2003-04-24 10:20 1953024 ecec9fd54df1d43d890520b1f3a9837d C:\WINDOWS\$NtUninstallKB840987$\ntkrnlpa.exe
2004-06-17 14:43 1958272 f1b356ca171df54094f58c2120a99196 C:\WINDOWS\$NtUninstallKB885835$\ntkrnlpa.exe
2004-10-27 22:27 1959424 07406b93b788c7173d76f7bb14af0ac9 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2002-09-09 13:18 1951488 a4906a5ef1dc6fa464dfe46e3a280afd C:\WINDOWS\$NtUninstallQ811493$\ntkrnlpa.exe
2005-03-02 15:18 1959424 b7207cc6923f5ba5842600d0e67d314b C:\WINDOWS\Driver Cache\I386\ntkrnlpa.exe
2005-03-02 15:18 1959424 b7207cc6923f5ba5842600d0e67d314b C:\WINDOWS\LastGood.Tmp\system32\ntkrnlpa.exe
2005-03-02 15:18 1959424 b7207cc6923f5ba5842600d0e67d314b C:\WINDOWS\SYSTEM32\ntkrnlpa.exe

2005-03-02 15:09 2183552 0da99d0cbd578ad96effd3a571ce8437 C:\WINDOWS\$hf_mig$\KB890859\SP2GDR\ntoskrnl.exe
2005-03-02 15:13 2183808 6e3ab4241e058b248cb7cdc5157449c3 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2003-04-24 10:20 1929344 2c7ff48a27783bc526c6b40e3d45fbc4 C:\WINDOWS\$NtUninstallKB840987$\ntoskrnl.exe
2004-06-17 14:43 2055168 ecedf200bbeafe558986690e6a5b2df6 C:\WINDOWS\$NtUninstallKB885835$\ntoskrnl.exe
2004-10-27 22:27 2092032 62ab7487668bb7d3c7fbd86e76fb2fee C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2002-09-09 13:18 2045824 ba32ba40a940d0b8e6017fd6adc99288 C:\WINDOWS\$NtUninstallQ811493$\ntoskrnl.exe
2005-03-02 15:18 2044416 dd15836553e95dacd280931b3c583138 C:\WINDOWS\Driver Cache\I386\ntoskrnl.exe
2005-03-02 15:18 2044416 dd15836553e95dacd280931b3c583138 C:\WINDOWS\LastGood.Tmp\system32\ntoskrnl.exe
2005-03-02 15:18 2044416 dd15836553e95dacd280931b3c583138 C:\WINDOWS\SYSTEM32\ntoskrnl.exe

2002-09-11 07:00 1006080 7de395d7b1f0c5c0ba2635bb01d0f5c8 C:\WINDOWS\explorer.exe
2002-09-11 07:00 1006080 7de395d7b1f0c5c0ba2635bb01d0f5c8 C:\WINDOWS\LastGood.Tmp\explorer.exe

2002-09-11 07:00 101888 ab1b155a5c021b4344aabe5f001b5260 C:\WINDOWS\LastGood.Tmp\system32\services.exe
2002-09-11 07:00 101888 ab1b155a5c021b4344aabe5f001b5260 C:\WINDOWS\SYSTEM32\services.exe

2002-09-11 07:00 11776 50898a35b0c98440b71c75e61392233b C:\WINDOWS\LastGood.Tmp\system32\lsass.exe
2002-09-11 07:00 11776 50898a35b0c98440b71c75e61392233b C:\WINDOWS\SYSTEM32\lsass.exe

2002-09-11 07:00 13312 2296241d47d58254658fac1918cb05d0 C:\WINDOWS\SYSTEM32\ctfmon.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* entradas vazias & legítimas por defeito não são mostradas.

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoniqueQuickStart"="C:\Arquivos de programas\- utilities\Sonique\sqstart.exe" [2003-10-02 08:08 69632]
"AnyDVD"="C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe" [2007-07-29 08:53 1461184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-05-22 08:51 684032]
"IntelliPoint"="C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe" [2003-05-15 16:41 163840]
"Iomega Drive Icons"="C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe" [2002-08-13 13:30 86016]
"Deskup"="C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe" [2002-07-16 09:55 32768]
"CloneCDTray"="C:\Arquivos de programas\- utilities\CloneCD\CloneCDTray.exe" [2005-05-19 10:47 57344]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [2006-04-23 22:56 155648]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"CTSysVol"="C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-09-11 11:04 53248]
"CTDVDDet"="C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 01:00 45056]
"CTHelper"="CTHELPER.EXE" [2002-09-03 15:55 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-15 20:19 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-09-11 07:00 13312]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2003-11-09 23:46:43 113664]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Digital Line Detect.lnk - C:\Arquivos de programas\Digital Line Detect\DLG.exe [2003-09-18 14:42:00 24576]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Luiz Márcio^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Luiz Márcio\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
--a------ 2002-09-24 15:39 147456 C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
--a------ 2002-09-30 01:00 45056 C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
c:\arquivos de programas\- internet\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sson]
C:\Documents and Settings\Luiz Márcio\Dados de aplicativos\mlri.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tartanmcp"=3 (0x3)
"Spac32kser"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\arquivos de programas\- internet\QuickTime\qttask.exe" -atboottime


*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-23 20:11:44
Windows 5.1.2600 Service Pack 1 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros ocultos ...

Varredura completada com sucesso
Ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
.
Tempo para conclusão: 2008-06-23 20:18:50
ComboFix-quarantined-files.txt 2008-06-23 23:18:47

Pre-Run: 22,544,216,064 bytes disponíveis
Post-Run: 22,528,876,544 bytes disponíveis

179 --- E O F --- 2008-06-01 00:45:48


Deckard's System Scanner v20071014.68
Run by Luiz Márcio on 2008-06-23 20:57:35
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 511 MiB (512 MiB recommended).


-- HijackThis (run as Luiz Márcio.exe) -----------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:57:40, on 23/6/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Arquivos de programas\Executive Software\Diskeeper\DkService.exe
C:\ARQUIV~1\Iomega\System32\AppServices.exe
C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe
C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe
C:\Arquivos de programas\Digital Line Detect\DLG.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Luiz Márcio\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\LUIZMR~1.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/intl/la/brazil/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Arquivos de programas\- utilities\Free Download Manager\iefdmcks.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [CloneCDTray] "C:\Arquivos de programas\- utilities\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Arquivos de programas\- internet\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Arquivos de programas\- utilities\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [AnyDVD] "C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-2237029002-2704639424-2437969446-1005\..\Run: [SoniqueQuickStart] C:\Arquivos de programas\- utilities\Sonique\sqstart.exe -nostick (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Arquivos de programas\- utilities\Free Download Manager\dllink.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~2\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\MSMSGS.EXE
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://imagem.caixa.gov.br/cab/gbpdist.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Arquivos de programas\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARQUIV~1\Iomega\System32\AppServices.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Arquivos de programas\Intel\NCS\Sync\NetSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Arquivos de programas\Iomega\AutoDisk\ADService.exe

--
End of file - 8460 bytes

-- Files created between 2008-05-23 and 2008-06-23 -----------------------------

2008-06-23 20:11:37 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-06-23 20:09:34 68096 --a------ C:\WINDOWS\zip.exe
2008-06-23 20:09:34 49152 --a------ C:\WINDOWS\VFind.exe
2008-06-23 20:09:34 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-23 20:09:34 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-23 20:09:34 98816 --a------ C:\WINDOWS\sed.exe
2008-06-23 20:09:34 80412 --a------ C:\WINDOWS\grep.exe
2008-06-23 20:09:34 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-23 20:09:33 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-23 19:28:05 247568 -r-hs---- C:\cmldr
2008-06-23 19:27:40 0 dr-hs---- C:\cmdcons
2008-06-23 19:27:39 0 d-------- C:\WINDOWS\setup.pss
2008-06-16 22:25:44 0 d-------- C:\Arquivos de programas\Trend Micro
2008-06-16 18:17:15 0 d-------- C:\WINDOWS\tmp
2008-06-12 01:24:52 63677956 --a------ C:\regbckp3.reg
2008-06-05 17:14:37 0 d-------- C:\WINDOWS\LastGood.Tmp
2008-06-05 15:18:15 744853 --a------ C:\PAVARK.exe
2008-06-04 09:56:19 12800 --a------ C:\WINDOWS\System32\svchost.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-05-29 23:53:56 0 d-------- C:\Arquivos de programas\Alwil Software


-- Find3M Report ---------------------------------------------------------------

2008-06-23 19:29:05 288 --a------ C:\WINDOWS\System32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2008-06-23 19:29:05 288 --a------ C:\WINDOWS\System32\DVCState-{00000002-00000000-00000002-00001102-00000004-10031102}.dat
2008-06-05 17:30:26 0 d-------- C:\Arquivos de programas\Movie Maker
2008-06-05 17:19:25 0 d-------- C:\Arquivos de programas\Windows NT
2008-05-29 21:20:27 0 d-------- C:\Arquivos de programas\DeepPaint3D
2008-05-25 23:00:43 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-05-21 19:29:38 0 d-------- C:\Arquivos de programas\GbPlugin
2008-05-20 19:28:09 65904638 --a------ C:\regbckp2.reg
2008-05-17 12:22:33 184 --a------ C:\WINDOWS\System32\e000002.dat
2008-05-17 12:22:07 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-05-17 11:49:57 0 d-------- C:\Arquivos de programas\Creative2
2008-05-09 18:41:27 0 d-------- C:\Arquivos de programas\Panda Security
2008-03-24 23:17:51 2552 --a------ C:\WINDOWS\unins000.dat
2008-03-24 23:14:08 691545 --a------ C:\WINDOWS\unins000.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="C:\Arquivos de programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [22/05/2004 08:51]
"IntelliPoint"="C:\Arquivos de programas\Microsoft IntelliPoint\point32.exe" [15/05/2003 16:41]
"Iomega Drive Icons"="C:\Arquivos de programas\Iomega\DriveIcons\ImgIcon.exe" [13/08/2002 13:30]
"Deskup"="C:\Arquivos de programas\Iomega\DriveIcons\deskup.exe" [16/07/2002 09:55]
"CloneCDTray"="C:\Arquivos de programas\- utilities\CloneCD\CloneCDTray.exe" [19/05/2005 10:47]
"QuickTime Task"="C:\Arquivos de programas\QuickTime\qttask.exe" [23/04/2006 22:56]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50]
"CTSysVol"="C:\Arquivos de programas\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [11/09/2002 11:04]
"CTDVDDet"="C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [30/09/2002 01:00]
"CTHelper"="CTHELPER.EXE" [03/09/2002 15:55 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 01:00]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [15/05/2008 20:19]
"Zone Labs Client"="C:\Arquivos de programas\- internet\ZoneAlarm\zlclient.exe" [17/02/2004 17:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoniqueQuickStart"="C:\Arquivos de programas\- utilities\Sonique\sqstart.exe" [02/10/2003 08:08]
"AnyDVD"="C:\Arquivos de programas\SlySoft\AnyDVD\AnyDVD.exe" [29/07/2007 08:53]

C:\Documents and Settings\Luiz Márcio\Menu Iniciar\Programas\Inicializar\
DESKTOP.INI [1/10/2002 04:33:02]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [9/11/2003 23:46:43]
Adobe Reader Speed Launch.lnk - C:\Arquivos de programas\Adobe\Acrobat 7.0\Reader\reader_sl.exe [14/12/2004 04:44:06]
DESKTOP.INI [1/10/2002 04:33:02]
Digital Line Detect.lnk - C:\Arquivos de programas\Digital Line Detect\DLG.exe [18/9/2003 14:42:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Luiz Márcio^Menu Iniciar^Programas^Inicializar^PowerReg Scheduler.exe]
path=C:\Documents and Settings\Luiz Márcio\Menu Iniciar\Programas\Inicializar\PowerReg Scheduler.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADUserMon]
C:\Arquivos de programas\Iomega\AutoDisk\ADUserMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDet]
C:\Arquivos de programas\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"c:\arquivos de programas\- internet\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sson]
C:\Documents and Settings\Luiz Márcio\Dados de aplicativos\mlri.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Tartanmcp"=3 (0x3)
"Spac32kser"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"QuickTime Task"="C:\arquivos de programas\- internet\QuickTime\qttask.exe" -atboottime

*Newly Created Service* - CATCHME



-- End of Deckard's System Scanner: finished at 2008-06-23 20:58:08 ------------
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello Luiz,

How is the system behaving after running ComboFix?


This tool tends to be quite aggressive, so please be sure to configure it exactly as listed below. I do not want it to clean; for now, I only want to see a Report of what it finds.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Double-click the drweb-cureit.exe file and allow it to run the express scan. This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, we need to change the default settings.
  • In the Menu Bar, Go to Options>Change Settings.
  • Click on the Actions tab
  • Using the drop down menus, change each item under Objects and Malware to Report
  • Next, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'No to All' if it asks if you want to cure/move the file.
  • After the scan has completed, in the Dr.Web CureIt menu on top, click File and choose Save Report List
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Post the contents of the log from Dr.Web you saved previously in your next reply.
 

Registered · 16 Posts · Discussion Starter · #6
Hi.
The system till now is not showing any new behaviour after Combofix.
Here is the log from Dr.Web CureIt:

ComboFix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\Luiz Márcio\Desktop\ComboFix.exe;Probably SCRIPT.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\Luiz Márcio\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\Luiz Márcio\Desktop;The file has infected objects;;
A0030008.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481\A0030008.exe;Probably SCRIPT.Virus;;
A0030008.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481\A0030008.exe;Program.PsExec.171;;
A0030008.exe;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481;The file has infected objects;;
A0030015.bat;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481;Probably SCRIPT.Virus;;
A0030045.exe\327882R2FWJFW\FIND3M.bat;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481\A0030045.exe;Probably SCRIPT.Virus;;
A0030045.exe\327882R2FWJFW\psexec.cfexe;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481\A0030045.exe;Program.PsExec.171;;
A0030045.exe;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481;The file has infected objects;;
A0030052.bat;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481;Probably SCRIPT.Virus;;
A0030113.bat;C:\System Volume Information\_restore{A73780C7-9903-4BC5-9A92-1848D0D7B0E9}\RP481;Probably SCRIPT.Virus;;
PSEXESVC.EXE;C:\WINDOWS;Program.PsExec.170;;
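As an added example (not code from the thread or from Dr.Web), here is a small parser for the semicolon-separated DrWeb.csv layout shown above that sorts each finding into buckets: items inside the ComboFix package or its PsExec service (which Ried's reply below says belong to the tool), restore-point copies under System Volume Information, and everything else for review. The sample lines, the placeholder restore GUID and the "Constructed.Sample.Verdict" entry are constructed for the demonstration, and the bucket rules are assumptions for this case rather than Dr.Web's own logic.

```python
"""Parse a DrWeb CureIt report (DrWeb.csv) and separate expected tool
artifacts from findings that still need a look.  Added example; the triage
rules are assumptions for this thread's case, not Dr.Web's own logic."""
from collections import defaultdict

# Constructed sample in the layout seen above: object;directory;verdict;;
SAMPLE_REPORT = r"""ComboFix.exe\327882R2FWJFW\FIND3M.bat;C:\Documents and Settings\User\Desktop\ComboFix.exe;Probably SCRIPT.Virus;;
ComboFix.exe\327882R2FWJFW\psexec.cfexe;C:\Documents and Settings\User\Desktop\ComboFix.exe;Program.PsExec.171;;
ComboFix.exe;C:\Documents and Settings\User\Desktop;The file has infected objects;;
A0030015.bat;C:\System Volume Information\_restore{PLACEHOLDER-GUID}\RP481;Probably SCRIPT.Virus;;
PSEXESVC.EXE;C:\WINDOWS;Program.PsExec.170;;
unknown.exe;C:\WINDOWS\system32;Constructed.Sample.Verdict;;
"""


def parse_drweb_csv(text):
    """Return (host_path, inner_object, verdict) per line.  An object containing a
    backslash is inside an archive whose full path is the directory field."""
    entries = []
    for line in text.splitlines():
        fields = line.rstrip(";").split(";")
        if len(fields) < 3:
            continue  # blank or malformed line
        obj, directory, verdict = fields[:3]
        if "\\" in obj:
            host, inner = directory, obj.split("\\", 1)[1]
        else:
            host, inner = directory + "\\" + obj, ""
        entries.append((host, inner, verdict))
    return entries


def triage(entries):
    """Bucket findings: ComboFix and the PsExec service it uses are expected,
    restore-point copies are stale snapshots, the rest is left for review."""
    buckets = defaultdict(list)
    for host, inner, verdict in entries:
        lower = host.lower()
        name = lower.rsplit("\\", 1)[-1]
        if name == "combofix.exe":
            buckets["combofix_package"].append(host)
        elif name == "psexesvc.exe" and verdict.startswith("Program.PsExec"):
            buckets["combofix_psexec_service"].append(host)
        elif "\\system volume information\\_restore" in lower:
            buckets["restore_point_copy"].append(host)
        else:
            buckets["needs_review"].append((host, verdict))
    return dict(buckets)
```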
 

TSF Security Manager, Emeritus · 42,836 Posts
The findings by DrWeb are nothing to be concerned about as those belong to the tool we just used.

I did note you repaired RPcss yourself, as well as replaced svchost.exe from the disc, but you have many files that have failed signature verification, which indicates there may be issues with those critical files.

If the system is operating normally, please download and install XP SP2 now.

After you install XPSP2, download the latest version of ComboFix.exe (using the link I provided earlier in this thread) and run another scan with it.

Post the resultant C:\ComboFix.txt in your next reply.
 

Registered · 16 Posts · Discussion Starter · #9
Hi.
Then you think the infected svchost.exe probably was killed before it could do more damage, and that I have a clean enough system to install SP2 without any problem?
Should I run Avast antivirus, Spybot S&D, SuperAntiSpyware before I install SP2, or is there no need?
 

TSF Security Manager, Emeritus · 42,836 Posts
Not necessary, Luiz. Install SP2, then run ComboFix.exe again and post the C:\ComboFix.txt
 

Registered · 16 Posts · Discussion Starter · #11
Hi Ried.
I will be installing SP2 soon (maybe tomorrow), and posting the ComboFix log.
This message is only to prevent this thread from automatically going out of your subscriptions. I don't know if this applies here, but if so.
 

TSF Security Manager, Emeritus · 42,836 Posts
I appreciate that, Luiz. I'll remain subscribed. :sayyes:
 

TSF Security Manager, Emeritus · 42,836 Posts
And I'm still here. :smile:
 

Registered · 16 Posts · Discussion Starter · #15
Hi Ried.
The last time we spoke you told me, if the system was operating normally, to download and install XP SP2.
The system is ok, but by the time of the infection several critical services were deleted from the registry, so I think the best would be to do a repair install before SP2.
But, doing so, I'm going to activate these services in a system without any security patches after SP1.
Between the repair and SP2, I must do a BIOS update. Maybe do an ASR backup, and install updated drivers for the Audigy 2, modem, graphic adapter. Don't know if it is safe to do these before the repair, because now in every simple install the system seems to freeze for more or less five minutes.

Well, what do you think about the repair install?
Thanks.
Luiz.
 

TSF Security Manager, Emeritus · 42,836 Posts
Hi Luiz,

The system is ok, but by the time of the infection several critical services were deleted from the registry, so I think the best would be to do a repair install before SP2.
I saw that, and that's exactly why I told you to upgrade to SP2. That should remedy the situation for you.
 

Registered · 16 Posts · Discussion Starter · #17
Ok
I assume you didn't tell me explicitly to apply SP2 first.
And that it could be done after I corrected the errors in the system.
You see, I saw on the internet that in order to apply SP2, you had better do it on a healthy system. So I thought that maybe first I should correct the services problem by applying the repair install.
Correct me if I'm wrong, ok?

Thanks
Luiz.
 

TSF Security Manager, Emeritus · 42,836 Posts
I wanted to ensure the infection was gone first--that was the main concern before updating to SP2.

Your system was in the clear, so please do go ahead and install SP2 now. :sayyes:

If you'd prefer I double check due to the lapse in time since you last posted a log, feel free to post a fresh main.txt from dss.exe for review first.
 

Registered · 16 Posts · Discussion Starter · #19
Hi Ried.
I still haven't installed SP2.
But that computer has been rarely used since the problem. No internet since then. Just using it to learn how to deal with the repair and SP2.

Should I run, as you suggested in the last message, to double check due to the lapse in time since I last posted a log, HijackThis?
Is DSS conflicting with a rootkit?

Thanks.
Luiz.
 

TSF Security Manager, Emeritus · 42,836 Posts
Hi Luiz,

A particular rootkit will interfere with dss.exe and could cause some problems--if you happen to have that particular rootkit on your system.

Regardless, do not run dss.exe again, and please delete the tool so you don't have to worry about it in the future.

This really is a simple thing to do to repair your system. If you have an XP install disc, then go ahead and run the Repair Install.
 