Welcome to Bleeping Computer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.
Jul 7 2008, 01:25 PM | Post #1
Forum Regular | Group: Members | Posts: 176 | Joined: 5-May 06 | Member No.: 66,788
So it looks like my brother did it again. Once I booted, after my brother had used the computer, it just went odd: it would lag/freeze indefinitely, and the Sygate firewall systray icon just wouldn't load. I could hardly bring up the Task Manager, due to the lag/freeze, but eventually it would end up popping up, and I could confirm that the Sygate firewall was actually running, as its process smc.exe was showing, yet the systray icon just wouldn't load, and the computer would just hang, leaving me only the chance to reset. I tried that a handful of times, but it would always happen the same, so I decided to momentarily uninstall the Sygate firewall. (My first thought at this point was that the Sygate firewall might be having some kind of conflict or something, so the idea was to uninstall and re-install it, to see if that would solve the case. Note that at this point I had no idea that the computer was actually infected. Also just a couple days before I had made a full routine malware scan, registry and system backup, defrag, etc...) I could hardly access the Control Panel either, due to the lag/freeze, but eventually it showed, and so I managed to uninstall the Sygate firewall. During the uninstallation, however, Avast resident scanner popped up a warning, saying that a malware had been found: Win32VunDrop [Drp], file C:\Windows\System32\mspdtc.dll. There was also a Windows Control Panel message, saying: "An error has occurred when Windows was processing the file C:\Windows\System32\netsetup.cpl of the Control Panel.". I clicked ok to the Windows Control Panel message, and for the time being chose "No action" to the Avast message. The uninstallation of the Sygate firewall completed and I followed the prompt for reboot. I had hoped that, after uninstalling the Sygate firewall, eventually the lag/freeze problem would be gone at least, and then I would be able to check out what was with that new malware that Avast had picked. Wrong!
The lag/freeze was still there, after reboot, so I could only conclude that this hadn't been because of the Sygate firewall as first thought, but so it obviously had to be connected with the malware infection. (At once, from the name referred by Avast, I thought this should be related to Vundo/Virtumundo... Yet I'm not at all sure, since I haven't so far experienced any of such popups for fake security programs which seem to be characteristic for Vundo/Virtumundo infections, and neither my brother, at least so he says, got any such popups or noticed any "strange behaviour" while he was last online... So I really don't know, whether this is related to Vundo/Virtumundo after all, or?...) The system/desktop would just end up hanging for some 10+ minutes (even the clock would stay unaltered), until eventually Avast resident scanner would again end up detecting the malware file. Again I chose "No action" (which is supposed to prevent the malware from being "activated") and so the malware file would then become "neutralized". At this point the lag/freeze would stop (or at least turned rather imperceptible). I went to the Control Panel, to check both the Security Centre and assure that at least the Windows Firewall would be on. To my surprise, on opening the Security Centre, the message there was: "The Security Centre isn't currently available because the Security Centre service wasn't started or has been interrupted. Close this window, reboot the computer (or restart the Security Centre service) and, next, open the Security Centre again.". And on opening the Windows Firewall, a message popped up saying: "The Windows Firewall settings can't be displayed because the associated service isn't running. Do you wish to start the Windows Firewall/Internet Connection Sharing (ICS) service?". I clicked yes to that and the Windows Firewall turned on. I rebooted, to check that both the Windows Firewall and the Security Centre would be on now. Again, wrong!
After the lag/freeze would stop, after Avast resident scanner "neutralizing" the malware file, going back to the Control Panel, the Security Centre remained not available, and the Windows Firewall was off again. I tried it all again, yet, same result. Checking via services.msc I could verify, though, that both the Security Centre and the Windows Firewall services were set to "automatic". None of the two was started, however. I checked what services the Security Centre and the Windows Firewall depended on [respectively: Remote Procedure Call (RPC) and WMI (Windows Management Instrument) > Remote Procedure Call (RPC) + Event Registry for the Security Centre | Net Connections > Remote Procedure Call (RPC) and WMI (Windows Management Instrument) > Remote Procedure Call (RPC) + Event Registry for the Windows Firewall] and all of them were actually started at that point. In all of my humble ignorance, that did sound somewhat odd... So I went for a new reboot. Yet, this time, after the reboot completed, I momentarily disabled Avast resident scanner, so it wouldn't pick and "neutralize" the malware file for the time being. The lag/freeze would obviously remain, then, yet eventually I could end up accessing services.msc, and there I could verify that those services on which both the Security Centre and the Windows Firewall depended would all say in their status: "starting..." (which actually was the case for most of all the other services too), and they'd just remain so indefinitely, until I'd re-enable Avast resident scanner and the malware file would be "neutralized" by it. (I guess then that this was supposedly the reason for the Security Centre and Windows Firewall services, although being set to "automatic", having not started, i.e. the fact that the services which these depended on hadn't started in due time, certainly prevented by the malware, no?
Also, if I'd try to enable the Windows Firewall in the Control Panel, previous to the malware being "neutralized" by Avast, the Windows Firewall would just pop the message: "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.".) Moved on to the cleaning of the malware then. First made a preliminary scan with Deckard's System Scanner, for reference. (Just a note here, to say that never again, since the first time I had run DSS - which I had done back in last March, by then just for my own reference - never again did the scanner produce the extra log, only the main one, as it also never again performed all the steps it was supposed to, such as backing up the registry, creating a System Restore point and more. I have ever since always been intrigued by this "behaviour" of DSS?... Nonetheless, after some further searching now, I came across the command for displaying the scanner's settings, "%userprofile%\desktop\dss.exe" /config, as found on techsupportforum.com, and so I do now run DSS this way, then having all settings ticked, as opposed to only HijackThis + Files Created/Modified + Registry Dump + Whitelist Output + Check File Signatures which are the ones shown ticked "by default"; don't know if this is the normal state of things, or?...) Rebooted in Safe Mode and ran SUPERAntiSpyware + AVG Anti-Spyware + Spybot S&D. None of these scanners found anything. Next ran Avast. File C:\Windows\System32\mspdtc.dll was detected as Win32VunDrop [Drp] (plus a trace of it found in System Restore). At the end of the scan I tried to quarantine the files but this failed in Safe Mode (message was: "The Chest server isn't running. Communication with the remote procedure (RPC) failed.") I rebooted back to normal mode, re-ran Avast, and was able to successfully quarantine the malware now. (I don't recall being aware that it wasn't possible to quarantine items with Avast while in Safe Mode, though, hmm...)
Rebooted again, following the quarantining of the malware, and upon reboot both the file C:\Windows\System32\mspdtc.dll and the lagging/freezing were gone, as well as all services, Security Centre and Windows Firewall included, now all started automatically and quickly and ok. Rebooted once again, now having Internet connected (i.e. the cable modem connected to the computer), and all was a-ok just as well. Next, additionally downloaded and installed Malwarebytes' Anti-Malware (seeing that lately this pretty much is among the recommendations), and ran the quick scan (having realtime protection, Avast and WinPatrol, disabled). Nothing was found. Went for re-installing the Sygate firewall. Disconnected from the Internet and disabled the Windows Firewall first, obviously. Curiously, however, at this point the Security Centre did not notify about there being no firewall enabled, although it was set to do so. I was intrigued again, went to check there, and the Security Centre did report the Sygate firewall as being enabled, even though it actually wasn't installed!? (Running a new DSS at this point, it too would refer to Sygate as the existing firewall!?) I assumed something must have gone wrong during the previous uninstallation (since the system was all lagging/freezing, due to the malware) causing the Sygate firewall not to uninstall properly, and so I re-installed it, uninstalled and re-installed again, and seemingly everything is a-ok with it now too. Everything else also seems to be running just fine. I ran a new scan with SUPERAntiSpyware + AVG Anti-Spyware + Spybot S&D + Avast, and additionally this time also with Ad-Aware SE and Kaspersky Online Scanner, and all reported nothing found (except for Avast, which reported a couple traces of Win32VunDrop [Drp] in System Restore, yet I know all these will be gone when System Restore is reset/flushed, yes).
I'd thus appreciate it if you'd please review my DSS logs (I'm including both the preliminary pre-clean one and the final after-clean one, for your reference) to confirm whether everything really got/is cleaned, or whether any additional scanner/clean tool needs to be run or anything further needs to be fixed?... I'll paste the main logs, and attach the extra ones (to avoid the post becoming too long), hope that's ok?... (Then again, I do also have logs from HJT, HJT Startup List, Silent Runners and AutoRuns, both from pre-clean and after-clean; if any at all are needed for further reference, please let me know and I'll include them next time.)

----------
DSS main log - pre-clean

Deckard's System Scanner v20071014.68
Run by q on 2008-07-05 12:49:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
20: 2008-07-05 11:49:56 UTC - RP142 - Deckard's System Scanner Restore Point
19: 2008-07-03 20:13:33 UTC - RP141 - Ponto de verificação do sistema
18: 2008-07-02 11:13:08 UTC - RP140 - Ponto de verificação do sistema
17: 2008-06-30 19:58:41 UTC - RP139 - Ponto de verificação do sistema
16: 2008-06-29 17:59:00 UTC - RP138 - Backup29-06-2008

-- First Restore Point --
1: 2008-06-17 18:38:46 UTC - RP123 - Installed Creative Live! Cam Manager

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as q.exe) ---------------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 12:54:47
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\q\Ambiente de trabalho\dss.exe
C:\Programas\Trend Micro\HijackThis\q.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programas\Ficheiros comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - Unknown owner - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe

--
End of file - 7294 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cpuidlep (CpuIdle Pro System Driver) - c:\windows\system32\drivers\cpuidlep.sys
R1 XPROTECTOR - c:\windows\system32\drivers\oreans.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)
S3 gmer - c:\windows\system32\drivers\gmer.sys (file missing)
S3 hwdatacard (Huawei DataCard USB Modem and USB Serial) - c:\windows\system32\drivers\ewusbmdm.sys (file missing)
S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 NMIndexingService - "c:\programas\ficheiros comuns\ahead\lib\nmindexingservice.exe" (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 580)
2007-04-19 13:41:36 294912 --a------ C:\Programas\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 940)
2004-08-04 08:56:22 24064 --a------ C:\WINDOWS\system32\dmserver.dll <Not Verified; Microsoft Corp.; Gestor de discos lógicos para o Windows NT>

C:\WINDOWS\explorer.exe (pid 1300)
2002-03-13 16:25:36 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>

-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 12:16:55 0 dr-h----- C:\Documents and Settings\q\Recent
2008-06-17 19:44:18 0 d-------- C:\WINDOWS\CtDrvInstall
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns\muvee Technologies
2008-06-17 19:42:03 0 d-------- C:\Programas\muvee Technologies
2008-06-17 19:41:19 0 d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-06-17 19:41:01 0 d-------- C:\Documents and Settings\q\Application Data\InstallShield
2008-06-17 19:40:24 0 d-------- C:\Programas\SightSpeed
2008-06-14 14:09:18 0 d-------- C:\Programas\SpywareBlaster
2008-06-11 14:19:16 0 d-------- C:\Documents and Settings\q\.gimp-2.4
2008-06-11 14:18:31 0 d-------- C:\Programas\GIMP-2.0
2008-06-11 13:53:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-11 13:53:05 0 d-------- C:\Programas\SUPERAntiSpyware
2008-06-11 13:53:05 0 d-------- C:\Documents and Settings\q\Application Data\SUPERAntiSpyware.com
2008-06-05 16:25:18 0 d-------- C:\Programas\DVD Decrypter
2008-06-05 15:05:32 0 d-------- C:\Programas\DVD Audio Extractor

-- Find3M Report ---------------------------------------------------------------

2008-07-05 12:17:56 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-05 12:17:56 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-03 22:39:14 0 d-------- C:\Programas\mIRC
2008-07-03 11:54:21 0 d-------- C:\Programas\FlashGet
2008-07-03 11:21:05 0 d-------- C:\Programas\eMule
2008-07-02 21:14:00 0 d-------- C:\Programas\Lx_cats
2008-06-30 20:36:16 0 d-------- C:\Documents and Settings\q\Application Data\SiteAdvisor
2008-06-27 21:21:51 0 d-------- C:\Programas\Steam
2008-06-18 12:27:59 0 d-------- C:\Documents and Settings\q\Application Data\gtk-2.0
2008-06-18 12:11:31 30336 --a------ C:\Documents and Settings\q\Application Data\GDIPFONTCACHEV1.DAT
2008-06-17 20:38:51 0 d-------- C:\Documents and Settings\q\Application Data\Creative
2008-06-17 19:46:35 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns
2008-06-17 19:40:14 0 d-------- C:\Programas\Creative
2008-06-11 13:52:38 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-09 16:41:32 0 d-------- C:\Documents and Settings\q\Application Data\WinPatrol
2008-06-05 15:32:18 0 d-------- C:\Documents and Settings\q\Application Data\dvdcss
2008-05-24 14:03:22 0 d-------- C:\Documents and Settings\q\Application Data\Adobe
2008-05-24 12:45:58 0 d-------- C:\Programas\Veoh Networks
2008-05-24 12:40:08 0 d-------- C:\Programas\BillP Studios
2008-05-24 12:36:14 0 d-------- C:\Programas\Java
2008-05-24 12:35:32 0 d-------- C:\Programas\Ficheiros comuns\Java
2008-05-24 12:30:09 0 d-------- C:\Programas\CCleaner
2008-05-24 12:10:55 0 d-------- C:\Documents and Settings\q\Application Data\Macromedia
2008-05-23 10:42:26 0 d-------- C:\Programas\SiteAdvisor
2008-05-22 11:51:22 0 d-------- C:\Documents and Settings\q\Application Data\Camfrog
2008-05-22 11:49:06 0 d-------- C:\Programas\Camfrog
2008-05-13 18:46:48 20776 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-06 07:01:28 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-11 12:06:35 446372 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-11 12:06:35 71492 --a------ C:\WINDOWS\system32\perfc016.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [07-02-2002 19:01 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22-10-2006 13:22]
"nwiz"="nwiz.exe" [22-10-2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12-01-2006 15:40]
"NvMediaCenter"="NvMCTray.dll" [22-10-2006 13:22 C:\WINDOWS\system32\nvmctray.dll]
"SiteAdvisor"="C:\Programas\SiteAdvisor\6261\SiteAdv.exe" [16-05-2008 17:50]
"WinPatrol"="C:\Programas\BillP Studios\WinPatrol\winpatrol.exe" [25-04-2008 18:31]
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [01-12-2005 19:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSD_HDDThermo"="C:\Programas\HDD Thermometer\HDD Thermometer.exe" [01-04-2005 18:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Programas\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Programas\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Programas\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90415800-2d7e-11dd-836c-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\system32\msnvl.exe

-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net

18537 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-07-05 12:57:39 ------------

----------
DSS main log - after-clean

Deckard's System Scanner v20071014.68
Run by q on 2008-07-05 21:10:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
20: 2008-07-05 20:10:27 UTC - RP146 - Deckard's System Scanner Restore Point
19: 2008-07-05 16:32:11 UTC - RP145 - Installed Sygate Personal Firewall
18: 2008-07-05 16:02:02 UTC - RP144 - Removed Sygate Personal Firewall
17: 2008-07-05 15:54:36 UTC - RP143 - Installed Sygate Personal Firewall
16: 2008-07-05 11:49:56 UTC - RP142 - Deckard's System Scanner Restore Point

-- First Restore Point --
1: 2008-06-17 18:40:13 UTC - RP127 - Installed Creative Live! Cam Vista IM (VF0420)

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as q.exe) ---------------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 21:14:56
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Sygate\SPF\Smc.exe
C:\WINDOWS\explorer.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\q\Ambiente de trabalho\dss.exe
C:\Programas\Trend Micro\HijackThis\q.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol:
cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Folders\PKMCDO.DLL O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programas\Ficheiros comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Components\10\OWC10.DLL O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. 
- C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: lxcr_device - Unknown owner - C:\WINDOWS\system32\lxcrcoms.exe O23 - Service: NMIndexingService - Unknown owner - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\Smc.exe -- End of file - 7516 bytes -- File Associations ----------------------------------------------------------- All associations okay. -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------- R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver> R1 cpuidlep (CpuIdle Pro System Driver) - c:\windows\system32\drivers\cpuidlep.sys R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt> R1 XPROTECTOR - c:\windows\system32\drivers\oreans.sys R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture> S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing) S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing) S3 gmer - c:\windows\system32\drivers\gmer.sys (file missing) S3 hwdatacard (Huawei DataCard USB Modem and USB Serial) - c:\windows\system32\drivers\ewusbmdm.sys (file missing) S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file 
missing) S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus> -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------------- S4 NMIndexingService - "c:\programas\ficheiros comuns\ahead\lib\nmindexingservice.exe" (file missing) -- Device Manager: Disabled ---------------------------------------------------- No disabled devices found. -- Process Modules ------------------------------------------------------------- C:\WINDOWS\system32\winlogon.exe (pid 584) 2007-04-19 13:41:36 294912 --a------ C:\Programas\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor> C:\WINDOWS\system32\svchost.exe (pid 940) 2004-08-04 08:56:22 24064 --a------ C:\WINDOWS\system32\dmserver.dll <Not Verified; Microsoft Corp.; Gestor de discos lógicos para o Windows NT> C:\WINDOWS\explorer.exe (pid 1164) 2002-03-13 16:25:36 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent> -- Files created between 2008-06-05 and 2008-07-05 ----------------------------- 2008-07-05 18:28:19 0 dr-h----- C:\Documents and Settings\q\Recent 2008-07-05 17:32:23 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver> 2008-07-05 17:32:22 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt> 2008-07-05 17:32:13 0 d-------- C:\Programas\Sygate 2008-07-05 15:55:18 0 d-------- C:\Documents and Settings\q\Application Data\Malwarebytes 2008-07-05 15:55:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-07-05 15:55:14 0 d-------- C:\Programas\Malwarebytes' Anti-Malware 2008-06-17 19:44:18 0 d-------- C:\WINDOWS\CtDrvInstall 2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns\muvee Technologies 2008-06-17 19:42:03 0 d-------- C:\Programas\muvee Technologies 2008-06-17 19:41:19 0 d-------- C:\Documents and 
Settings\All Users\Application Data\muvee Technologies 2008-06-17 19:41:01 0 d-------- C:\Documents and Settings\q\Application Data\InstallShield 2008-06-17 19:40:24 0 d-------- C:\Programas\SightSpeed 2008-06-14 14:09:18 0 d-------- C:\Programas\SpywareBlaster 2008-06-11 14:19:16 0 d-------- C:\Documents and Settings\q\.gimp-2.4 2008-06-11 14:18:31 0 d-------- C:\Programas\GIMP-2.0 2008-06-11 13:53:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-06-11 13:53:05 0 d-------- C:\Programas\SUPERAntiSpyware 2008-06-11 13:53:05 0 d-------- C:\Documents and Settings\q\Application Data\SUPERAntiSpyware.com 2008-06-05 16:25:18 0 d-------- C:\Programas\DVD Decrypter 2008-06-05 15:05:32 0 d-------- C:\Programas\DVD Audio Extractor -- Find3M Report --------------------------------------------------------------- 2008-07-05 18:29:21 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat 2008-07-05 18:29:21 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat 2008-07-05 18:16:14 0 d-------- C:\Programas\mIRC 2008-07-05 18:12:09 0 d-------- C:\Programas\Steam 2008-07-05 18:00:01 0 d-------- C:\Programas\Lx_cats 2008-07-03 11:54:21 0 d-------- C:\Programas\FlashGet 2008-07-03 11:21:05 0 d-------- C:\Programas\eMule 2008-06-30 20:36:16 0 d-------- C:\Documents and Settings\q\Application Data\SiteAdvisor 2008-06-18 12:27:59 0 d-------- C:\Documents and Settings\q\Application Data\gtk-2.0 2008-06-18 12:11:31 30336 --a------ C:\Documents and Settings\q\Application Data\GDIPFONTCACHEV1.DAT 2008-06-17 20:38:51 0 d-------- C:\Documents and Settings\q\Application Data\Creative 2008-06-17 19:46:35 0 d--h----- C:\Programas\InstallShield Installation Information 2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns 2008-06-17 19:40:14 0 d-------- C:\Programas\Creative 2008-06-11 13:52:38 0 d-------- C:\Programas\Ficheiros comuns\Wise 
Installation Wizard 2008-06-09 16:41:32 0 d-------- C:\Documents and Settings\q\Application Data\WinPatrol 2008-06-05 15:32:18 0 d-------- C:\Documents and Settings\q\Application Data\dvdcss 2008-05-24 14:03:22 0 d-------- C:\Documents and Settings\q\Application Data\Adobe 2008-05-24 12:45:58 0 d-------- C:\Programas\Veoh Networks 2008-05-24 12:40:08 0 d-------- C:\Programas\BillP Studios 2008-05-24 12:36:14 0 d-------- C:\Programas\Java 2008-05-24 12:35:32 0 d-------- C:\Programas\Ficheiros comuns\Java 2008-05-24 12:30:09 0 d-------- C:\Programas\CCleaner 2008-05-24 12:10:55 0 d-------- C:\Documents and Settings\q\Application Data\Macromedia 2008-05-23 10:42:26 0 d-------- C:\Programas\SiteAdvisor 2008-05-22 11:51:22 0 d-------- C:\Documents and Settings\q\Application Data\Camfrog 2008-05-22 11:49:06 0 d-------- C:\Programas\Camfrog 2008-05-13 18:46:48 20776 --ah----- C:\WINDOWS\system32\mlfcache.dat 2008-05-06 07:01:28 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer> 2008-04-11 12:06:35 446372 --a------ C:\WINDOWS\system32\perfh016.dat 2008-04-11 12:06:35 71492 --a------ C:\WINDOWS\system32\perfc016.dat -- Registry Dump --------------------------------------------------------------- *Note* empty entries & legit default entries are not shown [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "WINDVDPatch"="CTHELPER.EXE" [07-02-2002 19:01 C:\WINDOWS\system32\CTHELPER.EXE] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22-10-2006 13:22] "nwiz"="nwiz.exe" [22-10-2006 13:22 C:\WINDOWS\system32\nwiz.exe] "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19] "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12-01-2006 15:40] "NvMediaCenter"="NvMCTray.dll" [22-10-2006 13:22 C:\WINDOWS\system32\nvmctray.dll] "SiteAdvisor"="C:\Programas\SiteAdvisor\6261\SiteAdv.exe" [16-05-2008 17:50] "WinPatrol"="C:\Programas\BillP Studios\WinPatrol\winpatrol.exe" [25-04-2008 18:31] 
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00] "SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40] "LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [01-12-2005 19:38] [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RSD_HDDThermo"="C:\Programas\HDD Thermometer\HDD Thermometer.exe" [01-04-2005 18:02] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56] "@"="" [] [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegistryTools"=0 (0x0) [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer] @= [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds] @="Service" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}] @="Volume shadow copy" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Microsoft Office.lnk] path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Microsoft Office.lnk backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint] "C:\Programas\Lexmark 2400 Series\ezprint.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection] C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe] "C:\Programas\Lexmark 2400 Series\lxcrmon.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ] "C:\Programas\Ahead\Nero BackItUp\NBJ.exe" [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg] C:\WINDOWS\UpdReg.EXE [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}] AutoRun\command- G:\AutoRun.exe [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90415800-2d7e-11dd-836c-000ae60cb2ed}] AutoRun\command- G:\AutoRun.exe [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}] C:\WINDOWS\system32\msnvl.exe -- Hosts ----------------------------------------------------------------------- 127.0.0.1 ad.a8.net 127.0.0.1 asy.a8ww.net 127.0.0.1 www.abx4.com #[Adware.ABXToolbar] 127.0.0.1 acezip.net #[SiteAdvisor.acezip.net] 127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions] 127.0.0.1 phpadsnew.abac.com 127.0.0.1 a.abnad.net 127.0.0.1 b.abnad.net 127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie] 127.0.0.1 d.abnad.net 18537 more entries in hosts file. 
-- End of Deckard's System Scanner: finished at 2008-07-05 21:18:11 ------------

----------

Also, for reference, I'm pasting below the last report I got from virustotal.com for the file mspdtc.dll:

File mspdtc.dll received on 07.05.2008 11:57:13 (CET)
Result: 11/33 (33.34%)

Antivirus          Version        Last Update   Result
AntiVir            7.8.0.64       2008.07.04    TR/Crypt.XPACK.Gen
Avast              4.8.1195.0     2008.07.04    Win32:VunDrop
eSafe              7.0.17.0       2008.07.03    Suspicious File
GData              2.0.7306.1023  2008.07.05    Trojan.Win32.Agent.tho
Ikarus             T3.1.1.26.0    2008.07.05    Virus.Win32.VunDrop
Kaspersky          7.0.0.125      2008.07.05    Trojan.Win32.Agent.tho
Microsoft          1.3704         2008.07.05    Trojan:Win32/Mesoum.A
Panda              9.0.0.4        2008.07.04    Suspicious file
Prevx1             V2             2008.07.05    Malicious Software
Sophos             4.31.0         2008.07.05    Mal/Behav-204
Webwasher-Gateway  6.6.2          2008.07.05    Trojan.Crypt.XPACK.Gen

Additional information
File size: 61952 bytes
MD5...: 7563ecdb81cc7692fb43945452acc5b5
SHA1..: fd2784c49f3f6f1c39f77d453b09e634fe65c636
SHA256: d9f897f595e215503e551fa5411c1c1e9bede899d1cf20b9a3484382f8d3f19b
SHA512: a5ee4ab57b89f53437780b9f478992dae9fdd719966db09baae969f9c1aa141b62d2edecbce3cfc30e62e0865de54e658674d7c41ecfd1274eef7070beb8826d
PEiD..: -
PEInfo: PE Structure information
Prevx info: http://info.prevx.com/aboutprogramtext.asp...C864D0005D74518

----------

Once more, thank you so much already for all further help.
Attached File(s)
dss_extra_2008_07_05_pre_clean.txt (32.91k)
dss_extra_2008_07_05_after_clean.txt (33.07k)
Jul 19 2008, 05:54 AM
Post #2
Forum Regular
Group: Members
Posts: 176
Joined: 5-May 06
Member No.: 66,788
Just to add an updated DSS report (since it's been a couple weeks) if wanted/needed:
DSS main report

Deckard's System Scanner v20071014.68
Run by q on 2008-07-18 20:08:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
20: 2008-07-18 19:08:14 UTC - RP155 - Deckard's System Scanner Restore Point
19: 2008-07-18 11:23:04 UTC - RP154 - Ponto de verificação do sistema
18: 2008-07-17 10:40:14 UTC - RP153 - Ponto de verificação do sistema
17: 2008-07-13 22:39:33 UTC - RP152 - Ponto de verificação do sistema
16: 2008-07-12 20:07:28 UTC - RP151 - Ponto de verificação do sistema

-- First Restore Point --
1: 2008-06-27 20:09:03 UTC - RP136 - Ponto de verificação do sistema

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as q.exe) ---------------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-18 20:12:43
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Sygate\SPF\Smc.exe
C:\WINDOWS\explorer.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Documents and Settings\q\Ambiente de trabalho\dss.exe
C:\Programas\Trend Micro\HijackThis\q.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programas\Ficheiros comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - Unknown owner - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\Smc.exe

--
End of file - 7550 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 cpuidlep (CpuIdle Pro System Driver) - c:\windows\system32\drivers\cpuidlep.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R1 XPROTECTOR - c:\windows\system32\drivers\oreans.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)
S3 gmer - c:\windows\system32\drivers\gmer.sys (file missing)
S3 hwdatacard (Huawei DataCard USB Modem and USB Serial) - c:\windows\system32\drivers\ewusbmdm.sys (file missing)
S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 NMIndexingService - "c:\programas\ficheiros comuns\ahead\lib\nmindexingservice.exe" (file missing)

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 584)
2007-04-19 13:41:36 294912 --a------ C:\Programas\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 940)
2004-08-04 08:56:22 24064 --a------ C:\WINDOWS\system32\dmserver.dll <Not Verified; Microsoft Corp.; Gestor de discos lógicos para o Windows NT>

C:\WINDOWS\explorer.exe (pid 1172)
2002-03-13 16:25:36 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>

-- Files created between 2008-06-18 and 2008-07-18 -----------------------------

2008-07-18 13:58:21 0 dr-h----- C:\Documents and Settings\q\Recent
2008-07-05 17:32:23 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-07-05 17:32:22 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-07-05 17:32:13 0 d-------- C:\Programas\Sygate
2008-07-05 15:55:18 0 d-------- C:\Documents and Settings\q\Application Data\Malwarebytes
2008-07-05 15:55:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 15:55:14 0 d-------- C:\Programas\Malwarebytes' Anti-Malware

-- Find3M Report ---------------------------------------------------------------

2008-07-18 19:58:51 0 d-------- C:\Programas\Lx_cats
2008-07-18 13:59:23 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-18 13:59:23 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-17 21:52:51 0 d-------- C:\Programas\Steam
2008-07-17 19:27:35 0 d-------- C:\Programas\SpywareBlaster
2008-07-15 22:37:38 0 d-------- C:\Programas\mIRC
2008-07-14 14:49:24 0 d-------- C:\Documents and Settings\q\Application Data\gtk-2.0
2008-07-12 12:14:18 0 d-------- C:\Programas\eMule
2008-07-10 16:56:22 0 d-------- C:\Programas\FlashGet
2008-07-07 21:10:13 19484 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-30 20:36:16 0 d-------- C:\Documents and Settings\q\Application Data\SiteAdvisor
2008-06-18 12:11:31 30336 --a------ C:\Documents and Settings\q\Application Data\GDIPFONTCACHEV1.DAT
2008-06-17 20:38:51 0 d-------- C:\Documents and Settings\q\Application Data\Creative
2008-06-17 19:46:35 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-17 19:42:11 0 d-------- C:\Programas\Ficheiros comuns\muvee Technologies
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns
2008-06-17 19:42:03 0 d-------- C:\Programas\muvee Technologies
2008-06-17 19:41:01 0 d-------- C:\Documents and Settings\q\Application Data\InstallShield
2008-06-17 19:40:39 0 d-------- C:\Programas\SightSpeed
2008-06-17 19:40:14 0 d-------- C:\Programas\Creative
2008-06-11 14:18:36 0 d-------- C:\Programas\GIMP-2.0
2008-06-11 13:53:08 0 d-------- C:\Programas\SUPERAntiSpyware
2008-06-11 13:53:05 0 d-------- C:\Documents and Settings\q\Application Data\SUPERAntiSpyware.com
2008-06-11 13:52:38 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-09 16:41:32 0 d-------- C:\Documents and Settings\q\Application Data\WinPatrol
2008-06-05 16:25:24 0 d-------- C:\Programas\DVD Decrypter
2008-06-05 15:32:18 0 d-------- C:\Documents and Settings\q\Application Data\dvdcss
2008-06-05 15:05:34 0 d-------- C:\Programas\DVD Audio Extractor
2008-05-24 14:03:22 0 d-------- C:\Documents and Settings\q\Application Data\Adobe
2008-05-24 12:45:58 0 d-------- C:\Programas\Veoh Networks
2008-05-24 12:40:08 0 d-------- C:\Programas\BillP Studios
2008-05-24 12:36:14 0 d-------- C:\Programas\Java
2008-05-24 12:35:32 0 d-------- C:\Programas\Ficheiros comuns\Java
2008-05-24 12:30:09 0 d-------- C:\Programas\CCleaner
2008-05-24 12:10:55 0 d-------- C:\Documents and Settings\q\Application Data\Macromedia
2008-05-23 10:42:26 0 d-------- C:\Programas\SiteAdvisor
2008-05-22 11:51:22 0 d-------- C:\Documents and Settings\q\Application Data\Camfrog
2008-05-22 11:49:06 0 d-------- C:\Programas\Camfrog
2008-05-06 07:01:28 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [07-02-2002 19:01 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22-10-2006 13:22]
"nwiz"="nwiz.exe" [22-10-2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12-01-2006 15:40]
"NvMediaCenter"="NvMCTray.dll" [22-10-2006 13:22 C:\WINDOWS\system32\nvmctray.dll]
"SiteAdvisor"="C:\Programas\SiteAdvisor\6261\SiteAdv.exe" [16-05-2008 17:50]
"WinPatrol"="C:\Programas\BillP Studios\WinPatrol\winpatrol.exe" [25-04-2008 18:31]
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [01-12-2005 19:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSD_HDDThermo"="C:\Programas\HDD Thermometer\HDD Thermometer.exe" [01-04-2005 18:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Programas\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Programas\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Programas\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90415800-2d7e-11dd-836c-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\system32\msnvl.exe

-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

18879 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-07-18 20:15:57 ------------

--------------------

P.S. I know our Java is one update behind by now. I shall be updating it as soon as we're done with all the cleaning from this current infection. Also, I forgot to mention it in my initial post: I did save the malware file mspdtc.dll if required for any further analysis. Thank you once again.
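An added example (my own code, not part of DeLuk's post, of Bleeping Computer's instructions, or of DSS itself) that does programmatically what the thread does by eye: it parses the "-- Registry Dump" section of a DSS main report in the line format visible above, records each value line with the key it sits under and the first executable path it references, flags the autostart locations a responder checks first (Active Setup Installed Components, MountPoints2 AutoRun handlers, Winlogon notify packages, ShellExecuteHooks), and runs the same kind of "is mspdtc still referenced anywhere?" search that DeLuk did with RegSearch, but over the log. The sample log is constructed from lines copied out of the post above; the one-line descriptions of what each watch-listed key does are my summary of general Windows behaviour, not something the thread states.

```python
"""Autostart triage over a Deckard's System Scanner (DSS) registry dump.

Added example, not code from the thread or from DSS. Parses the
'-- Registry Dump' section in the line format visible above, flags the
autostart locations a responder checks first, and searches for a string
such as "mspdtc".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: lines copied from the DSS log posted in this thread.
SAMPLE_LOG = r"""
-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19]
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56]
"@"="" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\system32\msnvl.exe

-- Hosts -----------------------------------------------------------------------
127.0.0.1 ad.a8.net
"""

# Drive-letter path ending in a launchable/loadable extension, delimited by
# whitespace, a quote, a closing bracket or end of line.
PATH_RE = re.compile(r'(?i)[a-z]:\\[^"\[\]\r\n]*?\.(?:exe|dll|cpl|scr|sys|lnk)(?=$|[\s"\]])')

# Lower-case key fragments that deserve a second look, and why (my summary, not from the thread).
WATCHLIST: List[Tuple[str, str]] = [
    ("active setup\\installed components", "Active Setup StubPath, run once per user profile at logon"),
    ("\\mountpoints2\\", "MountPoints2 AutoRun\\command, run by Explorer when the volume is opened"),
    ("\\winlogon\\notify\\", "Winlogon notify package, DLL loaded into winlogon.exe"),
    ("\\shellexecutehooks", "ShellExecuteHook, COM object loaded into Explorer"),
]


@dataclass
class Entry:
    key: str             # registry key the line appeared under
    raw: str             # the DSS line as written
    path: Optional[str]  # first executable path the line references, if any


def parse_registry_dump(text: str) -> List[Entry]:
    """Parse the '-- Registry Dump' section: '[KEY]' headers and the value lines under them."""
    entries: List[Entry] = []
    key: Optional[str] = None
    inside = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-- Registry Dump"):
            inside = True
            continue
        if not inside or not line:
            continue
        if line.startswith("-- "):      # next DSS section, e.g. '-- Hosts'
            break
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        if key is None:                 # '*Note*' text before the first key
            continue
        m = PATH_RE.search(line)
        entries.append(Entry(key=key, raw=line, path=m.group(0) if m else None))
    return entries


def flag_entries(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Pair every entry under a watch-listed key with the reason it is listed."""
    flagged = []
    for e in entries:
        for fragment, why in WATCHLIST:
            if fragment in e.key.lower():
                flagged.append((e, why))
                break
    return flagged


def find_references(entries: List[Entry], needle: str) -> List[Entry]:
    """Case-insensitive substring search over keys and lines, like a RegSearch on the log."""
    n = needle.lower()
    return [e for e in entries if n in e.key.lower() or n in e.raw.lower()]


if __name__ == "__main__":
    parsed = parse_registry_dump(SAMPLE_LOG)
    for e, why in flag_entries(parsed):
        print(f"[!] {e.path or e.raw}\n    {e.key}\n    {why}")
    print("mspdtc references:", [e.raw for e in find_references(parsed, "mspdtc")])
```

On the sample the three flagged entries are the SUPERAntiSpyware ShellExecuteHook, the `G:\AutoRun.exe` MountPoints2 handler and the Active Setup component pointing at `C:\WINDOWS\system32\msnvl.exe`; the search for "mspdtc" comes back empty, matching what DeLuk reports from RegSearch. Being flagged only means the location is one that malware likes to use, so each path still has to be checked (publisher, timestamp, hash) before anything is removed.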
Jul 30 2008, 03:38 PM
Post #3
Member
Group: HJT Team
Posts: 72
Joined: 28-August 06
Member No.: 82,703
Hi DeLuk
Apologies that it's been a (long!) while you've been waiting. If you are still needing help, please post fresh DSS logs. Thanks
Jul 31 2008, 08:43 AM
Post #4
Forum Regular
Group: Members
Posts: 176
Joined: 5-May 06
Member No.: 66,788
Hi Vino Rosso, and thanks for the reply. Next are fresh DSS logs for your review, as requested. (The computer appears to be running OK/normally thus far.) I may add too that just over the weekend I ran routine scans with both Avast and SUPERAntiSpyware, and all came clean, and today I also ran scans with Kaspersky Online Scanner and Malwarebytes' Anti-Malware (complete scan this time), and both came clean as well. For reference, additionally (forgot to mention this before), after the malware file had been quarantined by Avast, I had also done a RegSearch for mspdtc, which returned empty. I double-checked with a manual search via regedit, and no reference to mspdtc was found in the registry. I repeated the search today, and again no trace of it. (Unfortunately, due to the lagging/freezing of the system at the time, there was no chance to do the same reference search prior to the quarantining of the malware, thus I cannot say whether there might have been any reference to mspdtc in the registry while the malware was still "in action".) Other than that, and with regard to the DSS logs, I also have a couple of doubts about some entries in there, which however do not actually relate to the current infection; I wonder though whether I may take the chance to ask you about those later on, after we're all done with the current infection? Most appreciated. Thanks again for your support.

--------------------
DSS main report

Deckard's System Scanner v20071014.68
Run by q on 2008-07-31 11:06:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2008-07-31 10:06:17 UTC - RP160 - Deckard's System Scanner Restore Point
19: 2008-07