Mspdtc.dll Picked By Avast As Win32:vundrop


  • This topic is locked
25 replies to this topic

#1 DeLuk

DeLuk

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:07:23 AM

Posted 07 July 2008 - 01:25 PM

Greetings to the forum. :)

So it looks like my brother did it again. :thumbsup: And here I am once more, in need of your expert help with our home PC. (Home PC running WinXP SP2. Security "suite" includes: Avast antivirus + Sygate firewall + WinPatrol + SpywareBlaster + MVPS Hosts + IE-SpyAd + Spybot S&D + SUPERAntiSpyware + AVG Anti-Spyware + Ad-Aware SE.) Most appreciated if you can please check whether all of this new infection is cleaned...

Once I booted, after my brother had used the computer, it just went odd: it would lag/freeze indefinitely, and the Sygate firewall systray icon just wouldn't load. I could hardly bring up the Task Manager, due to the lag/freeze, but eventually it would pop up, and I could confirm that the Sygate firewall was actually running, as its process smc.exe was showing, yet the systray icon just wouldn't load, and the computer would just hang, leaving me only the chance to reset. I tried that a handful of times, but the same would always happen, so I decided to uninstall the Sygate firewall for the time being. (My first thought at this point was that the Sygate firewall might be having some kind of conflict or something, so the idea was to uninstall and re-install it, to see if that would solve the case. Note that at this point I had no idea that the computer was actually infected. Also, just a couple of days before I had done a full routine malware scan, registry and system backup, defrag, etc...)

I could also hardly access the Control Panel, due to the lag/freeze, but eventually it showed, and so I managed to uninstall the Sygate firewall. During the uninstallation, however, the Avast resident scanner popped up a warning, saying that malware had been found: Win32VunDrop [Drp], file C:\Windows\System32\mspdtc.dll. There was also a Windows Control Panel message, saying: "An error has occurred when Windows was processing the file C:\Windows\System32\netsetup.cpl of the Control Panel.". I clicked OK on the Windows Control Panel message, and for the time being chose "No action" on the Avast message. The uninstallation of the Sygate firewall completed and I followed the prompt for reboot. I had hoped that, after uninstalling the Sygate firewall, at least the lag/freeze problem would be gone, and then I would be able to check out what was with that new malware that Avast had picked up. Wrong! The lag/freeze was still there after the reboot, so I could only conclude that this hadn't been because of the Sygate firewall as first thought, but obviously had to be connected with the malware infection. (At once, from the name referred to by Avast, I thought this should be related to Vundo/Virtumundo... Yet I'm not at all sure, since I haven't so far experienced any of the popups for fake security programs which seem to be characteristic of Vundo/Virtumundo infections, and neither did my brother, at least so he says, get any such popups or notice any "strange behaviour" while he was last online... So I really don't know whether this is related to Vundo/Virtumundo after all, or?...)

The system/desktop would just end up hanging for some 10+ minutes (even the clock would stay unaltered), until eventually the Avast resident scanner would again end up detecting the malware file. Again I chose "No action" (which is supposed to prevent the malware from being "activated") and so the malware file would then become "neutralized". At this point the lag/freeze would stop (or at least turn rather imperceptible). I went to the Control Panel, to check the Security Centre and make sure that at least the Windows Firewall would be on. To my surprise, on opening the Security Centre, the message there was: "The Security Centre isn't currently available because the Security Centre service wasn't started or has been interrupted. Close this window, reboot the computer (or restart the Security Centre service) and, next, open the Security Centre again.". And on opening the Windows Firewall, a message popped up saying: "The Windows Firewall settings can't be displayed because the associated service isn't running. Do you wish to start the Windows Firewall/Internet Connection Sharing (ICS) service?". I clicked yes to that and the Windows Firewall turned on.

I rebooted, to check that both the Windows Firewall and the Security Centre would be on now. Again, wrong! After the lag/freeze stopped, after the Avast resident scanner "neutralized" the malware file, going back to the Control Panel, the Security Centre remained not available, and the Windows Firewall was off again. I tried it all again, yet, same result. Checking via services.msc I could verify, though, that both the Security Centre and the Windows Firewall services were set to "automatic". Neither of the two was started, however. I checked what services the Security Centre and the Windows Firewall depended on [respectively: Remote Procedure Call (RPC) and WMI (Windows Management Instrument) > Remote Procedure Call (RPC) + Event Registry for the Security Centre | Net Connections > Remote Procedure Call (RPC) and WMI (Windows Management Instrument) > Remote Procedure Call (RPC) + Event Registry for the Windows Firewall] and all of them were actually started at that point. In all of my humble ignorance, that did sound somewhat odd... So I went for a new reboot. Yet, this time, after the reboot completed, I momentarily disabled the Avast resident scanner, so it wouldn't pick up and "neutralize" the malware file for the time being. The lag/freeze would obviously remain, then, yet eventually I could end up accessing services.msc, and there I could verify that those services on which both the Security Centre and the Windows Firewall depended would all say in their status: "starting..." (which was actually the case for most of the other services too), and they'd just remain so indefinitely, until I'd re-enable the Avast resident scanner and the malware file would be "neutralized" by it. (I guess then that this was supposedly the reason for the Security Centre and Windows Firewall services, although set to "automatic", not having started, i.e. the fact that the services which these depended on hadn't started in due time, certainly prevented by the malware, no?
Also, if I tried to enable the Windows Firewall in the Control Panel, prior to the malware being "neutralized" by Avast, the Windows Firewall would just pop up the message: "Windows cannot start the Windows Firewall/Internet Connection Sharing (ICS) service.".)

Moved on to the cleaning of the malware then. First made a preliminary scan with Deckard's System Scanner, for reference. (Just a note here, to say that never again, since the first time I had run DSS - which I had done back in last March, by then just for my own reference - has the scanner produced the extra log, only the main one, and it also never again performed all the steps it was supposed to, such as backing up the registry, creating a System Restore point and more. I have ever since been intrigued by this "behaviour" of DSS?... Nonetheless, after some further searching now, I came across the command for displaying the scanner's settings, "%userprofile%\desktop\dss.exe" /config, as found on techsupportforum.com, and so I now run DSS this way, with all settings ticked, as opposed to only HijackThis + Files Created/Modified + Registry Dump + Whitelist Output + Check File Signatures, which are the ones shown ticked "by default"; don't know if this is how it's supposed to be, or?...)

Rebooted in Safe Mode and ran SUPERAntiSpyware + AVG Anti-Spyware + Spybot S&D. None of these scanners found anything. Next ran Avast. File C:\Windows\System32\mspdtc.dll was detected as Win32VunDrop [Drp] (plus a trace of it found in System Restore). At the end of the scan I tried to quarantine the files but this failed in Safe Mode (message was: "The Chest server isn't running. Communication with the remote procedure (RPC) failed."). I rebooted back to normal mode, re-ran Avast, and was able to successfully quarantine the malware now. (I don't recall being aware that it wasn't possible to quarantine items with Avast while in Safe Mode, though, hmm...) Rebooted again, following the quarantining of the malware, and upon reboot both the file C:\Windows\System32\mspdtc.dll and the lagging/freezing were gone, and all services, Security Centre and Windows Firewall included, now all started automatically and quickly and OK. Rebooted once again, now with the Internet connected (i.e. the cable modem connected to the computer), and all was a-OK just as well. Next, additionally downloaded and installed Malwarebytes' Anti-Malware (seeing that lately this pretty much is among the recommendations), and ran the quick scan (having the realtime protection, Avast and WinPatrol, disabled). Nothing was found.

Went for re-installing the Sygate firewall. Disconnected from the Internet and disabled the Windows Firewall first, obviously. Curiously, however, at this point the Security Centre did not notify me about there being no firewall enabled, although it was set to do so. I was intrigued again, went to check there, and the Security Centre did report the Sygate firewall as being enabled, even though it actually wasn't installed!? (Running a new DSS at this point, it too would refer to Sygate as the existing firewall!?) I assumed something must have gone wrong during the previous uninstallation (since the system was all lagging/freezing, due to the malware), causing the Sygate firewall not to uninstall properly, and so I re-installed it, uninstalled and re-installed it again, and seemingly everything is a-OK with it now too. Everything else also seems to be running just fine. I ran a new scan with SUPERAntiSpyware + AVG Anti-Spyware + Spybot S&D + Avast, and additionally this time also with Ad-Aware SE and Kaspersky Online Scanner, and all reported nothing found (except for Avast, which reported a couple of traces of Win32VunDrop [Drp] in System Restore, yet I know all these will be gone when System Restore is reset/flushed, yes).

I'd thus appreciate it if you'd please review my DSS logs (I'm including both the preliminary pre-clean one and the final after-clean one, for your reference) to confirm whether everything really got/is cleaned, or whether any additional scanner/clean tool needs to be run or anything further needs to be fixed?... I'll paste the main logs, and attach the extra ones (to avoid the post becoming too long), hope that's OK?... (Then again, I do also have logs from HJT, HJT StartupList, Silent Runners and AutoRuns, both from pre-clean and after-clean; if any are needed for further reference, please let me know and I'll include them next time.)

----------

DSS main log - pre-clean

Deckard's System Scanner v20071014.68
Run by q on 2008-07-05 12:49:47
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2008-07-05 11:49:56 UTC - RP142 - Deckard's System Scanner Restore Point
19: 2008-07-03 20:13:33 UTC - RP141 - Ponto de verificação do sistema
18: 2008-07-02 11:13:08 UTC - RP140 - Ponto de verificação do sistema
17: 2008-06-30 19:58:41 UTC - RP139 - Ponto de verificação do sistema
16: 2008-06-29 17:59:00 UTC - RP138 - Backup29-06-2008


-- First Restore Point --
1: 2008-06-17 18:38:46 UTC - RP123 - Installed Creative Live! Cam Manager


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as q.exe) ---------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 12:54:47
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Documents and Settings\q\Ambiente de trabalho\dss.exe
C:\Programas\Trend Micro\HijackThis\q.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programas\Ficheiros comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - Unknown owner - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe


--
End of file - 7294 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cpuidlep (CpuIdle Pro System Driver) - c:\windows\system32\drivers\cpuidlep.sys
R1 XPROTECTOR - c:\windows\system32\drivers\oreans.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)
S3 gmer - c:\windows\system32\drivers\gmer.sys (file missing)
S3 hwdatacard (Huawei DataCard USB Modem and USB Serial) - c:\windows\system32\drivers\ewusbmdm.sys (file missing)
S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 NMIndexingService - "c:\programas\ficheiros comuns\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 580)
2007-04-19 13:41:36 294912 --a------ C:\Programas\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 940)
2004-08-04 08:56:22 24064 --a------ C:\WINDOWS\system32\dmserver.dll <Not Verified; Microsoft Corp.; Gestor de discos lógicos para o Windows NT>

C:\WINDOWS\explorer.exe (pid 1300)
2002-03-13 16:25:36 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 12:16:55 0 dr-h----- C:\Documents and Settings\q\Recent
2008-06-17 19:44:18 0 d-------- C:\WINDOWS\CtDrvInstall
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns\muvee Technologies
2008-06-17 19:42:03 0 d-------- C:\Programas\muvee Technologies
2008-06-17 19:41:19 0 d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-06-17 19:41:01 0 d-------- C:\Documents and Settings\q\Application Data\InstallShield
2008-06-17 19:40:24 0 d-------- C:\Programas\SightSpeed
2008-06-14 14:09:18 0 d-------- C:\Programas\SpywareBlaster
2008-06-11 14:19:16 0 d-------- C:\Documents and Settings\q\.gimp-2.4
2008-06-11 14:18:31 0 d-------- C:\Programas\GIMP-2.0
2008-06-11 13:53:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-11 13:53:05 0 d-------- C:\Programas\SUPERAntiSpyware
2008-06-11 13:53:05 0 d-------- C:\Documents and Settings\q\Application Data\SUPERAntiSpyware.com
2008-06-05 16:25:18 0 d-------- C:\Programas\DVD Decrypter
2008-06-05 15:05:32 0 d-------- C:\Programas\DVD Audio Extractor


-- Find3M Report ---------------------------------------------------------------

2008-07-05 12:17:56 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-05 12:17:56 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-03 22:39:14 0 d-------- C:\Programas\mIRC
2008-07-03 11:54:21 0 d-------- C:\Programas\FlashGet
2008-07-03 11:21:05 0 d-------- C:\Programas\eMule
2008-07-02 21:14:00 0 d-------- C:\Programas\Lx_cats
2008-06-30 20:36:16 0 d-------- C:\Documents and Settings\q\Application Data\SiteAdvisor
2008-06-27 21:21:51 0 d-------- C:\Programas\Steam
2008-06-18 12:27:59 0 d-------- C:\Documents and Settings\q\Application Data\gtk-2.0
2008-06-18 12:11:31 30336 --a------ C:\Documents and Settings\q\Application Data\GDIPFONTCACHEV1.DAT
2008-06-17 20:38:51 0 d-------- C:\Documents and Settings\q\Application Data\Creative
2008-06-17 19:46:35 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns
2008-06-17 19:40:14 0 d-------- C:\Programas\Creative
2008-06-11 13:52:38 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-09 16:41:32 0 d-------- C:\Documents and Settings\q\Application Data\WinPatrol
2008-06-05 15:32:18 0 d-------- C:\Documents and Settings\q\Application Data\dvdcss
2008-05-24 14:03:22 0 d-------- C:\Documents and Settings\q\Application Data\Adobe
2008-05-24 12:45:58 0 d-------- C:\Programas\Veoh Networks
2008-05-24 12:40:08 0 d-------- C:\Programas\BillP Studios
2008-05-24 12:36:14 0 d-------- C:\Programas\Java
2008-05-24 12:35:32 0 d-------- C:\Programas\Ficheiros comuns\Java
2008-05-24 12:30:09 0 d-------- C:\Programas\CCleaner
2008-05-24 12:10:55 0 d-------- C:\Documents and Settings\q\Application Data\Macromedia
2008-05-23 10:42:26 0 d-------- C:\Programas\SiteAdvisor
2008-05-22 11:51:22 0 d-------- C:\Documents and Settings\q\Application Data\Camfrog
2008-05-22 11:49:06 0 d-------- C:\Programas\Camfrog
2008-05-13 18:46:48 20776 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-06 07:01:28 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-11 12:06:35 446372 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-11 12:06:35 71492 --a------ C:\WINDOWS\system32\perfc016.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [07-02-2002 19:01 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22-10-2006 13:22]
"nwiz"="nwiz.exe" [22-10-2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12-01-2006 15:40]
"NvMediaCenter"="NvMCTray.dll" [22-10-2006 13:22 C:\WINDOWS\system32\nvmctray.dll]
"SiteAdvisor"="C:\Programas\SiteAdvisor\6261\SiteAdv.exe" [16-05-2008 17:50]
"WinPatrol"="C:\Programas\BillP Studios\WinPatrol\winpatrol.exe" [25-04-2008 18:31]
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [01-12-2005 19:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSD_HDDThermo"="C:\Programas\HDD Thermometer\HDD Thermometer.exe" [01-04-2005 18:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Programas\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Programas\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Programas\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90415800-2d7e-11dd-836c-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\system32\msnvl.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net

18537 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-05 12:57:39 ------------

----------

DSS main log - after-clean

Deckard's System Scanner v20071014.68
Run by q on 2008-07-05 21:10:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2008-07-05 20:10:27 UTC - RP146 - Deckard's System Scanner Restore Point
19: 2008-07-05 16:32:11 UTC - RP145 - Installed Sygate Personal Firewall
18: 2008-07-05 16:02:02 UTC - RP144 - Removed Sygate Personal Firewall
17: 2008-07-05 15:54:36 UTC - RP143 - Installed Sygate Personal Firewall
16: 2008-07-05 11:49:56 UTC - RP142 - Deckard's System Scanner Restore Point


-- First Restore Point --
1: 2008-06-17 18:40:13 UTC - RP127 - Installed Creative Live! Cam Vista IM (VF0420)


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as q.exe) ---------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-05 21:14:56
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Sygate\SPF\Smc.exe
C:\WINDOWS\explorer.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Documents and Settings\q\Ambiente de trabalho\dss.exe
C:\Programas\Trend Micro\HijackThis\q.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programas\Ficheiros comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - Unknown owner - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\Smc.exe


--
End of file - 7516 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 cpuidlep (CpuIdle Pro System Driver) - c:\windows\system32\drivers\cpuidlep.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R1 XPROTECTOR - c:\windows\system32\drivers\oreans.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)
S3 gmer - c:\windows\system32\drivers\gmer.sys (file missing)
S3 hwdatacard (Huawei DataCard USB Modem and USB Serial) - c:\windows\system32\drivers\ewusbmdm.sys (file missing)
S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 NMIndexingService - "c:\programas\ficheiros comuns\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 584)
2007-04-19 13:41:36 294912 --a------ C:\Programas\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 940)
2004-08-04 08:56:22 24064 --a------ C:\WINDOWS\system32\dmserver.dll <Not Verified; Microsoft Corp.; Gestor de discos lógicos para o Windows NT>

C:\WINDOWS\explorer.exe (pid 1164)
2002-03-13 16:25:36 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>


-- Files created between 2008-06-05 and 2008-07-05 -----------------------------

2008-07-05 18:28:19 0 dr-h----- C:\Documents and Settings\q\Recent
2008-07-05 17:32:23 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-07-05 17:32:22 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-07-05 17:32:13 0 d-------- C:\Programas\Sygate
2008-07-05 15:55:18 0 d-------- C:\Documents and Settings\q\Application Data\Malwarebytes
2008-07-05 15:55:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 15:55:14 0 d-------- C:\Programas\Malwarebytes' Anti-Malware
2008-06-17 19:44:18 0 d-------- C:\WINDOWS\CtDrvInstall
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns\muvee Technologies
2008-06-17 19:42:03 0 d-------- C:\Programas\muvee Technologies
2008-06-17 19:41:19 0 d-------- C:\Documents and Settings\All Users\Application Data\muvee Technologies
2008-06-17 19:41:01 0 d-------- C:\Documents and Settings\q\Application Data\InstallShield
2008-06-17 19:40:24 0 d-------- C:\Programas\SightSpeed
2008-06-14 14:09:18 0 d-------- C:\Programas\SpywareBlaster
2008-06-11 14:19:16 0 d-------- C:\Documents and Settings\q\.gimp-2.4
2008-06-11 14:18:31 0 d-------- C:\Programas\GIMP-2.0
2008-06-11 13:53:20 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-06-11 13:53:05 0 d-------- C:\Programas\SUPERAntiSpyware
2008-06-11 13:53:05 0 d-------- C:\Documents and Settings\q\Application Data\SUPERAntiSpyware.com
2008-06-05 16:25:18 0 d-------- C:\Programas\DVD Decrypter
2008-06-05 15:05:32 0 d-------- C:\Programas\DVD Audio Extractor


-- Find3M Report ---------------------------------------------------------------

2008-07-05 18:29:21 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-05 18:29:21 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-05 18:16:14 0 d-------- C:\Programas\mIRC
2008-07-05 18:12:09 0 d-------- C:\Programas\Steam
2008-07-05 18:00:01 0 d-------- C:\Programas\Lx_cats
2008-07-03 11:54:21 0 d-------- C:\Programas\FlashGet
2008-07-03 11:21:05 0 d-------- C:\Programas\eMule
2008-06-30 20:36:16 0 d-------- C:\Documents and Settings\q\Application Data\SiteAdvisor
2008-06-18 12:27:59 0 d-------- C:\Documents and Settings\q\Application Data\gtk-2.0
2008-06-18 12:11:31 30336 --a------ C:\Documents and Settings\q\Application Data\GDIPFONTCACHEV1.DAT
2008-06-17 20:38:51 0 d-------- C:\Documents and Settings\q\Application Data\Creative
2008-06-17 19:46:35 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns
2008-06-17 19:40:14 0 d-------- C:\Programas\Creative
2008-06-11 13:52:38 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-09 16:41:32 0 d-------- C:\Documents and Settings\q\Application Data\WinPatrol
2008-06-05 15:32:18 0 d-------- C:\Documents and Settings\q\Application Data\dvdcss
2008-05-24 14:03:22 0 d-------- C:\Documents and Settings\q\Application Data\Adobe
2008-05-24 12:45:58 0 d-------- C:\Programas\Veoh Networks
2008-05-24 12:40:08 0 d-------- C:\Programas\BillP Studios
2008-05-24 12:36:14 0 d-------- C:\Programas\Java
2008-05-24 12:35:32 0 d-------- C:\Programas\Ficheiros comuns\Java
2008-05-24 12:30:09 0 d-------- C:\Programas\CCleaner
2008-05-24 12:10:55 0 d-------- C:\Documents and Settings\q\Application Data\Macromedia
2008-05-23 10:42:26 0 d-------- C:\Programas\SiteAdvisor
2008-05-22 11:51:22 0 d-------- C:\Documents and Settings\q\Application Data\Camfrog
2008-05-22 11:49:06 0 d-------- C:\Programas\Camfrog
2008-05-13 18:46:48 20776 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-05-06 07:01:28 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-04-11 12:06:35 446372 --a------ C:\WINDOWS\system32\perfh016.dat
2008-04-11 12:06:35 71492 --a------ C:\WINDOWS\system32\perfc016.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [07-02-2002 19:01 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22-10-2006 13:22]
"nwiz"="nwiz.exe" [22-10-2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12-01-2006 15:40]
"NvMediaCenter"="NvMCTray.dll" [22-10-2006 13:22 C:\WINDOWS\system32\nvmctray.dll]
"SiteAdvisor"="C:\Programas\SiteAdvisor\6261\SiteAdv.exe" [16-05-2008 17:50]
"WinPatrol"="C:\Programas\BillP Studios\WinPatrol\winpatrol.exe" [25-04-2008 18:31]
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40]
"LXCRCATS"="C:\WINDOWS\system32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [01-12-2005 19:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSD_HDDThermo"="C:\Programas\HDD Thermometer\HDD Thermometer.exe" [01-04-2005 18:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Programas\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Programas\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Programas\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90415800-2d7e-11dd-836c-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\system32\msnvl.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net

18537 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-05 21:18:11 ------------

----------

Also, for reference, I'm pasting below the last report I got from virustotal.com for the file mspdtc.dll:

File mspdtc.dll received on 07.05.2008 11:57:13 (CET)

Result: 11/33 (33.34%)

Antivirus Version Last Update Result

AntiVir 7.8.0.64 2008.07.04 TR/Crypt.XPACK.Gen
Avast 4.8.1195.0 2008.07.04 Win32:VunDrop
eSafe 7.0.17.0 2008.07.03 Suspicious File
GData 2.0.7306.1023 2008.07.05 Trojan.Win32.Agent.tho
Ikarus T3.1.1.26.0 2008.07.05 Virus.Win32.VunDrop
Kaspersky 7.0.0.125 2008.07.05 Trojan.Win32.Agent.tho
Microsoft 1.3704 2008.07.05 Trojan:Win32/Mesoum.A
Panda 9.0.0.4 2008.07.04 Suspicious file
Prevx1 V2 2008.07.05 Malicious Software
Sophos 4.31.0 2008.07.05 Mal/Behav-204
Webwasher-Gateway 6.6.2 2008.07.05 Trojan.Crypt.XPACK.Gen

Additional information
File size: 61952 bytes
MD5...: 7563ecdb81cc7692fb43945452acc5b5
SHA1..: fd2784c49f3f6f1c39f77d453b09e634fe65c636
SHA256: d9f897f595e215503e551fa5411c1c1e9bede899d1cf20b9a3484382f8d3f19b
SHA512: a5ee4ab57b89f53437780b9f478992dae9fdd719966db09baae969f9c1aa141b62d2edecbce3cfc30e62e0865de54e658674d7c41ecfd1274eef7070beb8826d
PEiD..: -
PEInfo: PE Structure information

Prevx info: http://info.prevx.com/aboutprogramtext.asp...C864D0005D74518

----------

Once more, thank you so much already, for all further help. :)


#2 DeLuk (Topic Starter)

Posted 19 July 2008 - 05:54 AM

Just to add an updated DSS report (since it's been a couple weeks) if wanted/needed:


DSS main report


Deckard's System Scanner v20071014.68
Run by q on 2008-07-18 20:08:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2008-07-18 19:08:14 UTC - RP155 - Deckard's System Scanner Restore Point
19: 2008-07-18 11:23:04 UTC - RP154 - Ponto de verificação do sistema
18: 2008-07-17 10:40:14 UTC - RP153 - Ponto de verificação do sistema
17: 2008-07-13 22:39:33 UTC - RP152 - Ponto de verificação do sistema
16: 2008-07-12 20:07:28 UTC - RP151 - Ponto de verificação do sistema


-- First Restore Point --
1: 2008-06-27 20:09:03 UTC - RP136 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as q.exe) ---------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-18 20:12:43
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Sygate\SPF\Smc.exe
C:\WINDOWS\explorer.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Documents and Settings\q\Ambiente de trabalho\dss.exe
C:\Programas\Trend Micro\HijackThis\q.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programas\Ficheiros comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - Unknown owner - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\Smc.exe


--
End of file - 7550 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 cpuidlep (CpuIdle Pro System Driver) - c:\windows\system32\drivers\cpuidlep.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R1 XPROTECTOR - c:\windows\system32\drivers\oreans.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)
S3 gmer - c:\windows\system32\drivers\gmer.sys (file missing)
S3 hwdatacard (Huawei DataCard USB Modem and USB Serial) - c:\windows\system32\drivers\ewusbmdm.sys (file missing)
S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 NMIndexingService - "c:\programas\ficheiros comuns\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 584)
2007-04-19 13:41:36 294912 --a------ C:\Programas\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 940)
2004-08-04 08:56:22 24064 --a------ C:\WINDOWS\system32\dmserver.dll <Not Verified; Microsoft Corp.; Gestor de discos lógicos para o Windows NT>

C:\WINDOWS\explorer.exe (pid 1172)
2002-03-13 16:25:36 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>


-- Files created between 2008-06-18 and 2008-07-18 -----------------------------

2008-07-18 13:58:21 0 dr-h----- C:\Documents and Settings\q\Recent
2008-07-05 17:32:23 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-07-05 17:32:22 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-07-05 17:32:13 0 d-------- C:\Programas\Sygate
2008-07-05 15:55:18 0 d-------- C:\Documents and Settings\q\Application Data\Malwarebytes
2008-07-05 15:55:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 15:55:14 0 d-------- C:\Programas\Malwarebytes' Anti-Malware


-- Find3M Report ---------------------------------------------------------------

2008-07-18 19:58:51 0 d-------- C:\Programas\Lx_cats
2008-07-18 13:59:23 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-18 13:59:23 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-17 21:52:51 0 d-------- C:\Programas\Steam
2008-07-17 19:27:35 0 d-------- C:\Programas\SpywareBlaster
2008-07-15 22:37:38 0 d-------- C:\Programas\mIRC
2008-07-14 14:49:24 0 d-------- C:\Documents and Settings\q\Application Data\gtk-2.0
2008-07-12 12:14:18 0 d-------- C:\Programas\eMule
2008-07-10 16:56:22 0 d-------- C:\Programas\FlashGet
2008-07-07 21:10:13 19484 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-30 20:36:16 0 d-------- C:\Documents and Settings\q\Application Data\SiteAdvisor
2008-06-18 12:11:31 30336 --a------ C:\Documents and Settings\q\Application Data\GDIPFONTCACHEV1.DAT
2008-06-17 20:38:51 0 d-------- C:\Documents and Settings\q\Application Data\Creative
2008-06-17 19:46:35 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-17 19:42:11 0 d-------- C:\Programas\Ficheiros comuns\muvee Technologies
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns
2008-06-17 19:42:03 0 d-------- C:\Programas\muvee Technologies
2008-06-17 19:41:01 0 d-------- C:\Documents and Settings\q\Application Data\InstallShield
2008-06-17 19:40:39 0 d-------- C:\Programas\SightSpeed
2008-06-17 19:40:14 0 d-------- C:\Programas\Creative
2008-06-11 14:18:36 0 d-------- C:\Programas\GIMP-2.0
2008-06-11 13:53:08 0 d-------- C:\Programas\SUPERAntiSpyware
2008-06-11 13:53:05 0 d-------- C:\Documents and Settings\q\Application Data\SUPERAntiSpyware.com
2008-06-11 13:52:38 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-09 16:41:32 0 d-------- C:\Documents and Settings\q\Application Data\WinPatrol
2008-06-05 16:25:24 0 d-------- C:\Programas\DVD Decrypter
2008-06-05 15:32:18 0 d-------- C:\Documents and Settings\q\Application Data\dvdcss
2008-06-05 15:05:34 0 d-------- C:\Programas\DVD Audio Extractor
2008-05-24 14:03:22 0 d-------- C:\Documents and Settings\q\Application Data\Adobe
2008-05-24 12:45:58 0 d-------- C:\Programas\Veoh Networks
2008-05-24 12:40:08 0 d-------- C:\Programas\BillP Studios
2008-05-24 12:36:14 0 d-------- C:\Programas\Java
2008-05-24 12:35:32 0 d-------- C:\Programas\Ficheiros comuns\Java
2008-05-24 12:30:09 0 d-------- C:\Programas\CCleaner
2008-05-24 12:10:55 0 d-------- C:\Documents and Settings\q\Application Data\Macromedia
2008-05-23 10:42:26 0 d-------- C:\Programas\SiteAdvisor
2008-05-22 11:51:22 0 d-------- C:\Documents and Settings\q\Application Data\Camfrog
2008-05-22 11:49:06 0 d-------- C:\Programas\Camfrog
2008-05-06 07:01:28 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [07-02-2002 19:01 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22-10-2006 13:22]
"nwiz"="nwiz.exe" [22-10-2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12-01-2006 15:40]
"NvMediaCenter"="NvMCTray.dll" [22-10-2006 13:22 C:\WINDOWS\system32\nvmctray.dll]
"SiteAdvisor"="C:\Programas\SiteAdvisor\6261\SiteAdv.exe" [16-05-2008 17:50]
"WinPatrol"="C:\Programas\BillP Studios\WinPatrol\winpatrol.exe" [25-04-2008 18:31]
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [01-12-2005 19:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSD_HDDThermo"="C:\Programas\HDD Thermometer\HDD Thermometer.exe" [01-04-2005 18:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Programas\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Programas\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Programas\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90415800-2d7e-11dd-836c-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\system32\msnvl.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

18879 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-18 20:15:57 ------------


--------------------


P.S. I know our Java is one update behind by now. I shall be updating it as soon as we're done with all the cleaning from this current infection.

Also I forgot to mention it on my initial post: I did save the malware file mspdtc.dll if required for any further analysis.

Thank you one time again. :thumbsup:


#3 Vino Rosso

Vino Rosso

  • Members
  • 88 posts
  • Local time:07:23 AM

Posted 30 July 2008 - 03:38 PM

Hi DeLuk

Apologies it's been a (long!) while that you've been waiting. If you are still needing help, please post fresh DSS logs.

Thanks

#4 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:07:23 AM

Posted 31 July 2008 - 08:43 AM

Hi Vino Rosso, and thanks back for the reply. :thumbsup: (And please, no apologies needed; I'm the one thankful for you guys' support and dedication!)

Next are fresh DSS logs for your review as requested. (Computer appears to be running ok/normally thus far.) I may add too that just over the weekend I ran routine scans with both Avast and SUPERAntiSpyware, and all came clean, and today I also ran scans with Kaspersky Online Scanner and Malwarebytes' Anti-Malware (complete scan this time), and both came clean as well. For reference, additionally (forgot to mention this before), after the malware file had been quarantined by Avast, I had also done a RegSearch for mspdtc, which returned empty. Double checked with a manual search via regedit, and no reference to mspdtc was found in the registry. I repeated the search today again, and no trace of it. (Unfortunately, due to the lagging/freezing of the system then, there was no chance to do the same reference search prior to the quarantining of the malware, thus I cannot say whether there might have been any reference to mspdtc in the registry while the malware was still "in action".)

Other than that, and with regards to the DSS logs, I do also have a couple of doubts about some entries in there, which however do not actually relate to the current infection. I wonder, though, whether I may take the chance to ask you about those later on, after we're all done with the current infection? Most appreciated.

Thanks again for your support. :)


--------------------


DSS main report

Deckard's System Scanner v20071014.68
Run by q on 2008-07-31 11:06:04
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
20: 2008-07-31 10:06:17 UTC - RP160 - Deckard's System Scanner Restore Point
19: 2008-07-30 19:45:47 UTC - RP159 - Ponto de verificação do sistema
18: 2008-07-29 12:25:46 UTC - RP158 - Ponto de verificação do sistema
17: 2008-07-25 11:55:05 UTC - RP157 - Ponto de verificação do sistema
16: 2008-07-24 10:14:24 UTC - RP156 - Ponto de verificação do sistema


-- First Restore Point --
1: 2008-07-03 20:13:33 UTC - RP141 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as q.exe) ---------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-07-31 11:10:39
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Sygate\SPF\Smc.exe
C:\WINDOWS\explorer.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Documents and Settings\q\Ambiente de trabalho\dss.exe
C:\Programas\Trend Micro\HijackThis\q.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programas\Ficheiros comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - Unknown owner - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\Smc.exe


--
End of file - 7550 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 cpuidlep (CpuIdle Pro System Driver) - c:\windows\system32\drivers\cpuidlep.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R1 XPROTECTOR - c:\windows\system32\drivers\oreans.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)
S3 gmer - c:\windows\system32\drivers\gmer.sys (file missing)
S3 hwdatacard (Huawei DataCard USB Modem and USB Serial) - c:\windows\system32\drivers\ewusbmdm.sys (file missing)
S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 NMIndexingService - "c:\programas\ficheiros comuns\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 584)
2007-04-19 13:41:36 294912 --a------ C:\Programas\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 940)
2004-08-04 08:56:22 24064 --a------ C:\WINDOWS\system32\dmserver.dll <Not Verified; Microsoft Corp.; Gestor de discos lógicos para o Windows NT>

C:\WINDOWS\explorer.exe (pid 1168)
2002-03-13 16:25:36 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>


-- Files created between 2008-06-30 and 2008-07-31 -----------------------------

2008-07-31 08:10:36 0 dr-h----- C:\Documents and Settings\q\Recent
2008-07-05 17:32:23 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-07-05 17:32:22 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-07-05 17:32:13 0 d-------- C:\Programas\Sygate
2008-07-05 15:55:18 0 d-------- C:\Documents and Settings\q\Application Data\Malwarebytes
2008-07-05 15:55:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 15:55:14 0 d-------- C:\Programas\Malwarebytes' Anti-Malware


-- Find3M Report ---------------------------------------------------------------

2008-07-31 11:01:35 0 d-------- C:\Programas\Lx_cats
2008-07-31 08:11:36 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-31 08:11:36 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-07-31 00:47:06 0 d-------- C:\Programas\SpywareBlaster
2008-07-30 22:26:32 0 d-------- C:\Programas\Steam
2008-07-30 18:17:33 0 d-------- C:\Programas\FlashGet
2008-07-27 15:46:07 0 d-------- C:\Programas\mIRC
2008-07-19 15:41:49 23272 --a------ C:\Documents and Settings\q\Application Data\GDIPFONTCACHEV1.DAT
2008-07-14 14:49:24 0 d-------- C:\Documents and Settings\q\Application Data\gtk-2.0
2008-07-12 12:14:18 0 d-------- C:\Programas\eMule
2008-07-07 21:10:13 19484 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-30 20:36:16 0 d-------- C:\Documents and Settings\q\Application Data\SiteAdvisor
2008-06-17 20:38:51 0 d-------- C:\Documents and Settings\q\Application Data\Creative
2008-06-17 19:46:35 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-17 19:42:11 0 d-------- C:\Programas\Ficheiros comuns\muvee Technologies
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns
2008-06-17 19:42:03 0 d-------- C:\Programas\muvee Technologies
2008-06-17 19:41:01 0 d-------- C:\Documents and Settings\q\Application Data\InstallShield
2008-06-17 19:40:39 0 d-------- C:\Programas\SightSpeed
2008-06-17 19:40:14 0 d-------- C:\Programas\Creative
2008-06-11 14:18:36 0 d-------- C:\Programas\GIMP-2.0
2008-06-11 13:53:08 0 d-------- C:\Programas\SUPERAntiSpyware
2008-06-11 13:53:05 0 d-------- C:\Documents and Settings\q\Application Data\SUPERAntiSpyware.com
2008-06-11 13:52:38 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-09 16:41:32 0 d-------- C:\Documents and Settings\q\Application Data\WinPatrol
2008-06-05 16:25:24 0 d-------- C:\Programas\DVD Decrypter
2008-06-05 15:32:18 0 d-------- C:\Documents and Settings\q\Application Data\dvdcss
2008-06-05 15:05:34 0 d-------- C:\Programas\DVD Audio Extractor
2008-05-06 07:01:28 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [07-02-2002 19:01 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22-10-2006 13:22]
"nwiz"="nwiz.exe" [22-10-2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19-07-2008 15:38]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12-01-2006 15:40]
"NvMediaCenter"="NvMCTray.dll" [22-10-2006 13:22 C:\WINDOWS\system32\nvmctray.dll]
"SiteAdvisor"="C:\Programas\SiteAdvisor\6261\SiteAdv.exe" [16-05-2008 17:50]
"WinPatrol"="C:\Programas\BillP Studios\WinPatrol\winpatrol.exe" [25-04-2008 18:31]
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [01-12-2005 19:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSD_HDDThermo"="C:\Programas\HDD Thermometer\HDD Thermometer.exe" [01-04-2005 18:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Programas\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Programas\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Programas\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90415800-2d7e-11dd-836c-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
C:\WINDOWS\system32\msnvl.exe



-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

18879 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-31 11:13:52 ------------


--------------------


If useful for reference here's also the last report I had gotten from VirusTotal for the file mspdtc.dll (as of 24-07):

AhnLab-V3 2008.7.24.0 2008.07.24 Win-Trojan/Mesoum.61952
AntiVir 7.8.1.11 2008.07.24 TR/Crypt.XPACK.Gen
Avast 4.8.1195.0 2008.07.24 Win32:VunDrop
AVG 8.0.0.130 2008.07.24 Win32/Heur
BitDefender 7.2 2008.07.24 Trojan.Generic.365111
CAT-QuickHeal 9.50 2008.07.22 Trojan.Agent.tho
ClamAV 0.93.1 2008.07.24 Trojan.Agent-34103
DrWeb 4.44.0.09170 2008.07.24 Trojan.Starter.546
eSafe 7.0.17.0 2008.07.23 Suspicious File
F-Secure 7.60.13501.0 2008.07.24 Trojan.Win32.Agent.tho
Fortinet 3.14.0.0 2008.07.24 PossibleThreat
GData 2.0.7306.1023 2008.07.24 Trojan.Win32.Agent.tho
Ikarus T3.1.1.34.0 2008.07.24 Virus.Win32.VunDrop
Kaspersky 7.0.0.125 2008.07.24 Trojan.Win32.Agent.tho
Microsoft 1.3704 2008.07.24 Trojan:Win32/Mesoum.A
NOD32v2 3293 2008.07.23 Win32/Agent.THO
Panda 9.0.0.4 2008.07.24 Suspicious file
Prevx1 V2 2008.07.24 Malicious Software
Sophos 4.31.0 2008.07.24 Mal/Behav-204
Sunbelt 3.1.1536.1 2008.07.18 Trojan.Win32.Agent.tho
TheHacker 6.2.96.387 2008.07.23 Trojan/Agent.tho
VBA32 3.12.8.1 2008.07.23 Trojan.Win32.Agent.tho
Webwasher-Gateway 6.6.2 2008.07.24 Trojan.Crypt.XPACK.Gen

File size: 61952 bytes

Prevx info: http://info.prevx.com/aboutprogramtext.asp...C864D0005D74518
ThreatExpert info: http://www.threatexpert.com/report.aspx?md...b43945452acc5b5

http://www.virustotal.com/analisis/55c3b45...5fe4b7dd89d794d


Edited by DeLuk, 31 July 2008 - 08:50 AM.


#5 Vino Rosso

Vino Rosso

  • Members
  • 88 posts
  • Local time:07:23 AM

Posted 31 July 2008 - 06:05 PM

Hi DeLuk

You've done a good job with cleaning the computer as your logs generally look good but there are a couple of entries I'd like to eliminate.

1 - Delete suspect files/folders
Using Windows Explorer, browse for the following file and delete as instructed

If you cannot see this file, you may have to reveal hidden files as follows:
In Windows Explorer, select Tools > Folder Options > View
Set 'Hidden files and folders' to Show hidden files and folders
Untick Hide extensions for known file types.
Untick Hide protected operating system files.
OK

C:\WINDOWS\System32\msnvl.exe <=== Delete this file only

2 - Back up the Registry
This is so the registry can be restored to this point if we need it.
Download ERUNT from >here< (scroll down to the server links for erunt-setup.exe) and save it to your Desktop
Double-click on erunt-setup.exe to install ERUNT following the default selections
Allow ERUNT to backup your registry, again using the default folder of C:\Windows\ERUNT\[today's date]
Click OK and 'Yes' to allow ERUNT to create the folder
ERUNT can be used to automatically backup the registry at start-up - an option recommended.

Note: Please do NOT continue until the above step has been completed.

3 - Registry Fix
Open Notepad, it must be Notepad not Wordpad.
Drag your mouse over the content of the quote box below to highlight all the text
Copy (Ctrl+C) and Paste (Ctrl+V) everything from the Quote box below into Notepad

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]


Note: In Notepad, there must be NO blank lines before the word 'REGEDIT4' and there MUST be one blank line at the end of all the lines. To do this, place the cursor at the end of the last line of text and press Return/Enter on the keyboard.

In Notepad, go to File > Save
Name the file "Fix.reg" (including the quotes)
Save the file to your desktop.
Close Notepad
Right-click on Fix.reg on your Desktop and select Merge
OK any warnings then re-boot your computer.

4 - Kaspersky Online Scan
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with >Kaspersky Online Scanner<. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Posted Image
  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Posted Image
  • Copy and paste the report in your next post.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

5 - Check on status
After you have completed the above, please reboot and provide:
  • the Kaspersky Scan report
  • a new HijackThis log and
  • a description of how your PC is behaving - what problems are you now experiencing?
Thanks
Vino
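
The procedure above (delete the orphaned executable reference, back up the registry, then remove the Active Setup key) can be turned into a repeatable check. The script below is an added example for this thread; it is not code from the thread, from Deckard's System Scanner or from any other tool named here. It assumes Windows PowerShell 3.0 or later and, for other users' HKEY_USERS hives, an elevated prompt; $BackupDir is an assumed location chosen for the example. It walks every Installed Components entry under HKLM (including WOW6432Node on 64-bit Windows), HKCU and the loaded HKEY_USERS hives, works out which file each StubPath would launch, and reports entries whose file is not on disk, which is the pattern of the msnvl.exe entry in the DSS log. Nothing is deleted; with -Backup it first exports each flagged key to a .reg file that regedit can merge back.

```powershell
# Active Setup audit (added example; assumes Windows PowerShell 3.0+).
# Reports Installed Components entries whose StubPath target is missing
# from disk and, with -Backup, exports those keys to .reg files first.
param(
    [string]$BackupDir = (Join-Path $env:TEMP 'ActiveSetupAudit'),  # assumed location
    [switch]$Backup
)

$relative = 'Software\Microsoft\Active Setup\Installed Components'

# HKU is not a default PowerShell drive; map it so other users' hives are visible.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$keyPaths = @(
    "HKLM:\$relative",
    "HKLM:\Software\WOW6432Node\Microsoft\Active Setup\Installed Components",
    "HKCU:\$relative"
)
$keyPaths += Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notmatch '_Classes$' } |
    ForEach-Object { "HKU:\$($_.PSChildName)\$relative" }

function Resolve-StubExecutable {
    # Returns the on-disk path of the program a StubPath would launch, or $null.
    # Handles quoted paths, trailing arguments, %SystemRoot%-style variables and
    # bare names such as rundll32.exe that Windows resolves from System32.
    param([string]$StubPath)
    if (-not $StubPath.Trim()) { return $null }
    $expanded = [Environment]::ExpandEnvironmentVariables($StubPath.Trim())
    if ($expanded -match '^"([^"]+)"') { $exe = $matches[1] }
    else { $exe = ($expanded -split '\s+')[0] }
    if ([System.IO.Path]::IsPathRooted($exe)) {
        if (Test-Path -LiteralPath $exe -PathType Leaf) { return $exe }
        return $null
    }
    # Unrooted name: check the directories CreateProcess would try first.
    foreach ($dir in @("$env:SystemRoot\System32", $env:SystemRoot)) {
        foreach ($candidate in @((Join-Path $dir $exe), (Join-Path $dir "$exe.exe"))) {
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
        }
    }
    return $null
}

function Get-ActiveSetupEntries {
    # One object per {GUID} subkey. Keys with no StubPath (the per-user
    # "already ran" markers) launch nothing and are reported with Missing=$false.
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue) {
            $props    = Get-ItemProperty -LiteralPath $key.PSPath
            $stub     = [string]$props.StubPath
            $resolved = Resolve-StubExecutable $stub
            [pscustomobject]@{
                Key         = $key.Name      # e.g. HKEY_LOCAL_MACHINE\Software\...\{GUID}
                StubPath    = $stub
                Executable  = $resolved
                Missing     = [bool]($stub.Trim() -and -not $resolved)
                IsInstalled = $props.IsInstalled
            }
        }
    }
}

$entries = @(Get-ActiveSetupEntries -Paths $keyPaths)
$orphans = @($entries | Where-Object { $_.Missing })

if ($Backup -and $orphans.Count -gt 0) {
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($o in $orphans) {
        # reg.exe export writes a Regedit-importable copy of the whole key.
        $file = Join-Path $BackupDir (($o.Key -replace '[\\:{}]', '_') + '.reg')
        & reg.exe export $o.Key $file /y | Out-Null
    }
}

"{0} Active Setup entries inspected, {1} with a missing StubPath target" -f $entries.Count, $orphans.Count
$orphans | Format-Table Key, StubPath -AutoSize
```

Run it from an elevated PowerShell prompt, adding -Backup when you intend to act on the findings, so that the export exists before any key is removed. Two points about reading the output: Active Setup launches a StubPath once per user, when the HKLM component's Version is newer than the copy recorded under that user's hive, and then writes the per-user key as a marker; a per-user key that carries no StubPath of its own therefore starts nothing, which is why the script does not flag it. And an HKLM entry whose target file is absent is a leftover rather than an active component, but it is still worth removing, because a file later dropped under that name would be launched for every profile that has not yet recorded the version.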

#6 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal
  • Local time:07:23 AM

Posted 01 August 2008 - 04:37 PM

Hi Vino Rosso, and thank you again for the reply.

With regards to this latest infection, related to that file mspdtc.dll, I was indeed led to believe it to be cleaned by now. Though, as the infection involved the Windows Security Centre having been "messed with", which I took as no good sign for sure, I came for an expert look over the case to confirm the final ok. With malware it's certainly never too much to be sure. :)

Then again, back to the DSS logs, and apart from this latest infection, funny that you just picked that entry relating to C:\WINDOWS\System32\msnvl.exe, as, as a matter of fact, that one's actually among those extra doubts I mentioned I was wishing to ask you about later on. :)

As I was saying in my initial post, back in last March I had done a DSS scan for the first time, just for my own reference by then, which was followed by a scan with AutoRuns, as there were some entries in there saying "File not found", which urged me to do some further searching about. And one of those entries indeed was that relating to C:\WINDOWS\System32\msnvl.exe. As I could learn from my search then, this file relates to malware (as reported by Sophos as well as BC's Startup List too). I thus can only guess this trace of it found in the registry must possibly/probably be some leftover from some old infection or something (?), as, as I say, no such file msnvl.exe was found anywhere in the system already back then when I ran those scans in last March. In fact, by then I had also done a registry search, both for msnvl and the id-string associated with that malware, 44AA3114-D221-43EC-1C32-1EAC52A2014D, and the time of last writing in each of the keys found was actually May 2005, if at all relevant to mention. In any case I repeated the search for the file today again. No file was found. Repeated also the registry search today as well, prior to applying the registry fix. I'm pasting next the keys found, for reference:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]
"StubPath"="C:\\WINDOWS\\system32\\msnvl.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]

[HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Microsoft\Active Setup\Installed Components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]


Followed up with the registry fix. Backed up the registry with ERUNT (I have actually had ERUNT installed for over a year now :)) and applied the fix as instructed. Merge was OK. Reboot was OK.

Did a new registry search for both msnvl and 44AA3114-D221-43EC-1C32-1EAC52A2014D to double check. The HKLM key is obviously gone. The HKCU and HKU ones remain. (Wondering whether these too should be due for removal/fix, or?...)

Then again, as I was also saying in my previous post, I had just run a routine scan with Kaspersky Online Scanner yesterday (online scanner version 7.0, Java, run from Firefox), along with one with Malwarebytes' Anti-Malware, both of which came back clean. Still, I ran a new scan today, as requested (online scanner version 5.0, ActiveX, run from IE). All clean (only mIRC, of course, gets flagged).


--------------------


Kaspersky Online Scan report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 01, 2008 9:13:19 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/08/2008
Kaspersky Anti-Virus database records: 1041049
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 59582
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:35:50

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\q\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\q\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\q\Definições locais\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\q\Definições locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\q\Definições locais\Histórico\History.IE5\MSHist012008080120080802\index.dat Object is locked skipped
C:\Documents and Settings\q\Definições locais\Temp\~DF23B9.tmp Object is locked skipped
C:\Documents and Settings\q\Definições locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\q\ntuser.dat Object is locked skipped
C:\Documents and Settings\q\ntuser.dat.LOG Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programas\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Programas\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Programas\Sygate\SPF\debug.log Object is locked skipped
C:\Programas\Sygate\SPF\rawlog.log Object is locked skipped
C:\Programas\Sygate\SPF\seclog.log Object is locked skipped
C:\Programas\Sygate\SPF\syslog.log Object is locked skipped
C:\Programas\Sygate\SPF\tralog.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP160\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\temp\Perflib_Perfdata_564.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{8E12C9B1-F7B5-42CA-A78E-C628A7FD5F9F}\RP160\change.log Object is locked skipped

Scan process completed.


--------------------


As requested as well, I'm also including next a fresh HJT log. (Just in case, I'll include one from DSS also. I understand part of those posts are "preset", so, as I'm not certain whether you meant indeed to ask for an HJT log only, rather than an updated DSS one, I'll include both, as I say, "just in case". I'm not attaching the DSS extra log this time around, however. If needed, though, let me know. It's basically the same as yesterday's anyway; the only differences are really the reference to Kaspersky Online Scanner in the Add/Remove Programs section and, of course, the Application Event Log section.) Other than that, regarding how the computer is behaving, as I was just saying yesterday, all appears to be running just fine.

Thank you once again for your time and help! :thumbsup:


--------------------


HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:36:23, on 01-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/ka...can_unicode.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\smc.exe

--
End of file - 6142 bytes


--------------------


DSS main log

Deckard's System Scanner v20071014.68
Run by q on 2008-08-01 21:37:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
20: 2008-07-31 10:06:17 UTC - RP160 - Deckard's System Scanner Restore Point
19: 2008-07-30 19:45:47 UTC - RP159 - Ponto de verificação do sistema
18: 2008-07-29 12:25:46 UTC - RP158 - Ponto de verificação do sistema
17: 2008-07-25 11:55:05 UTC - RP157 - Ponto de verificação do sistema
16: 2008-07-24 10:14:24 UTC - RP156 - Ponto de verificação do sistema


-- First Restore Point --
1: 2008-07-03 20:13:33 UTC - RP141 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as q.exe) ---------------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-01 21:41:59
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Sygate\SPF\Smc.exe
C:\WINDOWS\explorer.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programas\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programas\Alwil Software\Avast4\ashDisp.exe
C:\Programas\SiteAdvisor\6261\SiteAdv.exe
C:\Programas\BillP Studios\WinPatrol\WinPatrol.exe
C:\WINDOWS\V0420Mon.exe
C:\Programas\HDD Thermometer\HDD Thermometer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Documents and Settings\q\Ambiente de trabalho\dss.exe
C:\Programas\Trend Micro\HijackThis\q.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Programas\FlashGet\jccatch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Programas\FlashGet\getflash.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Programas\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [V0420Mon.exe] C:\WINDOWS\V0420Mon.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [RSD_HDDThermo] C:\Programas\HDD Thermometer\HDD Thermometer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Programas\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Programas\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programas\Spybot - Search & Destroy\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus-en/ka...can_unicode.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/softwareupdate/su2...15035/CTPID.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: lid - {5C135180-9973-46D9-ABF4-148267CBB8BF} - C:\WINDOWS\system32\msvidctl.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Programas\Ficheiros comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Programas\Ficheiros comuns\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - C:\Programas\SiteAdvisor\6261\SiteAdv.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programas\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTSVCCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programas\Ficheiros comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: lxcr_device - Unknown owner - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NMIndexingService - Unknown owner - C:\Programas\Ficheiros comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Serviço SiteAdvisor (SiteAdvisor Service) - Unknown owner - C:\Programas\SiteAdvisor\6261\SAService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Programas\Sygate\SPF\Smc.exe


--
End of file - 7687 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 cpuidlep (CpuIdle Pro System Driver) - c:\windows\system32\drivers\cpuidlep.sys
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R1 XPROTECTOR - c:\windows\system32\drivers\oreans.sys
R3 emupia (E-mu Plug-in Architecture Driver) - c:\windows\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>

S2 PfModNT - c:\windows\system32\drivers\pfmodnt.sys (file missing)
S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)
S3 gmer - c:\windows\system32\drivers\gmer.sys (file missing)
S3 hwdatacard (Huawei DataCard USB Modem and USB Serial) - c:\windows\system32\drivers\ewusbmdm.sys (file missing)
S3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys (file missing)
S3 SDTHOOK - c:\windows\system32\drivers\sdthook.sys <Not Verified; Panda Software; Panda® Antivirus>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S4 NMIndexingService - "c:\programas\ficheiros comuns\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 584)
2007-04-19 13:41:36 294912 --a------ C:\Programas\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\system32\svchost.exe (pid 940)
2004-08-04 08:56:22 24064 --a------ C:\WINDOWS\system32\dmserver.dll <Not Verified; Microsoft Corp.; Gestor de discos lógicos para o Windows NT>

C:\WINDOWS\explorer.exe (pid 1172)
2002-03-13 16:25:36 57344 --a------ C:\WINDOWS\system32\CTAGENT.DLL <Not Verified; Creative Technology Ltd; ctagent>


-- Files created between 2008-07-01 and 2008-08-01 -----------------------------

2008-08-01 21:22:09 0 dr-h----- C:\Documents and Settings\q\Recent
2008-08-01 15:24:37 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-08-01 15:24:35 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-05 17:32:23 60496 --a------ C:\WINDOWS\system32\drivers\Teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
2008-07-05 17:32:22 21075 --a------ C:\WINDOWS\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
2008-07-05 17:32:13 0 d-------- C:\Programas\Sygate
2008-07-05 15:55:18 0 d-------- C:\Documents and Settings\q\Application Data\Malwarebytes
2008-07-05 15:55:15 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-05 15:55:14 0 d-------- C:\Programas\Malwarebytes' Anti-Malware


-- Find3M Report ---------------------------------------------------------------

2008-08-01 21:29:18 0 d-------- C:\Programas\Lx_cats
2008-08-01 21:26:48 24 --a------ C:\WINDOWS\system32\DVCStateBkp-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-08-01 21:26:48 24 --a------ C:\WINDOWS\system32\DVCState-{00000000-00000000-0000000B-00001102-00000002-80641102}.dat
2008-08-01 13:46:15 0 d-------- C:\Programas\Steam
2008-07-31 23:34:15 0 d-------- C:\Programas\mIRC
2008-07-31 00:47:06 0 d-------- C:\Programas\SpywareBlaster
2008-07-30 18:17:33 0 d-------- C:\Programas\FlashGet
2008-07-19 15:41:49 23272 --a------ C:\Documents and Settings\q\Application Data\GDIPFONTCACHEV1.DAT
2008-07-14 14:49:24 0 d-------- C:\Documents and Settings\q\Application Data\gtk-2.0
2008-07-12 12:14:18 0 d-------- C:\Programas\eMule
2008-07-07 21:10:13 19484 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-06-30 20:36:16 0 d-------- C:\Documents and Settings\q\Application Data\SiteAdvisor
2008-06-17 20:38:51 0 d-------- C:\Documents and Settings\q\Application Data\Creative
2008-06-17 19:46:35 0 d--h----- C:\Programas\InstallShield Installation Information
2008-06-17 19:42:11 0 d-------- C:\Programas\Ficheiros comuns\muvee Technologies
2008-06-17 19:42:05 0 d-------- C:\Programas\Ficheiros comuns
2008-06-17 19:42:03 0 d-------- C:\Programas\muvee Technologies
2008-06-17 19:41:01 0 d-------- C:\Documents and Settings\q\Application Data\InstallShield
2008-06-17 19:40:39 0 d-------- C:\Programas\SightSpeed
2008-06-17 19:40:14 0 d-------- C:\Programas\Creative
2008-06-11 14:18:36 0 d-------- C:\Programas\GIMP-2.0
2008-06-11 13:53:08 0 d-------- C:\Programas\SUPERAntiSpyware
2008-06-11 13:53:05 0 d-------- C:\Documents and Settings\q\Application Data\SUPERAntiSpyware.com
2008-06-11 13:52:38 0 d-------- C:\Programas\Ficheiros comuns\Wise Installation Wizard
2008-06-09 16:41:32 0 d-------- C:\Documents and Settings\q\Application Data\WinPatrol
2008-06-05 16:25:24 0 d-------- C:\Programas\DVD Decrypter
2008-06-05 15:32:18 0 d-------- C:\Documents and Settings\q\Application Data\dvdcss
2008-06-05 15:05:34 0 d-------- C:\Programas\DVD Audio Extractor
2008-05-06 07:01:28 45056 --a------ C:\WINDOWS\system32\wnaspi32.dll <Not Verified; Adaptec; Adaptec's ASPI Layer>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WINDVDPatch"="CTHELPER.EXE" [07-02-2002 19:01 C:\WINDOWS\system32\CTHELPER.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22-10-2006 13:22]
"nwiz"="nwiz.exe" [22-10-2006 13:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19-07-2008 15:38]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [12-01-2006 15:40]
"NvMediaCenter"="NvMCTray.dll" [22-10-2006 13:22 C:\WINDOWS\system32\nvmctray.dll]
"SiteAdvisor"="C:\Programas\SiteAdvisor\6261\SiteAdv.exe" [16-05-2008 17:50]
"WinPatrol"="C:\Programas\BillP Studios\WinPatrol\winpatrol.exe" [25-04-2008 18:31]
"V0420Mon.exe"="C:\WINDOWS\V0420Mon.exe" [30-04-2007 02:00]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [01-12-2005 19:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSD_HDDThermo"="C:\Programas\HDD Thermometer\HDD Thermometer.exe" [01-04-2005 18:02]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04-08-2004 08:56]
"@"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programas\SUPERAntiSpyware\SASSEH.DLL [13-05-2008 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programas\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 13:41 294912 C:\Programas\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Arranque^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]
"C:\Programas\Lexmark 2400 Series\ezprint.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Programas\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]
"C:\Programas\Lexmark 2400 Series\lxcrmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"C:\Programas\Ahead\Nero BackItUp\NBJ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
C:\WINDOWS\UpdReg.EXE


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d4951d0-2d7f-11dd-836d-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{90415800-2d7e-11dd-836c-000ae60cb2ed}]
AutoRun\command- G:\AutoRun.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

18879 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-01 21:45:01 ------------


--------------------

Edited by DeLuk, 01 August 2008 - 04:39 PM.


#7 Vino Rosso


Posted 02 August 2008 - 01:39 PM

Hi DeLuk

... I thus can only guess this trace of it found in the registry must possibly/probably be some leftover from some old infection or something (?), as, as I say, no such file msnvl.exe was found anywhere in the system already back then when I ran those scans back in last March.

OK, well it seems that the registry entries can be tidied up. As you may well know, malware, and for that matter any software, may well be removed but it is not that easy to ensure that all associated registry entries are also removed.

Did a new registry search for both msnvl and 44AA3114-D221-43EC-1C32-1EAC52A2014D to double check. The HKLM key is obviously gone. The HKCU and HKU ones remain. (Wondering whether these too should be due for removal/fix, or?...)

As discussed above, these entries can also be removed.

Then again, as I was also saying in my previous post, I had just run a routine scan with Kaspersky Online Scanner just yesterday (online scanner version 7.0, Java, ran from Firefox), along with one with Malwarebytes' Anti-Malware, both of which came clean. Still I ran a new scan, today, as requested (online scanner version 5.0, ActiveX, ran from IE). All clean (only mirc, of course, gets flagged).

The newer 'Java' version is still under consideration... well, from my point of view anyway. I have found that it is not as good as the original ActiveX version as it does not report locked files.

Unless you are having any other problems, I see only one other thing to do... update Java.

1 - Update Java
You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of perceived vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system.
  • Download the latest version of Java by clicking >here<.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications." - usually fourth in the list.
  • Click the "Download" button to the right.
  • Select 'Windows' in the Platform drop-down.
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove ALL older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove ALL Java versions.
  • Reboot your computer once all Java components are removed.
  • Using Windows Explorer, delete the C:\Program Files\Java folder.
  • Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the latest version of Java.
Once the above has been completed, please post back with any final problems you may be experiencing with your computer.

Thanks
Vino

#8 DeLuk


Posted 03 August 2008 - 11:24 AM

Hi Vino Rosso, and thanks for new reply. :)

Re. Kaspersky Online Scanner:

The newer 'Java' version is still under consideration... well, from my point of view anyway. I have found that it is not as good as the original ActiveX version as it does not report locked files.


Indeed. Only infected/suspicious files are reported now with this newer Java version. Also, another downside, at least for me, is that it takes almost double the time for the scan to complete. :thumbsup: All in all, thanks for the handy link to the previous ActiveX version, which is no longer available at the main kaspersky.com site.

Speaking of Java:

Unless you are having any other problems, I see only one other thing to do... update Java.


Yes as I was saying at the start:

P.S. I know our Java is one update behind by now. I shall be updating it as soon as we're done with all the cleaning from this current infection.


Ok, done now, updated already. :)

And back to tidying up the registry from those leftovers of that msnvl.exe-related old infection. Thank you for confirming that both those remaining HKCU and HKU keys can be removed as well. I'd then only ask you to please further confirm whether I may use the same method as previously (i.e. apply a .reg fix), as well as what the "contents" of this new .reg fix file should now be (namely regarding the "header": REGEDIT 4 as before, or Windows Registry Editor Version 5.00). Please do confirm:

REGEDIT 4

[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]

[-HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Microsoft\Active Setup\Installed Components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]


Other than this, well, there's really only one other extra doubt I'd wish to ask you about, if I may, still going back to the DSS logs. :) (Well, in fact, there are also a couple more lil' things, but these don't actually relate to malware, so maybe this isn't even the appropriate place in the forum to ask about them, nor should I "steal" more of your time and trouble you with them...) This remaining doubt relates to the following entry, which is found within the Drivers section of the main log:

S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)

I noticed that already in that first DSS scan made back in last March. Also in the AutoRuns scan made by then (and which I also repeated now) there is reference to this DMSKSSRh.sys file:

HKLM\System\CurrentControlSet\Services
+ DMSKSSRh File not found: C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys


(File reported not found. Which is obvious, as its location was in a Temp folder, and I regularly clean those anyway. In any case, I just searched for it again today, and no such DMSKSSRh.sys file is to be found anywhere in the system.)

I had done some searching around on this file back then, and I could see that such entries referring to it appear rather commonly in DSS logs, as well as in ComboFix logs, respectively:

DSS >>> S3 DMSKSSRh - c:\docume~1\<user>\locals~1\temp\dmskssrh.sys (file missing)
ComboFix >>> S3 DMSKSSRh;DMSKSSRh;C:\DOCUME~1\<user>\LOCALS~1\Temp\DMSKSSRh.sys []

Then again, seemingly, Ewido, back in 2006, would detect this DMSKSSRh.sys file as malware (backdoor), according to, for example, the report in this thread at spywareinfo.com. Greatis does also report it as dangerous (trojan/backdoor).

I wonder, thus, whether this too may be a remainder of some old infection?...

If going to Windows Device Manager, and choosing to show hidden devices, within non Plug and Play devices there is this one DMSKSSRh. Device is reported to be functioning correctly. Current status is "stopped". Start type is "on demand".

For reference I did also a RegSearch for dmskssrh which returned as follows:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 03-08-2008 13:57:16 for strings:
; 'dmskssrh'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH\0000]
"Service"="DMSKSSRh"
"DeviceDesc"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]
; Contents of value:
; \??\C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH\0000]
"Service"="DMSKSSRh"
"DeviceDesc"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DMSKSSRh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DMSKSSRh]
; Contents of value:
; \??\C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DMSKSSRh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH\0000]
"Service"="DMSKSSRh"
"DeviceDesc"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh]
; Contents of value:
; \??\C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh\Enum]
"0"="Root\\LEGACY_DMSKSSRH\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH\0000]
"Service"="DMSKSSRh"
"DeviceDesc"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh]
; Contents of value:
; \??\C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh\Enum]
"0"="Root\\LEGACY_DMSKSSRH\\0000"

; End Of The Log...


On a side note, if relevant to mention, the last-write time of those keys is July 2007 for some, December 2007 for others, and for others yet today, the time of the latest boot (it changes with each new boot).

I wonder, then, whether anything here too should be due for removal/fix?... (Or eventually first the DMSKSSRh device should be removed via Windows Device Manager or?...) Please do advise.

Thank you greatly, once more, for your support and patience. :spacer:

Edited by DeLuk, 03 August 2008 - 11:31 AM.


#9 Vino Rosso


Posted 05 August 2008 - 05:07 PM

Hi

On the reg fix for msnvl, it's hard to say whether the HKEY_USERS entry, by itself, is for the console user account or the secondary account. Either way, the reg fix will work as it stands.

1 - Registry Fix
Open Notepad, it must be Notepad not Wordpad.
Drag your mouse over the content of the quote box below to highlight all the text
Copy (Ctrl+C) and Paste (Ctrl+V) everything from the Quote box below into Notepad

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Active Setup\Installed Components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]

[-HKEY_USERS\S-1-5-21-1202660629-1060284298-1708537768-1003\Software\Microsoft\Active Setup\Installed Components\{44AA3114-D221-43EC-1C32-1EAC52A2014D}]


Note: In Notepad, there must be NO blank lines before the word 'REGEDIT4' and there MUST be one blank line at the end of all the lines. To do this, place the cursor at the end of the last line of text and press Return/Enter on the keyboard.

In Notepad, go to File > Save
Name the file "Fix1.reg" (including the quotes)
Save the file to your desktop.
Close Notepad
Right-click on Fix1.reg on your Desktop and select Merge
OK any warnings then re-boot your computer.

As for dmskssrh.sys, I did see the entry and realised that it was likely that a previous scan removed the driver file. I thought that the old infection would have left many registry entries... confirmed by your post of the registry search using Bobbi Flekman's tool. Removing many of the entries is not as straightforward as the above reg fix, as elevated permissions may be required. I would need to read up on a few of the locations as, hands up, there are some I haven't dealt with for a while. I would say that the risk involved in removing the entries far outweighs any benefit but, if you wish to remove them, I'll see what I can do. Please let me know what you wish to do.

Vino

#10 DeLuk


Posted 06 August 2008 - 10:35 AM

Hi Vino Rosso, and thank you again, for reply. :spacer:

Regarding those remaining leftovers in the registry from the msnvl.exe-related infection: thank you for confirming the reg fix. Applied it already. (Having previously backed up the registry, of course. The importance of this step can certainly never be stressed too much, also for anyone else reading this thread in future. :)) Merge ok. Reboot ok.

And as with regards to DMSKSSRh.sys: thank you for further enlightenment. I fully understand your point. And taking also into account your consideration:

... I would say that the risk involved in removing the entries far outweighs any benefit...


I think this layman will humbly keep from venturing any reg fix there, then. :) All in all, if those keys being there did no harm before, certainly it will do no harm for them to remain, I reckon. (Also, I don't want to cause so much trouble for you, moreover when it's unneeded, certainly not. :spacer:) Anyway, maybe sometime later I'll bring the issue up to the forum again, along with those other extra doubts not related to malware that I also wish to ask about, and by then I'll think about it again...

Only just wondering yet, though, regarding that entry for DMSKSSRh found in Windows Device Manager. Should this be removed from there anyway? Or should it also be left as is, there too? (Would it be of any benefit to just get DMSKSSRh removed in Windows Device Manager, i.e. simply select it and choose to uninstall?... Or could trying that in fact lead to some sort of error or conflict, due to the fact that the file DMSKSSRh.sys itself no longer exists?...) Again, I'd appreciate it if you'd please advise.

And also again, thank you, for all help. :thumbsup: (And overall pardon all of my ignorance, which surely stands out, in some of my asking... :))

#11 Vino Rosso


Posted 07 August 2008 - 12:57 AM

Hi

I'm currently doing some more reading into this, which I'll explain later, meanwhile can you please remove DMSKSSRh in Windows Device Manager then run another Registry Search for DMSKSSRh and post the results.

Thanks

#12 DeLuk


Posted 07 August 2008 - 02:31 PM

Hi Vino Rosso, and thank you one time again, for your efforts and willingness. :)

Ok, I've done as instructed and removed DMSKSSRh in Windows Device Manager (right-clicked DMSKSSRh and chose uninstall). (Previously I created a new System Restore Point to have as a backup just in case.) There was a prompt to confirm the removal of the device from the system. Then there was a prompt to reboot. Removal ok. Reboot ok.

Next then I'm pasting the log from the new RegSearch for dmskssrh as requested:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 07-08-2008 18:51:00 for strings:
; 'dmskssrh'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]
; Contents of value:
; \??\C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH\0000]
"Service"="DMSKSSRh"
"DeviceDesc"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DMSKSSRh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DMSKSSRh]
; Contents of value:
; \??\C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DMSKSSRh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh]
; Contents of value:
; \??\C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh]
; Contents of value:
; \??\C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh\Security]

; End Of The Log...



If my cross-checking is right, then it seems these were the keys that got removed along the way:

----------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH\0000]
"Service"="DMSKSSRh"
"DeviceDesc"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH\0000\LogConf]


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH\0000]
"Service"="DMSKSSRh"
"DeviceDesc"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh\Enum]
"0"="Root\\LEGACY_DMSKSSRH\\0000"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH\0000]
"Service"="DMSKSSRh"
"DeviceDesc"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh\Enum]
"0"="Root\\LEGACY_DMSKSSRH\\0000"

----------

i.e.

From [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH]

all sub-keys are gone;

From [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH]

all sub-keys are gone;

From [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh]

following sub-key \Enum is gone:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh\Enum]

From [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH]

all sub-keys are gone;

From [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh]

following sub-key \Enum is gone:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh\Enum]

----------

Hmm, in my humble ignorance, by now I can't help finding it somewhat intriguing, and wonder why the sub-keys from [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH] in ControlSet003 weren't removed along with them, as they were respectively in ControlSet001 and ControlSet004 and CurrentControlSet... Curious or?... :thumbsup:

Well, I stand-by, for further instructions, if any.

And thank YOU once more. :)


P.S. For the sake of it I also ran new scans with both DSS and AutoRuns and the respective lines referring to DMSKSSRh are obviously still there (since the respective \CurrentControlSet\Services sub-key in the registry which relates to DMSKSSRh and points to DMSKSSRh.sys is still there too, correct?)...

DSS:
S3 DMSKSSRh - c:\docume~1\q\defini~1\temp\dmskssrh.sys (file missing)

AutoRuns:
HKLM\System\CurrentControlSet\Services
+ DMSKSSRh File not found: C:\DOCUME~1\q\DEFINI~1\Temp\DMSKSSRh.sys


#13 Vino Rosso


Posted 07 August 2008 - 04:32 PM

Hi

OK, let's take the simplest option first and see how we get on.

1 - Back up the Registry
Please run a backup with ERUNT.

Note: Please do NOT continue until the above step has been completed.

2 - Registry Fix
Open Notepad, it must be Notepad not Wordpad.
Drag your mouse over the content of the quote box below to highlight all the text
Copy (Ctrl+C) and Paste (Ctrl+V) everything from the Quote box below into Notepad

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DMSKSSRh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh]


Note: In Notepad, there must be NO blank lines before the word 'REGEDIT4' and there MUST be one blank line at the end of all the lines. To do this, place the cursor at the end of the last line of text and press Return/Enter on the keyboard.

In Notepad, go to File > Save
Name the file "Fix2.reg" (including the quotes)
Save the file to your desktop.
Close Notepad
Right-click on Fix2.reg on your Desktop and select Merge
OK any warnings then re-boot your computer.

Now please run another scan with Bobbi Flekman's RegSearch and post the results.
I suspect the Legacy keys will still be there.

Vino

#14 DeLuk


Posted 08 August 2008 - 10:20 AM

Hi again Vino Rosso, and thanks for new reply. :)

Just a little doubt here regarding this new reg fix. I notice the following appears twice in it:

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]

Would you just please confirm, whether that is a typo, or is it indeed really meant to be so, or? Since it's editing the registry that's involved, just wanted to make double sure, before proceeding. :thumbsup:

Thank you again.

#15 Vino Rosso


Posted 08 August 2008 - 10:38 AM

Yes, a duplication on my part... or an echo :thumbsup: Obviously the key can't be removed twice so it wouldn't have been a problem.

The fix should be:

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_DMSKSSRH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\DMSKSSRh]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_DMSKSSRH]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\DMSKSSRh]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_DMSKSSRH]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DMSKSSRh]

There are some more steps to take if the legacy keys remain.
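As an added example (not code from the thread or from either poster), the following Python script does by hand what the posts above walk through: it reads a RegSearch/.reg export like the ones DeLuk pasted, decodes the hex(2) ImagePath back into the driver path, flags service keys whose file no longer exists, pairs each with its Enum\Root\LEGACY_ key, and writes the REGEDIT4 deletion file with the layout rules Vino Rosso gives (REGEDIT4 on the very first line, a blank line at the end, no duplicated keys). The export text, the GoodDrv service and the set of present files are constructed; the file-presence check is injected so the script runs offline.

```python
"""Parse a .reg / RegSearch export, decode hex(2) ImagePath values, flag services
whose driver file no longer exists and emit a REGEDIT4 deletion fix for them.
Added example for this thread; not a tool used or posted in it."""
import os
import re

# Constructed export in the shape of the posted RegSearch log: the DMSKSSRh keys
# and hex bytes are copied from the thread, the GoodDrv service is hypothetical.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_DMSKSSRH]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DMSKSSRh]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00,44,00,4f,00,43,00,\
55,00,4d,00,45,00,7e,00,31,00,5c,00,71,00,5c,00,44,00,45,00,46,00,49,00,4e,\
00,49,00,7e,00,31,00,5c,00,54,00,65,00,6d,00,70,00,5c,00,44,00,4d,00,53,00,\
4b,00,53,00,53,00,52,00,68,00,2e,00,73,00,79,00,73,00,00,00
"DisplayName"="DMSKSSRh"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GoodDrv]
"ImagePath"="system32\\DRIVERS\\gooddrv.sys"
"""
# Driver files assumed present on the machine under review (constructed).
PRESENT_FILES = {r"C:\WINDOWS\system32\DRIVERS\gooddrv.sys"}


def parse_reg_export(text):
    """Return {key: {value_name: raw_data}}, re-joining values wrapped with a trailing '\\'."""
    text = re.sub(r"\\\r?\n\s*", "", text)        # undo the hex(...) line wrapping
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            keys[current][name.strip('"')] = data
    return keys


def decode_reg_value(data):
    """Decode quoted REG_SZ text, or hex(1)/hex(2) UTF-16LE bytes ending in a NUL."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    m = re.match(r"hex\(([12])\):(.*)$", data)
    if not m:
        raise ValueError("unsupported value type: " + data[:12])
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def image_path_to_win32(image_path, system_root="C:\\WINDOWS"):
    """Strip the NT '\\??\\' prefix; root a relative path (system32\\...) under system_root."""
    path = image_path[4:] if image_path.startswith("\\??\\") else image_path
    if not re.match(r"[A-Za-z]:\\", path):
        path = system_root + "\\" + path
    return path


def find_orphaned_services(keys, file_exists=os.path.exists):
    """Map each Services\\<name> key whose ImagePath file is missing to that path."""
    orphans = {}
    for key, values in keys.items():
        if "ImagePath" in values and "\\services\\" in key.lower():
            path = image_path_to_win32(decode_reg_value(values["ImagePath"]))
            if not file_exists(path):             # injectable for offline review
                orphans[key] = path
    return orphans


def legacy_enum_key(service_key):  # the Enum\Root\LEGACY_<NAME> key beside a legacy driver
    control_set, name = re.split(r"\\Services\\", service_key, maxsplit=1, flags=re.IGNORECASE)
    return control_set + "\\Enum\\Root\\LEGACY_" + name.upper()


def build_reg_fix(keys_to_delete):
    """REGEDIT4 text as the thread requires: 'REGEDIT4' first, one '[-key]' per key, each
    followed by a blank line; repeats (the 'echo' in post #14) and subkeys of a parent go."""
    chosen = []
    for key in sorted(set(keys_to_delete), key=lambda k: (k.count("\\"), k.lower())):
        low = key.lower()
        if not any(low == c.lower() or low.startswith(c.lower() + "\\") for c in chosen):
            chosen.append(key)
    return "REGEDIT4\n\n" + "".join("[-%s]\n\n" % key for key in chosen)


def build_fix_for_export(export_text, file_exists=os.path.exists):
    """Parse the export, pair each orphaned service with its exported LEGACY key, emit fix."""
    keys = parse_reg_export(export_text)
    exported = {k.lower() for k in keys}
    targets = []
    for service in find_orphaned_services(keys, file_exists):
        legacy = legacy_enum_key(service)
        targets += [service] + ([legacy] if legacy.lower() in exported else [])
    return build_reg_fix(targets)
```

Running `build_fix_for_export(SAMPLE_EXPORT, lambda p: p in PRESENT_FILES)` yields a two-key fix for DMSKSSRh only, since GoodDrv's file is present; merging any such file still belongs behind an ERUNT backup, as post #13 says.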
