Banker Trojan


36 replies to this topic

#1 DeLuk


  • Members
  • 228 posts
  • Gender:Not Telling
  • Location:Portugal

Posted 28 July 2008 - 01:48 PM

Greetings to the forum once more. :)

My brother just brought me his girlfriend's laptop to check what's with an item Avast had picked. From the printscreen they had made, I could see that it was something found in System Restore, and which apparently had been cleaned already anyway, as a new scan confirmed. I was to find the laptop infected with yet something else though, as I went to check the firewall's traffic log, to see whether there happened to be anything suspicious, and indeed there seemed to be some "fishy" traffic. The following files had all connected to 02b4714.netsolhost.com [205.178.145.65] on port 80 (in the following order of connection time):

Abrir29384[1].scr (11.776 bytes, located in a Temporary Internet Files subfolder / 2 outgoing connection attempts, first allowed, second blocked)
Abrir29384.scr (11.776 bytes, by then in the Recycle Bin, but originally located in a user-created subfolder within My Documents / 2 outgoing connection attempts, first allowed, second blocked)
C:\WINDOWS\system.exe (370.176 bytes / only 1 outgoing connection, allowed)

At this point I could only wonder what one wants a firewall for if one is to allow everything, including suspicious traffic? :thumbsup:

No further connections to (or from) that host after those attempts.

All this traffic had occurred on July 14th, at around 9:00. (In between, at around the same time that day, there are also a couple of outgoing connections to this odd host, goam.es.kr [125.248.146.90]; the associated application is Avast's AshWebSv. No idea whether this should be taken as "fishy" too, or as related at all, hmm...) As well, those 3 files had a creation/modification date and time of also July 14th at around 9:00. Thus, as per usual, the first step I took was a search for any other files with about the same creation/modification date and time, for reference. And there were actually a couple more (in the following order of creation time):

C:\Progresso.exe (1.634.831 bytes)
C:\WINDOWS\system32\GbpDist.dll (2.855.424 bytes)
C:\WINDOWS\system32\gbpservice.exe (41.472 bytes)
C:\Wininet (0 bytes)

Additionally, the file gbpservice.exe had the following properties info:

Description: Generic Host Process for Win32 Services
Company: Microsoft Corporation
Language: Portuguese (Brazil)
File version: 1.0.0.0
Product version: 1.0.0.0

At once I submitted all files for analysis at both VirusTotal and Jotti. I'm pasting below the results (as of July 17th) for reference:

File Abrir29384.scr

AntiVir 7.8.0.68 2008.07.17 TR/Crypt.CFI.Gen
Authentium 5.1.0.4 2008.07.16 W32/Heuristic-217!Eldorado
BitDefender 7.2 2008.07.17 Generic.Malware.dld!.B99B6A65
eSafe 7.0.17.0 2008.07.17 Suspicious File
F-Prot 4.4.4.56 2008.07.16 W32/Heuristic-217!Eldorado
F-Secure 7.60.13501.0 2008.07.17 Suspicious:W32/Malware!Gemini
Ikarus T3.1.1.34.0 2008.07.17 Win32.SuspectCrc
Kaspersky 7.0.0.125 2008.07.17 Heur.Trojan.Generic
Microsoft 1.3704 2008.07.17 TrojanDownloader:Win32/Small.gen!B
Norman 5.80.02 2008.07.17 W32/Smalltroj.FLRZ
Panda 9.0.0.4 2008.07.16 Suspicious file
Sophos 4.31.0 2008.07.17 Mal/Behav-103
TrendMicro 8.700.0.1004 2008.07.17 PAK_Generic.001
Webwasher-Gateway 6.6.2 2008.07.17 Trojan.Crypt.CFI.Gen

File size: 11776 bytes

packers (Kaspersky): PE_Patch.UPX, UPX
packers (Authentium): UPX
packers (F-Prot): UPX

http://www.virustotal.com/analisis/a90de26...b634ea533e593d2

----------

File system.exe

Authentium 5.1.0.4 2008.07.16 W32/Banload.E.gen!Eldorado
BitDefender 7.2 2008.07.17 Trojan.Crypt.Delf.X
F-Prot 4.4.4.56 2008.07.16 W32/Banload.E.gen!Eldorado
F-Secure 7.60.13501.0 2008.07.17 W32/Downloader
Ikarus T3.1.1.34.0 2008.07.17 Trojan-Downloader.Win32.Banload.atl
Kaspersky 7.0.0.125 2008.07.17 Heur.Trojan.Generic
Microsoft 1.3704 2008.07.17 TrojanDownloader:Win32/Banload.gen!B
NOD32v2 3276 2008.07.17 probably unknown NewHeur_PE virus
Norman 5.80.02 2008.07.17 W32/Downloader
Panda 9.0.0.4 2008.07.16 Suspicious file
Symantec 10 2008.07.17 Downloader.Bancos!gen

File size: 370176 bytes

Norman Sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 370176 bytes.

[ Changes to filesystem ]
* Creates file C:\Progresso.exe.

[ Changes to registry ]
* Accesses Registry key "HKCU\Software\Borland\Locales".
* Accesses Registry key "HKLM\Software\Borland\Locales".
* Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".
* Creates key "HKLM\System\CurrentControlSet\Services\gbpdist".
* Sets value "DisplayName"="gbpdist" in key "HKLM\System\CurrentControlSet\Services\gbpdist".
* Sets value "ErrorControl"="" in key "HKLM\System\CurrentControlSet\Services\gbpdist".
* Sets value "ImagePath"=""C:\WINDOWS\system32\gbpservice.exe"" in key "HKLM\System\CurrentControlSet\Services\gbpdist".
* Sets value "ObjectName"="LocalSystem" in key "HKLM\System\CurrentControlSet\Services\gbpdist".
* Sets value "Start"="" in key "HKLM\System\CurrentControlSet\Services\gbpdist".
* Sets value "Type"="" in key "HKLM\System\CurrentControlSet\Services\gbpdist".
* Creates key "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}".
* Creates key "HKCR\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}\InProcServer32".
* Sets value ""="C:\WINDOWS\system32\GbpDist.dll" in key "HKCR\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}\InProcServer32".
* Sets value "ThreadingModel"="Apartment" in key "HKCR\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}\InProcServer32".

[ Network services ]
* Downloads file from 02b4714.netsolhost.com/Uploads/i.jpg as C:\Progresso.exe.
* Connects to "02b4714.netsolhost.com" on port 80 (TCP).
* Opens URL: 02b4714.netsolhost.com/Uploads/i.jpg.

[ Security issues ]
* Starting downloaded file - potential security problem.

[ Process/window information ]
* Creates an event called .
* Creates a mutex Loading.

http://www.virustotal.com/analisis/28ea54e...e5c663902ab058c

Latest analysis (20-07): http://www.virustotal.com/analisis/9822393...4b4f1543df9dbe4

----------

File GbpDist.dll

BitDefender 7.2 2008.07.17 Trojan.Crypt.Delf.X
Panda 9.0.0.4 2008.07.16 Suspicious file
VBA32 3.12.8.0 2008.07.17 suspected of Malware.Delf.103 (paranoid heuristics)

File size: 2855424 bytes

http://www.virustotal.com/analisis/4783cf2...6a250b9337d03ac

Latest analysis (20-07): http://www.virustotal.com/analisis/d9bb113...8e974e0ec0e9112

----------

File gbpservice.exe

AntiVir 7.8.0.68 2008.07.17 HEUR/Crypted
Authentium 5.1.0.4 2008.07.16 W32/Heuristic-VFM!Eldorado
F-Prot 4.4.4.56 2008.07.16 W32/Heuristic-VFM!Eldorado
F-Secure 7.60.13501.0 2008.07.17 Suspicious:W32/Malware!Gemini
Webwasher-Gateway 6.6.2 2008.07.17 Heuristic.Crypted

File size: 41472 bytes

http://www.virustotal.com/analisis/6a75026...ae4add3f012c395

Latest analysis (25-07): http://www.virustotal.com/analisis/d06236e...8fbce867cbb2ff7

----------

File Progresso.exe

AntiVir 7.8.0.68 2008.07.17 HEUR/Crypted
Authentium 5.1.0.4 2008.07.16 W32/Heuristic-VFM!Eldorado
BitDefender 7.2 2008.07.17 Trojan.Crypt.Delf.X
F-Prot 4.4.4.56 2008.07.16 W32/Heuristic-VFM!Eldorado
Norman 5.80.02 2008.07.17 Malware.DGHE
VBA32 3.12.8.0 2008.07.17 suspected of Malware.Delf.103 (paranoid heuristics)
Webwasher-Gateway 6.6.2 2008.07.17 Heuristic.Crypted

File size: 1634831 bytes

packers (F-Prot): RAR
packers (Authentium): RAR

http://www.virustotal.com/analisis/981e16e...0762a0ed11d21b1

Latest analysis (24-07): http://www.virustotal.com/analisis/97dbdca...70fc7c5ead5873d


From Deckard's System Scanner logs I could see there was a BHO relating to GbpDist.dll:

O2 - BHO: (no name) - {d9ad1747-7b19-4dea-bc02-0ab12c4fc468} - C:\WINDOWS\system32\GbpDist.dll

As well as a service relating to gbpservice.exe too:

S2 gbpdist - "c:\windows\system32\gbpservice.exe" <Not Verified; Microsoft Corporation; >

Checking via services.msc, this gbpdist service was set to automatic, yet it would never start. Apparently it failed to start every time, as I could confirm from the error in the System Event Viewer and as DSS also reports it:

Event Record #/Type16856 / Error
Event ID/Source: 7000 / Service Control Manager
Event Description:
The service gbpdist failed to start due to the following error:
The service did not respond on due time to the start or control request.

Event Record #/Type16855 / Error
Event ID/Source: 7009 / Service Control Manager
Event Description:
Waiting time ran out (30000 miliseconds) standing by for the start of the service gbpdist.


(Perhaps something "went wrong" in completing the infection, which caused the service to be unable to start after all?...)

On SpywareGuard's log there was also reference to that GbpDist.dll related BHO:

NEW BHO DETECTION ALERT
On 19:04:33 07-15-2008 a new BHO installation attempt was detected.
BHO: {d9ad1747-7b19-4dea-bc02-0ab12c4fc468}
ProgramID: n/a
File Location: C:\WINDOWS\system32\GbpDist.dll
User Action Taken: KEEP BHO


The user's choice had been to keep the BHO! Again I can only wonder what one wants such protective/preventive programs for if one is to let everything pass? :)

Norman Sandbox analysis of the file GbpDist.dll also reports that it connects to maikizin.iespana.es:

[ General information ]
* File length: 2855424 bytes.
* MD5 hash: 6d7d0b26389b117fc74618142f88a98d.

[ Changes to filesystem ]
* Creates file C:\Wininet.

[ Changes to registry ]
* Accesses Registry key "HKCU\Software\Borland\Locales".
* Accesses Registry key "HKLM\Software\Borland\Locales".
* Accesses Registry key "HKCU\Software\Borland\Delphi\Locales".

[ Network services ]
* Connects to "maikizin.iespana.es" on port 80 (IP).

[ Process/window information ]
* Creates an event called .


And indeed, checking the firewall's log, there is also outgoing traffic (the associated application is Avast's AshWebSv) to maikizin.iespana.es [82.196.5.226] on port 80. Two times: one on the 14th, about an hour after the infection occurred (and curiously about a minute after the file C:\Wininet was created), and the other on the 17th, a few minutes after I connected the laptop to the internet in order to analyse the malware files at VirusTotal and Jotti etc. (certainly at a moment I had opened IE for some reason, as I can also confirm from the firewall's log; otherwise I always used and use Firefox anyway, which I'd suppose leaves no chance for action by that BHO related to GbpDist.dll). No further connections to (or from) that host, other than those two times.

I also did a RegSearch for the strings gbpdist + gbpservice + the BHO id d9ad1747-7b19-4dea-bc02-0ab12c4fc468, which returned as follows:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 18-07-2008 10:46:01 for strings:
; 'd9ad1747-7b19-4dea-bc02-0ab12c4fc468'
; 'gbpdist'
; 'gbpservice'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}\InProcServer32]
@="C:\\WINDOWS\\system32\\GbpDist.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPDIST]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPDIST\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPDIST\0000]
"Service"="gbpdist"
"DeviceDesc"="gbpdist"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gbpdist]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gbpdist]
"DisplayName"="gbpdist"
; Contents of value:
; "C:\WINDOWS\system32\gbpservice.exe"
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,67,00,62,\
00,70,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,2e,00,65,00,78,00,65,00,\
22,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gbpdist\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\gbpdist\Enum]
"0"="Root\\LEGACY_GBPDIST\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GBPDIST]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GBPDIST\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GBPDIST\0000]
"Service"="gbpdist"
"DeviceDesc"="gbpdist"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gbpdist]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\gbpdist]
"DisplayName"="gbpdist"
; Contents of value:
; "C:\WINDOWS\system32\gbpservice.exe"
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,67,00,62,\
00,70,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,2e,00,65,00,78,00,65,00,\
22,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPDIST]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPDIST\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPDIST\0000]
"Service"="gbpdist"
"DeviceDesc"="gbpdist"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gbpdist]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gbpdist]
"DisplayName"="gbpdist"
; Contents of value:
; "C:\WINDOWS\system32\gbpservice.exe"
"ImagePath"=hex(2):22,00,43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,\
53,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,67,00,62,\
00,70,00,73,00,65,00,72,00,76,00,69,00,63,00,65,00,2e,00,65,00,78,00,65,00,\
22,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gbpdist\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gbpdist\Enum]
"0"="Root\\LEGACY_GBPDIST\\0000"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D9AD1747-7B19-4DEA-BC02-0AB12C4FC468}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D9AD1747-7B19-4DEA-BC02-0AB12C4FC468}\iexplore]

; End Of The Log...


Relating to the BHO there was also the following key, which I exported (and which Norman Sandbox also reported):

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}]

[HKEY_CLASSES_ROOT\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}\InProcServer32]
@="C:\\WINDOWS\\system32\\GbpDist.dll"
"ThreadingModel"="Apartment"


After doing a preliminary scan with DSS, for reference, I moved on to cleaning the malware. I cleaned all temp files and, in addition to Avast, also ran SUPERAntiSpyware + AVG Anti-Spyware + Spybot S&D + Ad-Aware SE, all of which reported nothing found. I had also installed Malwarebytes' Anti-Malware and ran the quick scan, followed by Kaspersky Online Scan, both of which reported nothing found either. All in all, since at this point not many of the scanners at VirusTotal and Jotti identified these malware files yet, I held on a couple of days more, to see if more scanners would pick them up later on, and then proceed with more of the cleaning. And indeed, by the 20th, both Avast and MBAM picked up something more of the infection, respectively:

Avast:
C:\WINDOWS\system.exe >>> Win32:Trojan-gen {Other}

MBAM:
C:\WINDOWS\system32\GbpDist.dll (Trojan.BHO)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468} (Trojan.BHO)
HKEY_CLASSES_ROOT\CLSID\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468} (Trojan.BHO)


All items were successfully quarantined by the respective scanners.

At this point, the BHO was gone from IE's add-ons list. The gbpdist service was still present, however.

Then again, since, according to the report from VirusTotal by then, the remaining files, Progresso.exe and gbpservice.exe, were due to be picked up by BitDefender and F-Secure respectively, I ran the online scan of each of them. No great luck, however. F-Secure did not pick up gbpservice.exe after all, and BitDefender failed to disinfect/remove Progresso.exe. (None of the scanners reported anything else either.) I held on a couple of days more then, and luckily again, by the 24th, Avast now picked up C:\Progresso.exe\GbpDist.dll as Win32:Trojan-gen {Other}. The item was successfully quarantined. (I did wonder, though, if the file that Avast picked up inside C:\Progresso.exe\ was GbpDist.dll, how come then MBAM didn't/won't pick that up too, when it originally picked up the file GbpDist.dll which was in C:\WINDOWS\system32\?...)

At this point I was rather intrigued about the file C:\Progresso.exe (I had thought it would be gone after Avast had quarantined that item) and re-submitted it for analysis at VirusTotal and Jotti. And indeed it was still being reported as malware by some of the scanners (latest VirusTotal report as of July 25th). I checked the properties of the RAR SFX archive and it did say it still included 1 file. Checking the comment tab there was also the comment as follows:

;The comment below contains SFX sequence command

Path=C:\Windows\System32\
SavePath
Silent=1
Overwrite=1


I checked the properties of the original file C:\Progresso.exe (which I had saved in a password protected zip, along with all the other malware files, if required later for any further analysis) and the same comment was there and that RAR SFX archive did originally indeed include 2 files (one of them was GbpDist.dll as Avast had just picked and the other was gbpservice.exe as I was later to find out).

(As at this point the detection of gbpservice.exe at VirusTotal and Jotti also pretty much matched that of C:\Progresso.exe, and both were due to be picked up by Avira AntiVir, by then I was considering temporarily uninstalling Avast and installing Avira AntiVir, just in order to have both those remaining files cleaned. I thought I'd hold on a couple of days more though...)

And luckily again, just the next day, the 25th, Avast now picked up both of the following files:

C:\WINDOWS\system32\gbpservice.exe >>> Win32:Trojan-gen {Other}
C:\Progresso.exe\gbpservice.exe >>> Win32:Trojan-gen {Other}

Both items were successfully quarantined.

Service gbpdist is no longer present.

So, at this point, the only (?) infection-related files remaining are C:\Progresso.exe (RAR SFX archive, now supposedly empty, 106.509 bytes, including 0 files, and clean according to the latest analysis at VirusTotal and Jotti) and C:\Wininet (0 bytes file).

Following this, I re-ran all the scanners I had run previously (Avast + SUPERAntiSpyware + AVG Anti-Spyware + Spybot S&D + Ad-Aware SE + MBAM + Kaspersky Online Scanner), and all came up clean now.

Actually only MBAM reports 3 items, which in fact it has done since the first run, but as these are not related to this current infection, I always chose to take no action on them. I wonder if I should anyway, though? The items are:

HKEY_CLASSES_ROOT\oberontb.band (Adware.Gamesbar)
HKEY_CLASSES_ROOT\oberontb.band.1 (Adware.Gamesbar)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch)


(I think those oberon items relate to some online games or games toolbar which the owner of the laptop has or had installed, not sure, so I'm not too sure either whether I should "mess" with those, as perhaps they're wanted anyway?... There is actually a GamesBar folder within %ProgramFiles%, which includes an .exe file named OBGet from Oberon... Or perhaps this is just some leftover from something that's been uninstalled by now, and should actually be removed as well, hmm?... Then again, as for that WMP related item, no idea about that one?...)

I also did a new RegSearch for gbpdist + gbpservice + the BHO id d9ad1747-7b19-4dea-bc02-0ab12c4fc468, which now returns as follows:

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 25-07-2008 19:32:39 for strings:
; 'd9ad1747-7b19-4dea-bc02-0ab12c4fc468'
; 'gbpdist'
; 'gbpservice'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPDIST]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPDIST\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GBPDIST\0000]
"Service"="gbpdist"
"DeviceDesc"="gbpdist"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GBPDIST]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GBPDIST\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_GBPDIST\0000]
"Service"="gbpdist"
"DeviceDesc"="gbpdist"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPDIST]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPDIST\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GBPDIST\0000]
"Service"="gbpdist"
"DeviceDesc"="gbpdist"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D9AD1747-7B19-4DEA-BC02-0AB12C4FC468}]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D9AD1747-7B19-4DEA-BC02-0AB12C4FC468}\iexplore]

; End Of The Log...


I wonder whether any of these keys/values should still be due for removal/fix, or?...

I'm including next the DSS logs for your analysis (both the preliminary pre-clean one and the final after-clean one, for your reference) and would greatly appreciate it if you'd please advise whether any additional scanner/clean tool needs to be run or anything further needs to be fixed?... I'll paste the main logs and attach the extra ones (to avoid the post becoming even longer), hope that's ok?...


----------


DSS main report - pre-clean

Deckard's System Scanner v20071014.68
Run by SONIA on 2008-07-17 20:07:58
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 5 Restore Point(s) --
27: 2008-07-17 10:52:57 UTC - RP89 - Deckard's System Scanner Restore Point
26: 2008-07-17 10:02:24 UTC - RP88 - Ponto de verificação do sistema
25: 2008-07-13 10:58:30 UTC - RP87 - Software Distribution Service 3.0
24: 2008-07-09 18:25:01 UTC - RP86 - Software Distribution Service 3.0
23: 2008-07-04 20:00:39 UTC - RP85 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-08 12:19:25 UTC - RP63 - Instalado Windows Live installer


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as SONIA.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:08:59, on 17-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\SONIA\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SONIA.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by SAPO
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {d9ad1747-7b19-4dea-bc02-0ab12c4fc468} - C:\WINDOWS\system32\GbpDist.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9416 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080131-195310-755 O4 - HKLM\..\Run: [PelSetupRun] E:\setup.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 s24trans (Transporte WLAN) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 wceusbsh (Windows CE USB Serial Host Driver) - c:\windows\system32\drivers\wceusbsh.sys <Not Verified; Microsoft Corporation; Windows CE USB Serial Host Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>

S2 gbpdist - "c:\windows\system32\gbpservice.exe" <Not Verified; Microsoft Corporation; >
S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Motorola SM56 Data Fax Modem
Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_104310C6&REV_1007\4&22A96E28&0&0101
Manufacturer: Motorola Inc
Name: Motorola SM56 Data Fax Modem
PNP Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_104310C6&REV_1007\4&22A96E28&0&0101
Service: Modem


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 908)
2007-04-19 12:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 2032)
2007-11-14 17:31:54 339968 --a------ C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll <Not Verified; Sun Microsystems, Inc.; >
2007-11-14 11:33:48 98304 --a------ C:\Program Files\OpenOffice.org 2.3\program\uwinapi.dll <Not Verified; Sun Microsystems, Inc.; >
2007-11-14 11:30:22 577536 --a------ C:\Program Files\OpenOffice.org 2.3\program\stlport_vc7145.dll <Not Verified; STLport Consulting, Inc.; STLport Standard ANSI C++ Libarary>
2001-12-05 05:00:00 68096 --a------ C:\Program Files\Internet Explorer\MUI\0816\BROWSELC.DLL <Not Verified; Microsoft Corporation; Sistema operativo Microsoft® Windows®>
2008-07-13 00:02:52 2855424 --a------ C:\WINDOWS\system32\GbpDist.dll


-- Files created between 2008-06-17 and 2008-07-17 -----------------------------

2008-07-17 19:56:28 0 dr-h----- C:\Documents and Settings\SONIA\Recent
2008-07-17 19:48:13 0 d-------- C:\Documents and Settings\SONIA\Application Data\Malwarebytes
2008-07-17 19:48:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 19:48:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 11:43:40 1959 --a------ C:\WINDOWS\contact
2008-07-14 10:28:14 0 --a------ C:\Wininet
2008-07-14 09:19:56 41472 --a------ C:\WINDOWS\system32\gbpservice.exe <Not Verified; Microsoft Corporation; >
2008-07-14 09:19:56 2855424 --a------ C:\WINDOWS\system32\GbpDist.dll
2008-07-14 09:12:33 1634831 --a------ C:\Progresso.exe
2008-07-14 09:10:28 370176 --a------ C:\WINDOWS\system.exe
2008-07-09 18:09:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2008-07-02 13:02:03 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-07-02 12:57:05 0 d-------- C:\WINDOWS\network diagnostic
2008-07-02 11:14:34 0 d-------- C:\Program Files\Atrativa Games


-- Find3M Report ---------------------------------------------------------------

2008-06-08 13:20:00 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-06 00:41:02 0 d-------- C:\Program Files\Cake Mania 2
2008-06-04 18:59:54 0 d-------- C:\Documents and Settings\SONIA\Application Data\Ludia
2008-06-04 14:20:10 0 d-------- C:\Documents and Settings\SONIA\Application Data\MysteryStudio
2008-05-29 14:23:12 0 d-------- C:\Program Files\Sygate
2008-05-25 21:03:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-01 14:40:20 72967 --a------ C:\WINDOWS\OptionPluss_PCCardInstallerUninstall.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}]
13-07-2008 00:02 2855424 --a------ C:\WINDOWS\system32\GbpDist.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [22-02-2006 21:40]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [21-11-2005 08:51]
"nwiz"="nwiz.exe" [21-11-2005 08:51 C:\WINDOWS\system32\nwiz.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [05-08-2005 13:56]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [02-11-2004 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09-07-2001 11:50]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [07-01-2005 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [06-09-2005 05:39 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [20-10-2005 23:26]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [17-10-2005 17:09]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [14-04-2006 11:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [14-04-2006 11:52]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [14-04-2006 11:56]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [06-03-2006 17:13]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [21-02-2006 15:20]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [02-01-2006 19:14]
"SMSERIAL"="sm56hlpr.exe" [26-05-2005 16:12 C:\WINDOWS\sm56hlpr.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [16-02-2007 10:54]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [22-01-2006 17:45]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [07-02-2006 05:10]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02-02-2006 08:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25-09-2007 01:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11-01-2008 22:16]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [20-07-2005 17:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [16-03-2006 02:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [17-06-2007 15:06]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [13-11-2006 15:25]

C:\Documents and Settings\SONIA\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29-08-2003 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe [14-11-2006 20:27:37]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13-02-2001 11:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [17-07-2008 19:09 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca0-1879-11dd-aff9-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca1-1879-11dd-aff9-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ab0245e-1a8e-11dd-affd-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ccbecc-1877-11dd-aff8-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba76-1873-11dd-aff7-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba77-1873-11dd-aff7-0018de978965}]
AutoRun\command- F:\AutoRun.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net

18188 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-17 20:09:43 ------------


----------


DSS main report - current

Deckard's System Scanner v20071014.68
Run by SONIA on 2008-07-25 19:39:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
29: 2008-07-25 18:39:09 UTC - RP91 - Deckard's System Scanner Restore Point
28: 2008-07-25 11:55:30 UTC - RP90 - Ponto de verificação do sistema
27: 2008-07-17 10:52:57 UTC - RP89 - Deckard's System Scanner Restore Point
26: 2008-07-17 10:02:24 UTC - RP88 - Ponto de verificação do sistema
25: 2008-07-13 10:58:30 UTC - RP87 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-06-08 12:19:25 UTC - RP63 - Instalado Windows Live installer


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as SONIA.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:40:17, on 25-07-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\SONIA\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SONIA.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by SAPO
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9958 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080131-195310-755 O4 - HKLM\..\Run: [PelSetupRun] E:\setup.exe

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 s24trans (Transporte WLAN) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 wceusbsh (Windows CE USB Serial Host Driver) - c:\windows\system32\drivers\wceusbsh.sys <Not Verified; Microsoft Corporation; Windows CE USB Serial Host Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>

S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Motorola SM56 Data Fax Modem
Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_104310C6&REV_1007\4&22A96E28&0&0101
Manufacturer: Motorola Inc
Name: Motorola SM56 Data Fax Modem
PNP Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_104310C6&REV_1007\4&22A96E28&0&0101
Service: Modem


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 908)
2007-04-19 12:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 580)
2007-11-14 17:31:54 339968 --a------ C:\Program Files\OpenOffice.org 2.3\program\shlxthdl.dll <Not Verified; Sun Microsystems, Inc.; >
2007-11-14 11:33:48 98304 --a------ C:\Program Files\OpenOffice.org 2.3\program\uwinapi.dll <Not Verified; Sun Microsystems, Inc.; >
2007-11-14 11:30:22 577536 --a------ C:\Program Files\OpenOffice.org 2.3\program\stlport_vc7145.dll <Not Verified; STLport Consulting, Inc.; STLport Standard ANSI C++ Libarary>
2001-12-05 05:00:00 68096 --a------ C:\Program Files\Internet Explorer\MUI\0816\BROWSELC.DLL <Not Verified; Microsoft Corporation; Sistema operativo Microsoft® Windows®>


-- Files created between 2008-06-25 and 2008-07-25 -----------------------------

2008-07-25 19:33:58 0 dr-h----- C:\Documents and Settings\SONIA\Recent
2008-07-20 19:59:28 0 d-------- C:\fsaua.data
2008-07-20 18:07:40 0 d-------- C:\WINDOWS\BDOSCAN8
2008-07-18 10:43:32 0 d-------- C:\RegSearch
2008-07-17 19:48:13 0 d-------- C:\Documents and Settings\SONIA\Application Data\Malwarebytes
2008-07-17 19:48:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 19:48:10 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 11:43:40 1959 --a------ C:\WINDOWS\contact
2008-07-14 10:28:14 0 --a------ C:\Wininet
2008-07-14 09:12:33 106509 --a------ C:\Progresso.exe
2008-07-09 18:09:24 0 d-------- C:\Documents and Settings\LocalService\Application Data\Help
2008-07-02 13:02:03 0 d--h----- C:\WINDOWS\msdownld.tmp
2008-07-02 12:57:05 0 d-------- C:\WINDOWS\network diagnostic
2008-07-02 11:14:34 0 d-------- C:\Program Files\Atrativa Games


-- Find3M Report ---------------------------------------------------------------

2008-06-08 13:20:00 0 d--hs---- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-06 00:41:02 0 d-------- C:\Program Files\Cake Mania 2
2008-06-04 18:59:54 0 d-------- C:\Documents and Settings\SONIA\Application Data\Ludia
2008-06-04 14:20:10 0 d-------- C:\Documents and Settings\SONIA\Application Data\MysteryStudio
2008-05-29 14:23:12 0 d-------- C:\Program Files\Sygate
2008-05-25 21:03:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-01 14:40:20 72967 --a------ C:\WINDOWS\OptionPluss_PCCardInstallerUninstall.exe


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [22-02-2006 21:40]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [21-11-2005 08:51]
"nwiz"="nwiz.exe" [21-11-2005 08:51 C:\WINDOWS\system32\nwiz.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [05-08-2005 13:56]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [02-11-2004 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09-07-2001 11:50]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [07-01-2005 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [06-09-2005 05:39 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [20-10-2005 23:26]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [17-10-2005 17:09]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [14-04-2006 11:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [14-04-2006 11:52]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [14-04-2006 11:56]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [06-03-2006 17:13]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [21-02-2006 15:20]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [02-01-2006 19:14]
"SMSERIAL"="sm56hlpr.exe" [26-05-2005 16:12 C:\WINDOWS\sm56hlpr.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [16-05-2008 00:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [16-02-2007 10:54]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [22-01-2006 17:45]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [07-02-2006 05:10]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02-02-2006 08:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25-09-2007 01:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11-01-2008 22:16]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [20-07-2005 17:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [16-03-2006 02:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [17-06-2007 15:06]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [13-11-2006 15:25]

C:\Documents and Settings\SONIA\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29-08-2003 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe [14-11-2006 20:27:37]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13-02-2001 11:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [17-07-2008 19:09 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca0-1879-11dd-aff9-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca1-1879-11dd-aff9-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ab0245e-1a8e-11dd-affd-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ccbecc-1877-11dd-aff8-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba76-1873-11dd-aff7-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba77-1873-11dd-aff7-0018de978965}]
AutoRun\command- F:\AutoRun.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]
127.0.0.1 d.abnad.net

18188 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-07-25 19:41:03 ------------


----------


Just a couple notes yet, regarding both DSS main logs.

Regarding the preliminary pre-clean scan, note that I had already done a scan previous to this one, and curiously the following line isn't included in the "Process Modules" section:

2008-07-13 00:02:52 2855424 --a------ C:\WINDOWS\system32\GbpDist.dll

Also note, when I ran this scan, I did not have the internet connected to the laptop, i.e. the modem cable was disconnected, whereas when I ran that other previous scan, the internet connection was actually on. No idea whether the fact that that line appears in one of the logs and not in the other is just some coincidence, or may actually be related with the fact of the internet being connected or not, don't know?...

On the other hand, regarding the current after-clean scan, I wonder why the "File Associations" section now shows:

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


Once more, thank you so much already, for all further help. :)

P.S. I know some programs on this laptop (such as Java or SpywareBlaster) aren't up-to-date. (I suppose the owner neglects this kind of routine a bit...) I shall be updating them as soon as we're done with all the cleaning from this current infection.

Also, given the fact that the computer has been infected with a banker trojan, at once I urged the owner to reset all passwords with any banking institutions etc, certainly yes!

And yet I do as well apologise for the rather long post, and all the many details included, some even perhaps useless, I don't know, but in any case I thought I'd detail it all the most I could, hoping that it may be of help, who knows, to any other users "googling" for helpful hints in any such similar case as mine... Thank you for your understanding, and again, patience, overall.

Edited by DeLuk, 29 July 2008 - 05:41 AM.




#2 Blender

    I will eat your Malware

  • Malware Response Team
  • Location:Ontario

Posted 08 August 2008 - 03:15 PM

Hi and welcome back :)

Nice detailed explanations you gave.
You're good at this stuff. :thumbsup:

When we get cleaned up I will suggest you reset his firewall so there aren't any programs in the allow list any more that should not have been let out.
Not sure how to do that but there must be a "reset" in it someplace ... otherwise you may want to uninstall/re-install his firewall.
Then you can help him set it up & give him tips and such what to be trusting.
I think they have little understanding what is OK and what is not OK.

-------------------

Since it has been several days since last post -- can I see new dss logs please?
We'll have to run it a bit different this time to get both logs.

Assuming dss.exe is still on desktop...
Click start> run> type:
"%userprofile%\desktop\dss.exe" /config

Hit OK
click "select all"
Hit "scan"
When scan is done -- post both logs please.

You have a flash drive infection on that machine too so don't be using any USB drives if they have been near that laptop.
The flash drives will need cleanup too.
This includes camera, thumb drives, external drives and so on.

And -- if you still have samples of those nasty files... can you upload them here please:

http://www.bleepingcomputer.com/submit-mal....php?channel=20

Don't forget to say who it is from & to gimme the password to the zips.

Thanks :)
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware

#3 DeLuk

  • Topic Starter
  • Members
  • Location:Portugal

Posted 09 August 2008 - 06:06 PM

Well greetings back to Ontario too!

(Goodness, I almost even feel embarrassed, of you remembering this help-seeker... It was sure, though, one looong ride, last time, huh? I mean, 101 posts, uff, that does leave its "scar", doesn't it! And here I am yet again, yea, bro and girlfriend do keep me returning "on a regular basis"... :) Oh and ain't they just the perfect couple! Latest trend seems to be "sync'ed infections": as if not having had enough back at the start of the year, they just repeated the dose now, again getting both laptop and desktop infected simultaneously... *sigh* Hopefully though it ain't as bad a "treat" this time as it was back in January. That login/logoff loop on the desktop back then sure had me panic... And yet funny too, at that time I was even "tempted" to "link you" to that thread of mine here, eheh, as on my searches I ran across a thread at SpywareWarrior where by coincidence you were helping someone also with a similar trojan infection, so I thought whether any detail about it on my thread couldn't even turn out helpful to solving that other case too... But then the person being helped there also never posted back with any further feedback, so, it wouldn't have mattered much anyway... Anyways. Overall I appreciate it greatly, for sure, to meet you back as my helper once again, thanks so much already, for taking the time. :) Oh and by the way, I see you moved on in your rank, congratulations to you on that, becoming part of BC's HJT coach team! :thumbsup:)

But so, down to biz, and to this new issue. At once, sorry I can't provide those fresh DSS logs just yet. As I was saying back in the "Haven't had a reply in five days" thread, I'm not having access to this laptop right now. Bro and girlfriend went on a week's vacation and the laptop went along, thus I won't be able to get you those new logs until a couple of days or so from now, until they return, sorry again, and thank you for your understanding and patience. (Well let's hope at least they won't bring the laptop back with even more nasties to add to the "collection", ahah...)

And yet regarding the DSS logs:

We'll have to run it a bit different this time to get both logs.


Actually both logs too were there, the time before (extra ones were only attached to keep the post from getting even longer). :) As in fact as I was commenting in that other thread I'm on:

Just a note here, to say that never again, since the first time I had run DSS - which I had done back in last March, by then just for my own reference - has the scanner produced the extra log, only the main one, as it also never again performed all the steps it was supposed to, such as backing up the registry, creating a System Restore point and more. I have ever since always been intrigued by this "behaviour" of DSS?... Nonetheless, after some further searching now, I came across the command for displaying the scanner's settings, "%userprofile%\desktop\dss.exe" /config, as found on techsupportforum.com, and so I do now run DSS this way, then having all settings ticked, as opposed to only HijackThis + Files Created/Modified + Registry Dump + Whitelist Output + Check File Signatures which are the ones shown ticked "by default"; don't know if this is the normal way to be or?...


Then again, speaking of posts getting long...

Nice detailed explanations you gave.
You're good at this stuff.


Well, yes, as I was just saying above, every time I try to detail it the most I can (I reckon some details may even be irrelevant in the end, don't know, but nonetheless), not only hoping it may come in handy for the helper who'll take on my case to fully evaluate the situation, but also hoping it may eventually come in handy too for anyone else searching for helpful hints in any similar cases... (How often I myself too, on my own searches, have wished for further detail... Guess in some way that makes me take my own post-making from the searcher's perspective and pour in all details... :))

When we get cleaned up I will suggest you reset his firewall so there isn't any programs that should have not been let out in allow list any more.


In fact this was one of the precautions taken already. I did reset the firewall (btw just for reference, for Sygate that's Tools > Applications and removing any unwanted program from the list) after getting me the logs needed. (Hmm, or shouldn't that step have been taken quite yet? I wonder now, as you say "When we get cleaned up"...)

Then you can help him set it up & give him tips and such what to be trusting.
I think they have little understanding what is OK and what is not OK.


And don't I just do just that every time... *sigh* If only they'd go by the simple rule that "if it ain't known or expected, then it ain't to be allowed until confirmed"... But they just seem to always go for the opposite and "allow first, and check later"... *sigh*

Anyway, so, I'll get back to you with updated DSS logs asap. And yes, certainly, then I'll also upload the malware files for you, yes, I "know the drill". (Here's yet something else I got to learn from that long ride of ours last time: keep samples, in case they're needed later on.)

Meanwhile, just wondering yet...

You have a flash drive infection on that machine too...


What would be the signs of this?... (Never too much to be enlightened, to get one's eye sharper, for any future occurrences...) Hmm, would it be by some chance any of those \mountpoints2 keys referred to in the "Registry Dump" section of DSS's main log?... (That one thing did sound kinda "odd" to me...)

All in all, again best greets to Canada, and thank you greatly already, for all help to come. :wink:

#4 Blender

    I will eat your Malware

  • Malware Response Team
  • Location:Ontario

Posted 09 August 2008 - 07:02 PM

Hi :)

Yes. Last time was one long ride.
Learned a lot on that one though. :thumbsup:

(Well let's hope at least they won't bring the laptop back with even more nasties to add to the "collection", ahah...)


LOL! Hope not for your & their sake. Hopefully you had things under control enough to keep those nasties at bay till they get back.

At once, sorry I can't provide those fresh DSS logs just yet.


That's fine. We can continue when you are able to access the system again.
If I fail to reply -- do PM me.

As in fact as I was commenting in that other thread I'm on:


Ahh that is how you figured out this config feature.
This is sometimes how I can get around it when it freezes (sometimes) when it scans "event logs" & crashes entire app.
I simply run it with the /config switch & uncheck "event logs" -- app can complete its scan then.
Several of the items are not scanned/reported twice by default because they rarely change.

Well, yes, as I was just saying above, everytime I try to detail it the most I can (I reckon some details may even be irrelevant in the end, don't know, but nonetheless), not only hoping it may come in handy for the helper who'll take on my case to fully evaluate the situation, as also hoping it may eventually come in handy too for anyone else searching for helpful hints in any similar cases... (How often I myself too, on my own searches, have wished for further detail... Guess in some way that makes me take my own posts-making from the searcher's perspective and pour in all details...


Yes indeed. Details often help not only helpers but other google travellers as well.

In fact this was one of the precautions taken already. I did reset the firewall (btw just for reference for Sygate that's Tools > Applications and removing any unwanted program from the list) after getting me the logs needed. (Hmm, or shouldn't that step had been taken quite yet? I wonder now, as you say "When we get cleaned up"...)


You did fine by doing that. No harm in it at all.
If needed you can always double check when you get the machine & reset again if needed.

Anyway, so, I'll get back to you with updated DSS logs asap. And yes, certainly, then I'll also upload the malware files for you, yes, I "know the drill". (Here's yet something else I got to learn from that long ride of ours last time: keep samples, if needed later on.


Kewl beans! I'll be sure to watch for you. :)

What would be the signs of this?... (Never too much to be enlightened, to get one's eye sharper, for any future occurrences... ) Hmm, would it be by some chance any of those \mountpoints2 keys referred in the "Registry Dump" section of DSS's main log?... (That one thing did sound kinda "odd" to me...)


yes indeedy it is.
In particular this one:
http://vil.nai.com/vil/content/v_139985.htm

If you open a command prompt then do:
cd c:\
dir a:/h


That will show you list of hidden files. (most legit)
If autorun.inf is present -- it shall show in list as well as ravmon.exe may or may not be present.

I don't see ravmon.exe file or autorun.inf in your logs -- at this point I just see the mountpoint2 entry.
Could very well be that the files themselves are gone & just those registry entries to clean up. We shall see.
However -- even if those files are gone from the hard drive -- it is possible someone has a flash drive that was used on that system that is still infected which should be located & cleaned up.

All in all, again best greets to Canada, and thank you greatly already, for all help to come.


Greets to you as well & you're welcome. :)

See you shortly :)
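A small triage script, added here as an example and not something posted in the thread, that does by hand what the reply above describes: it reads a DSS-style "Registry Dump" of the Explorer MountPoints2 key and an autorun.inf pulled off a removable volume, and flags launch commands that point back into the volume (a drive-letter path, or a bare executable name that Windows resolves against the volume root) or that go through RunDLL32 Shell32.DLL,ShellExec_RunDLL. The sample registry lines copy the shape of the dump earlier in the thread; the autorun.inf content is constructed for the example, and the regular expressions and reason strings are my own choices. Two caveats worth keeping in mind: MountPoints2 subkeys are named by volume GUID, and the drive letter inside the command is simply whatever letter the volume had when the entry was written, so the GUID, not the letter, identifies the volume; and legitimate install CDs/DVDs write entries of exactly this form, so a hit means "look at it", not "infected". (Also, the command-prompt switch that lists hidden files is the attribute switch, dir /a:h, which is why dir a:/h answers "invalid parameter".)

```python
"""Triage helper for the MountPoints2 / autorun.inf symptoms discussed above.

Added example; it is not code from the thread or from DSS.  It parses a
DSS-style registry dump of the Explorer MountPoints2 key and an autorun.inf
from a removable volume, and flags launch commands that point back into the
volume or go through RunDLL32 Shell32.DLL,ShellExec_RunDLL.
"""
import re

# Constructed sample input: same layout as the DSS "Registry Dump" section.
SAMPLE_DSS_DUMP = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca0-1879-11dd-aff9-0018de978965}]
AutoRun\command- F:\AutoRun.exe
"""

# Constructed autorun.inf (hypothetical content in the usual INI layout).
SAMPLE_AUTORUN_INF = r"""[AutoRun]
open=RavMon.exe e
shell\open\Command=RavMon.exe e
shellexecute=RavMon.exe e
icon=setup.exe,0
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
CMD_RE = re.compile(r"^(?P<verb>[^\\]+)\\command-\s*(?P<cmd>.+)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-z]:\\")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".pif")
LAUNCH_KEYS = ("open", "shellexecute")   # autorun.inf keys that run something


def parse_mountpoints2(dump):
    """Return {volume GUID: {verb: command}} from a DSS registry dump."""
    entries, current = {}, None
    for line in dump.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1)
            # Only MountPoints2 subkeys count; any other key ends the section.
            current = path.rsplit("\\", 1)[-1] if "mountpoints2" in path.lower() else None
            if current:
                entries.setdefault(current, {})
            continue
        cmd = CMD_RE.match(line)
        if cmd and current:
            entries[current][cmd.group("verb")] = cmd.group("cmd")
    return entries


def parse_autorun_inf(text):
    """Return {key (lower-cased): value} for the [AutoRun] section."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            k, v = line.split("=", 1)
            values[k.strip().lower()] = v.strip()
    return values


def launch_commands(autorun_values):
    """Keep only the keys that execute something when the volume is opened."""
    return {k: v for k, v in autorun_values.items()
            if k in LAUNCH_KEYS or k.endswith("\\command")}


def suspicious(command):
    """Reasons a launch command deserves a look (empty list = nothing odd)."""
    low = command.strip().lower()
    reasons = []
    if "shellexec_rundll" in low:
        reasons.append("ShellExec_RunDLL launcher")
        low = low.split("shellexec_rundll", 1)[1]   # inspect what it launches
    tokens = low.split()
    first = tokens[0] if tokens else ""
    if DRIVE_RE.match(first):
        if not first.startswith("c:\\"):
            reasons.append("runs a program from non-system volume " + first[:2].upper())
    elif first.endswith(EXEC_EXT) and "\\" not in first:
        reasons.append("bare executable name, resolved relative to the volume root")
    return reasons


def triage(dump, autorun_inf=None):
    """List (where, command, reasons) for every command worth checking."""
    findings = []
    for guid, verbs in parse_mountpoints2(dump).items():
        for verb, cmd in verbs.items():
            reasons = suspicious(cmd)
            if reasons:
                findings.append(("MountPoints2 %s %s" % (guid, verb), cmd, reasons))
    if autorun_inf:
        for key, cmd in launch_commands(parse_autorun_inf(autorun_inf)).items():
            findings.append(("autorun.inf %s" % key, cmd,
                             suspicious(cmd) or ["launch key present"]))
    return findings


if __name__ == "__main__":
    for where, cmd, reasons in triage(SAMPLE_DSS_DUMP, SAMPLE_AUTORUN_INF):
        print("%-58s %-72s %s" % (where, cmd, "; ".join(reasons)))
```

To use it on a real case, paste the MountPoints2 portion of the DSS "Registry Dump" into SAMPLE_DSS_DUMP and the contents of the volume's autorun.inf into SAMPLE_AUTORUN_INF; entries whose command names a file that no longer exists on any drive are the leftover registry keys the reply above expects to find.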

#5 Blender

    I will eat your Malware

  • Malware Response Team
  • Location:Ontario

Posted 19 August 2008 - 08:15 AM

Doing OK DeLuk?

#6 DeLuk

  • Topic Starter
  • Members
  • Location:Portugal

Posted 19 August 2008 - 04:38 PM

Hi Blender. Yes yes, doing just fine, thanks for the concern. I hope you are too.

Just so very sorry, again, for the delay getting back to you. :-S (And yet funny, that you posted today, as I was just preparing my post as well. As you can see the logs are from yesterday - I was just setting it all up for posting.) Only now did my bro have the chance to bring the laptop back here.

Fresh DSS logs follow below, for your review. As well, I have already uploaded the malware files as requested.

Still about DSS, you were saying:

Ahh that is how you figured out this config feature.
This is sometimes how I can get around it when it freezes (sometimes) when it scans "event logs" & crashes entire app.
I simply run it with the /config switch & uncheck "event logs" -- app can complete its scan then.
Several of the items are not scanned/reported twice by default because they rarely change.


You mean then that DSS makes the whole full scan only on first run? And on every subsequent scan, only those fewer settings are on, is that it? So this being in fact the way DSS "behaves" by "default" then, yes? I see...

Then again, and speaking of event logs, funny too that you mention these, as there's one extra doubt on this matter that I'd like to ask about... I wonder whether I may take the chance and share that doubt with you later on, when we're all done with the malware cleaning?... :)

Back to the laptop, meanwhile I have already re-run all the scans done before, Avast + Malwarebytes' Anti-Malware + SUPERAntiSpyware + AVG Anti-Spyware + Spybot S&D + Ad-Aware SE + Kaspersky Online Scan, all of which reported nothing found at this point. (Except for, of course, those 3 items reported by MBAM, which I mentioned before. One additional note, also, to say that the Kaspersky Online Scanner used was the new Java version. If by chance one with the previous ActiveX version is also needed, do let me know.)

I also did yet a new RegSearch for gbpdist + gbpservice + the BHO id d9ad1747-7b19-4dea-bc02-0ab12c4fc468 just to double check and result was the same as last time.

And regarding the USB flash drive infection, so it was that RavMon thingy in there. I did feel that smelt fishy... :thumbsup:

Well, I have by now scanned all the USB devices that they usually use on this laptop (USB pen drive, digital camera, mobile phones, even their broadband internet USB drive), scanned with both Avast and MBAM, and the reports came back clean for all devices... Wonder if there's any other specific scanner I should also scan with?... All in all, I'd guess it's possibly some other device than theirs, possibly one from a colleague or something, that may at some point have been connected to the laptop, then causing the infection, no?... I have called their attention to the fact, either way, so I hope they will be wise to warn any colleagues about it, so they can check their USB devices for infection as well...

If you open a command prompt then do:
cd c:\
dir a:/h

That will show you list of hidden files. (most legit)
If autorun.inf is present -- it shall show in list as well as ravmon.exe may or may not be present.



Hmm, I did try that at the command prompt, but all I seem to get is the message "invalid parameter - h"...?

In any case, I did run a search for the file RavMon.exe on the laptop (obviously having hidden and system files showing), and no such file was found. Didn't find it in any of the USB devices I checked either. As for autorun.inf, only the broadband internet USB drive has it, but the one there is legit. So I'm guessing that, as you were guessing too, the infection-related files themselves must be gone by now, so it seems. (Probably removed in some casual scan, at some point, I suppose?...)

I also did a registry search for ravmon, and only entries found are those as reported by DSS:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3133a370-9d94-11db-ad9d-0018de978965}\Shell\Auto\command]
@="G:\\RavMon.exe e"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3133a370-9d94-11db-ad9d-0018de978965}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e"


No trace of it is to be found in the HKLM key (as referred in McAfee's info page you linked to, above).

Then again, one doubt, if I may?... :) About that command, dir a:/h, the a: in there, what does it stand for?... (The drive?... Which then I wonder, why a:?...) And yet I also wonder whether, for the same machine/system, a USB drive always gets assigned the same drive letter each time it is connected? (Hmm, of those I checked here, I noticed there was an F:, also an H:, yet I don't recall whether there was a G:... Either way, the bottom line question here is: is the drive letter a detail of relevance, actually? Cos that might then become a hint on eventually getting to the "culprit" of the infection...)

Finally, the last thing I also wonder about, back to the DSS log, the main log namely, is why the "File Associations" section now shows again "All associations ok." and why the heck on the last scan there was:

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


What caused these changes after all, before, and now again?... I'm puzzled. :)

I stand-by for your further instructions on what steps follow next.

Thank you greatly, one time again, for your support, and patience most of all! And one time again as well, my apologies, for the delay in reply. :-S


----------


DSS main log


Deckard's System Scanner v20071014.68
Run by SONIA on 2008-08-18 21:41:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
27: 2008-08-18 20:41:19 UTC - RP100 - Deckard's System Scanner Restore Point
26: 2008-08-17 20:01:22 UTC - RP99 - Software Distribution Service 3.0
25: 2008-08-16 20:01:23 UTC - RP98 - Software Distribution Service 3.0
24: 2008-08-16 12:46:15 UTC - RP97 - Ponto de verificação do sistema
23: 2008-08-12 11:24:29 UTC - RP96 - Ponto de verificação do sistema


-- First Restore Point --
1: 2008-06-28 23:49:40 UTC - RP74 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as SONIA.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:42:18, on 18-08-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ATK0100\HControl.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\ATK0100\ATKOSD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\SONIA\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\SONIA.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by SAPO
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HControl] C:\WINDOWS\ATK0100\HControl.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Wireless Console 2] C:\Program Files\Wireless Console 2\wcourier.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ASUS Live Update] C:\Program Files\ASUS\ASUS Live Update\ALU.exe
O4 - HKLM\..\Run: [ABLKSR] C:\WINDOWS\ABLKSR\ABLKSR.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ASUS ChkMail.lnk = C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.asus.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 9958 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080131-195310-755 O4 - HKLM\..\Run: [PelSetupRun] E:\setup.exe

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.4.10.0) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.4.10.0>
R2 s24trans (Transporte WLAN) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
S3 wceusbsh (Windows CE USB Serial Host Driver) - c:\windows\system32\drivers\wceusbsh.sys <Not Verified; Microsoft Corporation; Windows CE USB Serial Host Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 RegSrvc (Intel® PROSet/Wireless Registry Service) - c:\program files\intel\wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel® PROSet/Wireless Registry Service>

S3 iPod Service - "c:\program files\ipod\bin\ipodservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E96D-E325-11CE-BFC1-08002BE10318}
Description: Motorola SM56 Data Fax Modem
Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_104310C6&REV_1007\4&22A96E28&0&0101
Manufacturer: Motorola Inc
Name: Motorola SM56 Data Fax Modem
PNP Device ID: HDAUDIO\FUNC_02&VEN_1057&DEV_3055&SUBSYS_104310C6&REV_1007\4&22A96E28&0&0101
Service: Modem


-- Process Modules -------------------------------------------------------------

C:\WINDOWS\system32\winlogon.exe (pid 912)
2007-04-19 12:41:36 294912 --a------ C:\Program Files\SUPERAntiSpyware\SASWINLO.dll <Not Verified; SUPERAntiSpyware.com; SUPERAntiSpyware WinLogon Processor>

C:\WINDOWS\explorer.exe (pid 548)
2001-12-05 05:00:00 68096 --a------ C:\Program Files\Internet Explorer\MUI\0816\BROWSELC.DLL <Not Verified; Microsoft Corporation; Sistema operativo Microsoft® Windows®>


-- Files created between 2008-07-18 and 2008-08-18 -----------------------------

2008-08-18 21:36:44 0 dr-h----- C:\Documents and Settings\SONIA\Recent
2008-07-20 19:59:28 0 d-------- C:\fsaua.data
2008-07-20 18:07:40 0 d-------- C:\WINDOWS\BDOSCAN8
2008-07-18 10:43:32 0 d-------- C:\RegSearch


-- Find3M Report ---------------------------------------------------------------

2008-07-25 13:25:06 106509 --a------ C:\Progresso.exe
2008-07-17 19:48:14 0 d-------- C:\Documents and Settings\SONIA\Application Data\Malwarebytes
2008-07-17 19:48:12 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 11:43:50 1959 --a------ C:\WINDOWS\contact
2008-07-14 10:28:16 0 --a------ C:\Wininet
2008-07-02 11:14:36 0 d-------- C:\Program Files\Atrativa Games


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [22-02-2006 21:40]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [21-11-2005 08:51]
"nwiz"="nwiz.exe" [21-11-2005 08:51 C:\WINDOWS\system32\nwiz.exe]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [05-08-2005 13:56]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [02-11-2004 20:24]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09-07-2001 11:50]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [07-01-2005 17:07 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [06-09-2005 05:39 C:\WINDOWS\RTHDCPL.EXE]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [20-10-2005 23:26]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [17-10-2005 17:09]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [14-04-2006 11:51]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [14-04-2006 11:52]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [14-04-2006 11:56]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [06-03-2006 17:13]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [21-02-2006 15:20]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [02-01-2006 19:14]
"SMSERIAL"="sm56hlpr.exe" [26-05-2005 16:12 C:\WINDOWS\sm56hlpr.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [19-07-2008 15:38]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [16-02-2007 10:54]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [22-01-2006 17:45]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [07-02-2006 05:10]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [02-02-2006 08:11]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25-09-2007 01:11]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11-01-2008 22:16]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [15-10-2004 19:40]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [20-07-2005 17:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [16-03-2006 02:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [17-06-2007 15:06]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [13-11-2006 15:25]

C:\Documents and Settings\SONIA\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29-08-2003 19:05:35]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe [14-11-2006 20:27:37]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13-02-2001 11:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [17-07-2008 19:09 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19-04-2007 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]
Auto\command- G:\RavMon.exe e
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca0-1879-11dd-aff9-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca1-1879-11dd-aff9-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ab0245e-1a8e-11dd-affd-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca3d208-21eb-11dd-b003-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ccbecc-1877-11dd-aff8-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba76-1873-11dd-aff7-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba77-1873-11dd-aff7-0018de978965}]
AutoRun\command- F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5a23f4-314a-11dd-b01a-0018de978965}]
AutoRun\command- F:\AutoRun.exe




-- Hosts -----------------------------------------------------------------------

127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 www.a9rhiwa.cn
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net
127.0.0.1 c.abnad.net #[eTrust.Tracking.Cookie]

5695 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-18 21:43:07 ------------


----------


DSS extra log


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Genuine Intel® CPU T2250 @ 1.73GHz
CPU 1: Genuine Intel® CPU T2250 @ 1.73GHz
Percentage of Memory in Use: 25%
Physical Memory (total/avail): 2047.36 MiB / 1534.65 MiB
Pagefile Memory (total/avail): 3940.4 MiB / 3449.46 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1901.41 MiB

C: is Fixed (FAT32) - 53.56 GiB total, 26.19 GiB free.
D: is Fixed (FAT32) - 35.67 GiB total, 35.63 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541010G9AT00 - 93.16 GiB - 3 partitions
\PARTITION0 - Unknown - 3.91 GiB
\PARTITION1 (bootable) - Unknown - 53.57 GiB - C:
\PARTITION2 - Expandido com Int 13 expandido - 35.68 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

FW: Sygate Personal Firewall v4.6 (Sygate Technologies, Inc.)
AV: avast! antivirus 4.8.1229 [VPS 080818-0] v4.8.1229 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:*:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Enabled:Firefox"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\SONIA\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TOITA
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\SONIA
LOGONSERVER=\\TOITA
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 14 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0e08
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\SONIA\LOCALS~1\Temp
TMP=C:\DOCUME~1\SONIA\LOCALS~1\Temp
USERDOMAIN=TOITA
USERNAME=SONIA
USERPROFILE=C:\Documents and Settings\SONIA
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

SONIA (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DD4F051C-1A2B-4A91-B187-B093C597418C}\setup.exe" -l0x816 anything
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ABBYY FineReader 6.0 Sprint --> MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Ad-Aware SE Personal --> C:\PROGRA~1\LAVASOFT\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\LAVASOFT\AD-AWA~1\INSTALL.LOG
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\MACROMED\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\MACROMED\SHOCKW~1\Install.log
Agatha Christie: Murder on the Orient Express --> "C:\Program Files\Agatha Christie - Murder on the Orient Express\Uninstall.exe"
Aloha Solitaire --> "C:\Program Files\Atrativa Games\Aloha Solitaire\uninstall.exe"
Assistente de Início de Sessão do Windows Live --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Asus ChkMail --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Asus\Asus ChkMail\Uninst.isu"
ASUS Live Update --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E657B243-9AD4-4ECC-BE81-4CCF8D667FD0}\setup.exe" -l0x9
Asus_A_Series_ScreenSaver --> C:\WINDOWS\ASUS A Series ScreenSaver Uninstaller.exe
ASUSDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
ATK0100 ACPI UTILITY --> C:\WINDOWS\ATK0100\XPunin.exe
Atlantis (Free) (remove only) --> "C:\Program Files\Atlantis\Uninstall.exe"
avast! Antivirus --> C:\Program Files\Alwil Software\Avast4\aswRunDll.exe "C:\Program Files\Alwil Software\Avast4\Setup\setiface.dll",RunSetup
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
Big Fish Games Client --> C:\Program Files\bfgclient\Uninstall.exe
Cake Mania 2 --> "C:\Program Files\Cake Mania 2\Uninstall.exe"
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Checkers --> C:\PROGRA~1\EGAMES\CHECKERS\UNWISE.EXE C:\PROGRA~1\EGAMES\CHECKERS\INSTALL.LOG
Chess --> C:\PROGRA~1\EGAMES\CHESS\UNWISE.EXE C:\PROGRA~1\EGAMES\CHESS\INSTALL.LOG
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Compressor WinRAR --> C:\Program Files\WinRAR\uninstall.exe
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DVD Decrypter (Remove Only) --> "C:\Program Files\DVD Decrypter\uninstall.exe"
ebgcInfra --> MsiExec.exe /X{39B1BD87-561E-4762-AED9-7C5213B06C24}
ebgcRes --> MsiExec.exe /X{56C7A7E4-9D6F-407C-B40F-9C1DF5ECBCDD}
ebgcRes --> MsiExec.exe /X{FDF47632-D912-49F0-A80F-46B0C898A9DC}
ebgcSDK --> MsiExec.exe /X{13AD768A-9E04-499D-AE80-967A65DCCBA5}
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Excel em 60 minutos --> MsiExec.exe /X{2F5DDF86-6D58-46E5-AC59-E63AA0095830}
Forgotten Riddles - The Mayan Princess (remove only) --> "C:\Program Files\Forgotten Riddles - The Mayan Princess\Uninstall.exe"
GamesBar 1.0.0.9 --> C:\DOCUME~1\ALLUSE~1\APPLIC~1\TARMAI~1\{666A0~1\Setup.exe /remove /q0
Gonzo Heads --> C:\PROGRA~1\EGAMES\GONZOH~1\UNWISE.EXE C:\PROGRA~1\EGAMES\GONZOH~1\INSTALL.LOG
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar3.dll"
Hearts --> C:\PROGRA~1\EGAMES\HEARTS\UNWISE.EXE C:\PROGRA~1\EGAMES\HEARTS\INSTALL.LOG
Hidden Expedition: Titanic (remove only) --> "C:\Program Files\Hidden Expedition Titanic\Uninstall.exe"
High Definition Audio Driver Package - KB888111 -->
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hoyle Card Games 2005 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B44AA698-B221-4B3B-8CA5-E65EF6A5AF26}\setup.exe" -l0x9 -removeonly
Hoyle Enchanted Puzzles --> "C:\Program Files\Hoyle Enchanted Puzzles\Uninstall.exe"
Java 2 Runtime Environment, SE v1.4.2_04 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142040}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Jigs@w Puzzle 2 --> "C:\Program Files\Jigs@w Puzzle 2\Uninstall.exe"
Kanguru --> C:\PROGRA~1\KANGURU\UNWISE.EXE C:\PROGRA~1\KANGURU\INSTALL.LOG
Laptop Drop --> C:\PROGRA~1\EGAMES\LAPTOP~1\UNWISE.EXE C:\PROGRA~1\EGAMES\LAPTOP~1\INSTALL.LOG
Lexmark 2400 Series --> C:\Program Files\Lexmark 2400 Series\Install\x86\Uninst.exe
Lexmark 730 Series --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxcfUNST.EXE -NOLICENSE
Localization Pack for Microsoft Windows XP Media Center Edition --> MsiExec.exe /I{FCD71FFD-0825-42DD-8BEC-CE8F97823B36}
Luxor Mahjong --> "C:\Program Files\Oberon Media\Luxor Mahjong\Uninstall.exe" "C:\Program Files\Oberon Media\Luxor Mahjong\install.log"
Mah Jong Quest --> "C:\Program Files\Oberon Media\Mah Jong Quest\Uninstall.exe" "C:\Program Files\Oberon Media\Mah Jong Quest\install.log"
Mahjong Escape - Ancient Japan Deluxe --> "C:\Program Files\Zylom Games\Mahjong Escape - Ancient Japan Deluxe\GameInstlr.exe" --uninstall UnInstall.log
MahJong Medley --> "C:\Program Files\Atrativa Games\MahJong Medley\uninstall.exe"
Mahjongg Jr --> C:\PROGRA~1\EGAMES\MAHJON~1\UNWISE.EXE C:\PROGRA~1\EGAMES\MAHJON~1\INSTALL.LOG
Mahjongg Master 4 --> C:\PROGRA~1\EGAMES\MAHJON~4\UNWISE.EXE C:\PROGRA~1\EGAMES\MAHJON~4\INSTALL.LOG
Mahjongg Master Egyptian Edition --> C:\PROGRA~1\EGAMES\MAHJON~2\UNWISE.EXE C:\PROGRA~1\EGAMES\MAHJON~2\INSTALL.LOG
Mahjongg Patience --> C:\PROGRA~1\EGAMES\MAHJON~3\UNWISE.EXE C:\PROGRA~1\EGAMES\MAHJON~3\INSTALL.LOG
MahJongg Tiles of Time --> C:\PROGRA~1\EGAMES\MA8976~1\UNWISE.EXE C:\PROGRA~1\EGAMES\MA8976~1\INSTALL.LOG
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft ActiveSync --> MsiExec.exe /I{99052DB7-9592-4522-A558-5417BBAD48EE}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office XP Professional com FrontPage --> MsiExec.exe /I{90280816-6000-11D3-8CFE-0050048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
Modelo 3 --> "C:\Program Files\Declarações Electrónicas\Modelo 3\bin\Remover Modelo 3.exe"
Motorola SM56 Data Fax Modem --> C:\WINDOWS\Motorola\SMSERIAL\sm56unst.exe
Mozilla Firefox (2.0.0.16) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
MSN --> C:\Program Files\MSN\MsnInstaller\msninst.exe /Action:ARP
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Need for Speed™ Carbon --> C:\Program Files\Electronic Arts\Need for Speed Carbon\EAUninstall.exe
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org 2.3 --> MsiExec.exe /I{C743A09F-7FF8-4CDE-AF76-7957E30834A5}
Option GT HSDPA driver suite --> C:\WINDOWS\OptionPluss_PCCardInstallerUninstall.exe
Option PC Cards driver package --> C:\WINDOWS\OptionPCCardInstallerUninstall.exe
Paradise Pet Salon (remove only) --> "C:\Program Files\Paradise Pet Salon\Uninstall.exe"
Pirateville (remove only) --> "C:\Program Files\Pirateville\Uninstall.exe"
Poker Palace --> C:\PROGRA~1\EGAMES\POKERP~1\UNWISE.EXE C:\PROGRA~1\EGAMES\POKERP~1\INSTALL.LOG
PokerStars --> "C:\Program Files\PokerStars\PokerStarsUninstall.exe" /u:PokerStars
Power4 Gear --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4462AD13-F2AA-4CBD-9F95-293C38EED870}\setup.exe" -l0x9
Puzzle Master 3 --> C:\PROGRA~1\EGAMES\PUZZLE~1\UNWISE.EXE C:\PROGRA~1\EGAMES\PUZZLE~1\INSTALL.LOG
QuickTime --> MsiExec.exe /I{5E863175-E85D-44A6-8968-82507D34AE7F}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x816 -removeonly
REALTEK PCIE NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E2F183-BAC4-4D01-BD7A-59F781E17EFA}\setup.exe" -l0x816 REMOVE
Recomendações de Actualização do Windows Vista --> MsiExec.exe /I{3BEF139A-A0B8-4729-964E-D7450B8DE57D}
Sandlot Games Client Services 1.2.2 --> "C:\Program Files\Common Files\Sandlot Shared\unins000.exe"
Sanitarium --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\ASC Games\Sanitarium\Uninst.isu"
Security Update for Step By Step Interactive Training (KB898458) -->
Security Update for Step By Step Interactive Training (KB923723) --> "C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Software do Intel® PROSet/Wireless --> C:\WINDOWS\Installer\iProInst.exe
Solitaire Master 3 --> C:\PROGRA~1\EGAMES\SOLITA~1\UNWISE.EXE C:\PROGRA~1\EGAMES\SOLITA~1\INSTALL.LOG
Soluções de Fax Lexmark --> C:\Program Files\Lexmark Fax Solutions\Install\x86\Uninst.exe /R:faxunst
Spades --> C:\PROGRA~1\EGAMES\SPADES\UNWISE.EXE C:\PROGRA~1\EGAMES\SPADES\INSTALL.LOG
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Sygate Personal Firewall --> MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update Rollup 2 for Windows XP Media Center Edition 2005 --> C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
ViaMichelin Navigation X-930 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{47FF921C-E834-47A6-8CE4-F0A99CDE347F}\setup.exe" -l0x9
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{0C69F74B-DA6A-4C56-8017-988B7D63993A}
Windows Live Messenger --> MsiExec.exe /X{B98023FD-EC2A-404B-BFC3-49E7ECE4490E}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB888316 -->
Windows XP Media Center Edition 2005 KB890629 -->
Windows XP Media Center Edition 2005 KB890760 -->
Windows XP Media Center Edition 2005 KB895198 -->
Windows XP Media Center Edition 2005 KB895678 -->
Windows XP Media Center Edition 2005 KB911061 -->
Windows XP Media Center Edition 2005 KB925766 --> "C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
WinFlash --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DE10AB76-4756-4913-BE25-55D1C1051F9A}\setup.exe" -l0x9
Wireless Console 2 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{83F73CB1-7705-49D1-9852-84D839CA2A45}\setup.exe" -l0x9 -removeonly


-- Application Event Log -------------------------------------------------------

Event Record #/Type7783 / Error
Event Submitted/Written: 07/30/2008 02:04:02 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicação em falha mahjong2.exe, versão 2.0.2.2, módulo em falha unknown, versão 0.0.0.0, endereço em falha 0x0118000f.
A processar o evento especifico de suporte de dados para [mahjong2.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type18654 / Error
Event Submitted/Written: 08/07/2008 10:24:13 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
O serviço NVIDIA Display Driver Service terminou inesperadamente. Isto aconteceu 1 vez(es).

Event Record #/Type18590 / Error
Event Submitted/Written: 08/06/2008 03:06:48 PM
Event ID/Source: 43 / Modem
Event Description:
A operação de inactividade do sistema falhou

Event Record #/Type18589 / Error
Event Submitted/Written: 08/06/2008 03:06:48 PM
Event ID/Source: 43 / hwdatacard
Event Description:


Event Record #/Type18563 / Error
Event Submitted/Written: 08/06/2008 01:09:04 PM
Event ID/Source: 7034 / Service Control Manager
Event Description:
O serviço NVIDIA Display Driver Service terminou inesperadamente. Isto aconteceu 1 vez(es).

Event Record #/Type18479 / Error
Event Submitted/Written: 07/31/2008 00:48:05 PM
Event ID/Source: 43 / hwdatacard
Event Description:




-- End of Deckard's System Scanner: finished at 2008-08-18 21:43:07 ------------


----------

Edited by DeLuk, 20 August 2008 - 06:13 AM.


#7 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:45 PM

Posted 22 August 2008 - 06:12 AM

Just an update note: I just had to change the Windows Automatic Updates settings (it was set to automatic download and install, and I just changed it to download and install on demand) to prevent SP3 from getting installed now. It just downloaded automatically the last time I got the laptop online, and as I didn't want to risk it being installed automatically as well, not at this point anyway (to be honest, I admit I'm not even sure whether to apply SP3 at all or not... :thumbsup:), I had no choice but to change the settings for Windows Automatic Updates at once. And so SP3 is now lying in the systray on stand-by for install. Just to let you know.

Edited by DeLuk, 22 August 2008 - 06:27 AM.


#8 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:05:45 PM

Posted 24 August 2008 - 10:21 PM

Hi there :)

Sorry for being so long. Leaky roof troubles at home. :thumbsup:

Since I had you download DSS.exe, the developer has pulled it because there is a rootkit that affects how it runs and can cause damage to the machine.
For safety's sake I'd like you to delete that program and its folder C:\Deckard

We've got other tools we can use in place of it.

You mean then that DSS makes the whole full scan only on first run? And on every subsequent scan, only those fewer settings are on, is that it? So this being in fact the way DSS "behaves" by "default" then, yes? I see...


Yep. Exactly.
Because those less common logged items are not apt to change often -- not normally any reason to output to log every time.
However if needed -- the config switch can be used to check/uncheck whatever needed.

Well, I have by now scanned all USB devices that they used to use on this laptop (USB pen drive, digital camera, mobile phones, even their broadband internet USB drive), scanned with both Avast and MBAM, and reports came clean for all devices... Wonder if there's any other specific scanner I should also scan with?... All in all, I'd guess it's possibly some other device than theirs, possibly one from a colleague or something, that may eventually at some point have been connected to the laptop, then causing the infection, no?... I have called their attention to the fact, either way, so I hope they will be wise to warn any colleagues about it, so they can check their USB devices for infection as well...


Most likely by now you have eliminated the infection itself & there is only a couple registry entries left to remove.
We'll deal with that in a bit.

Hmm, I did try that at the command prompt, but all I seem to get is the message "invalid parameter - h"...?


If I would learn to type -- it might come out better... :|

Instead of:

cd c:\
dir a:/h

It is:

cd c:\
dir /a:h


That will show you hidden files in c:\
The /a switch is for searching for files with a specific attribute (hidden, system, etc.)
The :h -- I am searching for hidden.

You can see all the switches and so on for the dir command if you do dir /?
The /? switch gives you the 'help' list.

Yes -- there are normally some hidden files in c:\ but there shouldn't be any "autorun.inf"

I also did a registry search for ravmon, and only entries found are those as reported by DSS:


Yep -- and we'll do up a reg fix to remove those bad pointers.

Finally, the last thing I do wonder about, back to the DSS log, the main log namely, is why the "File Associations" section now shows again "All associations ok." and why the heck on the last scan there was:

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

What caused these changes after all, before, and now again?... I'm puzzled.


Not sure why DSS reports that on first scan. Mine has as well. Although there is not anything wrong with those entries.

Regarding Windows Update --
Yes. Hold off on SP3 for a bit please.
Not too sure how it will fare out with this banker trojan onboard.
I'd rather wait till we're clean before installing the service pack.

---------------------

Since you are getting those same search results with RegSearch -- let's tackle that.

Download this file instead and save it to the desktop:
http://www.microsoft.com/downloads/details...0C-0A0205368124
Do nothing with it yet.

Once you have that file.....

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Drag the file you downloaded from Microsoft and drop it on top of ComboFix.
Let it run.
Follow prompts from Combofix.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt


--Do not mouseclick combofix's window while it's running. That may cause it to stall

--ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
--Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell me.
--Your internet connection will be terminated while ComboFix runs. Do Not attempt to re-enable it. Should ComboFix terminate prematurely, restart the computer to restore connectivity.


Let me know how the system is running please.

Thanks :)
I'll have an order of massive trojan attack please with a side order of rootkit and virus dip.
Pre-course order of fresh spyware salad please with a side order of polymorphic dressing.
And to drink...a nice tall glass of adware!

For dessert; can I have a bowl of the freshest worms you have please?.

Never Give Up!

If you are happy with the service I provided, please consider making a donation to help me continue the fight against Malware.

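An added example, not code from the thread or from any of the tools it mentions: a small Python script that does what the dir /a:h check and the RavMon registry search above are looking for. It finds autorun.inf on each drive root (hidden or not) and lists only the lines that would actually execute something, since those are the values Explorer later caches under HKCU\...\MountPoints2. The two autorun.inf bodies inside it are constructed, not files from the infected laptop; the drive-root scan assumes a Windows host and does nothing elsewhere.

```python
"""Find autorun.inf files on drive roots and show what Windows XP would execute.

Added example for this thread, not from the original post. The drive-root
scan only does something on Windows; the parser itself is portable. The two
autorun.inf texts below are constructed, not files from the infected laptop.
"""
import re
import string
import sys
from pathlib import Path

# Mirrors the RavMon-style remnants in the thread: open= and shellexecute= run
# a program on the stick, shell\Auto\command adds a context-menu verb that
# Explorer then caches under HKCU\...\MountPoints2\{guid}\Shell\Auto\command.
RAVMON_STYLE = """[AutoRun]
open=RavMon.exe e
shellexecute=RavMon.exe e
shell\\Auto\\command=RavMon.exe e
shell=Auto
"""

# A harmless vendor file: icon and label only, nothing is executed.
BENIGN = """[autorun]
icon=setup.exe,0
label=Holiday photos
"""

LAUNCH_KEYS = {"open", "shellexecute"}
VERB_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.

    Explorer matches section and key names case-insensitively, so normalising
    here keeps 'Open=' and 'OPEN=' from slipping past the checks below.
    """
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def launch_commands(entries):
    """Keep only the entries that cause code execution on insertion or double-click."""
    return {k: v for k, v in entries.items()
            if k in LAUNCH_KEYS or VERB_CMD_RE.match(k)}


def drive_roots():
    """Roots to check: every lettered drive on Windows, nothing elsewhere."""
    if sys.platform != "win32":
        return []
    return [f"{c}:\\" for c in string.ascii_uppercase if Path(f"{c}:\\").exists()]


def scan_roots(roots):
    """Map each existing <root>\\autorun.inf to its launch commands.

    Path.is_file() sees hidden and system files, which a plain 'dir' does not;
    that is why the thread needed 'dir /a:h' to look for them.
    """
    findings = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            text = inf.read_text(encoding="latin-1")
            findings[str(inf)] = launch_commands(parse_autorun(text))
    return findings


if __name__ == "__main__":
    for name, sample in (("RavMon-style", RAVMON_STYLE), ("benign", BENIGN)):
        print(name, "->", launch_commands(parse_autorun(sample)) or "nothing executes")
    for path, cmds in scan_roots(drive_roots()).items():
        print(path, "->", cmds or "nothing executes")
```

An autorun.inf that only sets icon= and label= is harmless; one with open=, shellexecute= or any shell\<verb>\command= line is the thing to look at, and an empty result from scan_roots() on a clean machine is the expected outcome.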
#9 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:45 PM

Posted 25 August 2008 - 02:51 PM

Hi Blender, and thanks for new reply. :spacer:

Sorry for being so long. Leaky roof troubles at home.


Sorry to hear that. :-S Hope it's nothing too serious, though, and that you can get that fixed pronto. :-S And hey c'mon please, no apologies needed, for no delays. I'm the one grateful here, for you taking the time to help. :spacer:

Since I had you download DSS.exe the developer has pulled it because there is a rootkit that affects how it runs and can cause damage to machine.
For safety's sake I'd like you to delete that program and its folder C:\Deckard


I see, thanks for letting me know then. All removed now.

If I would learn to type -- it might come out better... :|


:)

Instead of:

cd c:\
dir a:/h

It is:

cd c:\
dir /a:h

That will show you hidden files in c:\
The /a switch is for searching for files with a specific attribute (hidden, system, etc)
The :h -- I am searching for hidden.

You can see all the switches and so on for the dir command if you do dir /?
The /? switch gives you the 'help' list.

Yes -- there are normally some hidden files in c:\ but there shouldn't be any "autorun.inf"


Ok makes sense now. And worked too! :) No, just kidding here, of course, do forgive. :spacer: Yes, I figured the h would be for listing the hidden files, I was really just missing to get that a in there. Thanks for additional explanation. Anyways, so, no autorun.inf hidden on C:\ (as I could also confirm previously, when having set hidden and system files to show). So, yes, seems like those registry entries are indeed the only remainders from that old RavMon-infection...

And regarding then the current banker trojan infection, ok, roger that to the instructions to run ComboFix. Just a little doubt, before proceeding, though. With regards to the installation of the Recovery Console: I'm a bit uncertain here, about what version of the Microsoft file to get, if the English one, or the Portuguese... :thumbsup: (I don't suppose this is an irrelevant detail, or?...) Doubt comes from the fact that I can't quite understand what version of XP exactly is on this laptop. I mean, sure, I know it's XP Pro SP2 (Media Center Edition), and then yes, I can see on DSS log that the language is identified as being English. But it turns out a bit confusing here, as there is also so much of it (most of it in fact) that is actually in Portuguese... (Funny too, if checking the system info with for example SIW - System Information for Windows, in this case then the language is actually identified as being Portuguese...) Well, for instance desktop items such as "My computer" or "My documents" or the "Recycle bin", or then all of the Start menu, all of these do actually have Portuguese designations... Or in the Control Panel, too, all items do too have Portuguese designations... And if I open any item in there, say, "Add/Remove Programs" or "System" or the "Security Centre", etc etc, all of it is in Portuguese... And all bars and menus wherever in Windows Explorer etc, all are in Portuguese...

But then, when entering for instance the "Documents and Settings" folder, then doubt does come up. Cos there, for instance, the "Administrator" folder is named in English, unlike in our home PC for example, in which it is named in Portuguese. Or within the "User" folder, there it gets even more confusing, cos, say, the "Application Data" and the "Start Menu" folders are named in Portuguese, but then the "Local Settings" and the "Desktop" ones are named in English, whereas in the home PC all of these are all named in Portuguese... Also, one other main folder which is named in English is the "Program Files" one, while in the home PC it is named in Portuguese... Or yet also, going Start > Programs > Accessories, while every other entry in there is in Portuguese, the one of "System Tools" is actually in English... And, say, if opening "System Information" there, while all else in that window is in Portuguese, the window title itself is actually in English...

So in the end I'm just confused, of what should be the appropriate version to get of that Microsoft file, to use for this laptop? Should I just take the majority of evidence and go for the Portuguese file and rather never mind about these English bits there seem to be in this XP installation? Or should this actually be something to concern about and consider, and how and what should I decide for, then?... I pretty much appreciate your advising about this detail as I'm really in doubt here... :) As soon as I get this cleared I'll run ComboFix then to get you the log.

Thanks once more. :spacer:

#10 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:45 PM

Posted 27 August 2008 - 10:03 AM

Me again... :thumbsup:

Say, one other "issue" yet, before proceeding with ComboFix, as I can see in other threads (for ex.: this one) that it does too delete Spybot recovery items. No idea whether this happens for every Spybot recovery item or certain ones only?... I'm asking cos there's actually a couple items in Spybot's recovery which I'd want to be kept as I'd want to restore those later on. (These two items, two reg keys, must be false-positives, I believe, as I believe they do actually relate to a Lexmark printer which is installed in this laptop. Recently my bro did complain that they weren't able to print with that printer any longer, and I believe these two reg keys being removed by Spybot must certainly be what caused the printer to malfunction afterwards. Thus why I'd want to try and restore those Spybot backups, to see if that would solve the printer issue. I suppose they must not be aware of the possibility of false-positives happening with anti-malware scanners, and when Spybot picked those two reg keys on some scan they did, naively they must have chosen to just "fix" them, ignoring the consequences and ignoring that that action would actually "break" the printer. Yet something else I need also to call their attention to, so I see, yea... *sigh*) I wonder then, what should be the best/safest way to go about this: maybe restore those items from Spybot's recovery at once, granting that either way they won't get deleted by ComboFix when it is run?... Or should I never mind and just leave it, as hopefully those items are not among the ones which do get deleted by ComboFix anyway?... Do please advise.

And thank you again. :)

#11 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:05:45 PM

Posted 28 August 2008 - 01:33 AM

Hi :)

I understand your confusion. Now you have me confused. :)
Seems lately that is not hard to do. :thumbsup:

On a more serious note...
I think the English version of the Recovery Console installer will be OK. Just make sure it is the XP Pro SP2 installer you grab.
It does not make a whole lot of changes to the system other than modifying the boot.ini file to allow a choice of booting to the Recovery Console, and adding the cmd loader and a folder to c:\
Kinda like adding another OS (which of course has limited functions but can very well get us out of almost any horrid bind if needed) without the need for a separate partition and such.

As for Spybot quarantined items -- it looks as though CF just targeted true malware that Spybot had quarantined on that other system log you were looking at.
If it does turn out that CF removes those items --- we can use CF to put them back in Spybot's quarantine folder so you can restore items if desired.
They should be fairly easy to spot since Spybot uses the threat names to pin on each quarantine archive.

Thanks :)

#12 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:45 PM

Posted 29 August 2008 - 11:17 AM

Hi Blender :spacer: and thanks for confirmations.

I understand your confusion. Now you have me confused. :)
Seems lately that is not hard to do. :thumbsup:


eheh :) No, but indeed, this is one kinda confusing laptop... Take again the Start Menu for instance: various are the programs that have their 'start menu' folders, not within Start > Programs, but within Start > Programs > Accessories, hmm; I do wonder whether that was all the user's choice during installation, or just how and why those got in there!!... :)

Anyway, so, I have done as instructed. Left Spybot's backups as were (either way in the end ComboFix did not remove any of those). And so I used the English version of the Microsoft file for installing the Recovery Console 'via' ComboFix. Recovery Console installed successfully. ComboFix scan as well completed successfully. Just a couple notes to add though: After completing all scan stages, ComboFix did auto-reboot Windows. (I assume this should be normal to happen?) Upon reboot, and while ComboFix was preparing the log report, the Wireless Net Config Wizard came up. I waited for ComboFix to display the log report and close, and then cancelled the wizard. Also note that, on this reboot, the systray icons for Avast, Sygate Firewall and SpywareGuard did not load. That from Windows Automatic Updates did not come up either (the one referring to SP3 being ready for install). Ok, I went for a new manual reboot, to see whether the Wireless Net Config Wizard would pop up again, as well as whether those 'missing' systray icons would now load. No wizard anymore. And yes, all systray icons, except Avast's, all loaded now. I then re-enabled the protection from SpywareGuard (prior to running ComboFix, along with exiting Sygate Firewall and disabling Avast's resident protection, not only had I exited SpywareGuard as well, as I had beforehand also actually disabled the protection from it, of course), which at once popped up a series of warnings about a bunch of IE pages having been changed (changed/reset by ComboFix, yes, I know). As all 'old pages' were legit anyway, I chose to restore all of those.

Then again, and back again to Avast, and the fact that its systray icon still didn't load, well, I went to check in Windows Task Manager, and all other Avast related processes were/are actually there (ashServ.exe + ashWebSv.exe + ashMaiSv.exe + aswUpdSv.exe, i.e. all services), except indeed ashDisp.exe. I did boot another couple times, to see whether that might eventually end up loading, but, nope, still no ashDisp.exe loading, still no Avast systray icon. (The \Run entry in the registry for it just vanished! I even went to check on msconfig, whether it might eventually just have gotten disabled. But no, it's indeed gone.) No idea why that came up as a result from running ComboFix?... I mean, nothing that a re-install of Avast won't resolve, of course. But still, odd, no?... Should it be a sign for concern at all, or?... (I was even thinking about trying to manually load ashDisp.exe from C:\Program Files\Alwil Software\Avast4\, to see whether that would bring back the systray icon. But neither I'm sure whether this would be recommendable to do, as also I don't suppose either this alone would solve it for the missing \Run reg key, don't suppose just the fact of loading ashDisp.exe would re-create the entry in the registry for it to load on system startup, so... Maybe the easiest/best way to go is to simply re-install Avast from scratch anyway...)

Still on ComboFix, I see it deleted the banker trojan related file C:\Progresso.exe. (Meaning then that the only one (?) of this banker trojan infection related files which is now still left is that 0 bytes file C:\Wininet. I wonder whether I can/should manually delete this last one at once, or?...) Seems all those remainder infection related reg keys also got taken care of by ComboFix. I did a new RegSearch for gbpdist + gbpservice + the BHO id d9ad1747-7b19-4dea-bc02-0ab12c4fc468 to check, and log came empty now.

I also did a new registry search for ravmon, and strings referring to this do still remain (as also reported by ComboFix):

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3133a370-9d94-11db-ad9d-0018de978965}\Shell\Auto\command]
@="G:\\RavMon.exe e"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{3133a370-9d94-11db-ad9d-0018de978965}\Shell\AutoRun\command]
@="C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e"


On a side note, yet something else that also caught my attention in ComboFix's report was this entry in the "Supplementary Scan" section:

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.live.com/

I went to check Firefox's homepage, and indeed that is http://www.live.com/. (And yet I wonder why in ComboFix's report that shows as hxxp?!... Just a way to get hyperlink disabled or?...) Hmm, I wonder whether this was deliberately changed by the user (rather doubt it) or eventually maybe set by IE, when they upgraded from IE6 to IE7?... (Which in turn also leaves me wondering, whether then IE does actually 'hijack' Firefox's homepage, lol?!...)

All in all, I'm pasting next the log report from ComboFix, for your review. And so I'll stand-by for any further instructions to follow.

Thank you greatly, one time again, for your time and help. :spacer:


----------


ComboFix log report


ComboFix 08-08-27.06 - SONIA 2008-08-28 15:45:35.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1605 [GMT 1:00]
Running from: C:\Documents and Settings\SONIA\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\SONIA\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Progresso.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GBPDIST


((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-28 15:49 . 2003-07-29 03:18 3,839 --a------ C:\WINDOWS\system32\drivers\GETPADD.sys
2008-08-21 15:46 . 2008-08-21 15:46 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-08-16 11:15 . 2008-05-01 15:30 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-17 14:01 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-17 14:01 17,144 ----a-w C:\WINDOWS\system32\drivers\mbam.sys
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 21:10 36,552 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 21:09 563,912 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 21:09 325,832 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 21:09 205,000 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
2008-07-18 21:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 21:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-07-17 18:48 --------- d-----w C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 18:48 --------- d-----w C:\Documents and Settings\SONIA\Application Data\Malwarebytes
2008-07-17 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
2008-07-02 10:14 --------- d-----w C:\Program Files\Atrativa Games
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
2008-06-24 09:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 17:41 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINDOWS\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
2008-03-16 16:31 0 ----a-w C:\Program Files\temp01
2008-01-31 17:42 25,792 ----a-w C:\Documents and Settings\SONIA\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-16 02:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 15:06 68856]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 15:25 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HControl"="C:\WINDOWS\ATK0100\HControl.exe" [2006-02-22 21:40 106496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-11-21 08:51 7335936]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"RemoteControl"="C:\Program Files\ASUSTeK\ASUSDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-10-20 23:26 761945]
"Wireless Console 2"="C:\Program Files\Wireless Console 2\wcourier.exe" [2005-10-17 17:09 987136]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-04-14 11:51 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-04-14 11:52 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2006-04-14 11:56 569413]
"Power_Gear"="C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe" [2006-03-06 17:13 86016]
"ASUS Live Update"="C:\Program Files\ASUS\ASUS Live Update\ALU.exe" [2006-02-21 15:20 180224]
"ABLKSR"="C:\WINDOWS\ABLKSR\ABLKSR.exe" [2006-01-02 19:14 61440]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54 282624]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 17:45 286720]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 05:10 98304]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 08:11 290816]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-10-15 19:40 2577632]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728]
"nwiz"="nwiz.exe" [2005-11-21 08:51 1519616 C:\WINDOWS\system32\nwiz.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-06 05:39 14850560 C:\WINDOWS\RTHDCPL.EXE]
"SMSERIAL"="sm56hlpr.exe" [2005-05-26 16:12 544768 C:\WINDOWS\sm56hlpr.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-16 02:00 15360]

C:\Documents and Settings\SONIA\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ASUS ChkMail.lnk - C:\Program Files\ASUS\Asus ChkMail\ChkMail.exe [2006-11-14 20:27:37 32768]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 11:01:04 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-07-17 19:09 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-07-19 15:35]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-07-19 15:37]
S3 GTF32BUS;GT F32 BUS;C:\WINDOWS\system32\DRIVERS\gtf32bus.sys [2005-09-01 17:54]
S3 GTPTSER;GT PT SER;C:\WINDOWS\system32\DRIVERS\gtptser.sys [2005-09-01 17:54]
S3 GTSCSER;GT SC SER;C:\WINDOWS\system32\DRIVERS\gtscser.sys [2005-08-29 15:45]
S3 odysseyIM4;Odyssey Network Agent Miniport;C:\WINDOWS\system32\DRIVERS\odysseyIM4.sys [2004-09-03 16:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]
\Shell\Auto\command - G:\RavMon.exe e
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMon.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca0-1879-11dd-aff9-0018de978965}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca1-1879-11dd-aff9-0018de978965}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ab0245e-1a8e-11dd-affd-0018de978965}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca3d208-21eb-11dd-b003-0018de978965}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ccbecc-1877-11dd-aff8-0018de978965}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba76-1873-11dd-aff7-0018de978965}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba77-1873-11dd-aff7-0018de978965}]
\Shell\AutoRun\command - F:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5a23f4-314a-11dd-b01a-0018de978965}]
\Shell\AutoRun\command - F:\AutoRun.exe
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\SONIA\Application Data\Mozilla\Firefox\Profiles\mm5jyiy0.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.live.com/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-28 15:49:14
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\EVTENG.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\S24EVMON.EXE
C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASWUPDSV.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\PROGRAM FILES\GRISOFT\AVG ANTI-SPYWARE 7.5\GUARD.EXE
C:\WINDOWS\EHOME\EHRECVR.EXE
C:\WINDOWS\EHOME\EHSCHED.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
C:\WINDOWS\SYSTEM32\NVSVC32.EXE
C:\PROGRAM FILES\INTEL\WIRELESS\BIN\REGSRVC.EXE
C:\WINDOWS\EHOME\MCRDSVC.EXE
C:\WINDOWS\ATK0100\ATKOSD.EXE
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2008-08-28 15:51:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 14:51:32

Pre-Run: 27,297,579,008 bytes free
Post-Run: 27,212,972,032 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

197 --- E O F --- 2008-08-17 20:02:57


----------

Edited by DeLuk, 29 August 2008 - 12:11 PM.


#13 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  •  
  • Location:Ontario
  • Local time:05:45 PM

Posted 31 August 2008 - 04:21 PM

Hi and thanks for the logs. :thumbsup:

In regards to this:

FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.live.com/

Yes -- CF shows it as hxxp to make it safe for us --
Sometimes malicious URLs are in logs and since CF has no way to tell if it is a safe link or not -- sUBs replaces the tt with xx so we don't accidentally click on possible bad links & get infected.
In this case though that live.com link is OK.

Avast icon missing...
I'll try to fix it with CF .. if that doesn't work we can run a reg fix manually to fix it rather than having to re-install the whole app.
I've seen that entry disappear with CF runs before. Not sure what is doing it but it is fairly easy to fix.

C:\Wininet
You can either delete that file or leave it -- if it is 0 bytes it won't do anything as it needs the rest of the infection to do anything.

File I would like you to check for me if possible please.

C:\WINDOWS\system32\drivers\GETPADD.sys

Upload here?:

http://www.virustotal.com/en/indexf.html

Let me know results.

Just not quite enough info about it and would like to find a bit more.
I'll also have CF try telling me what it is.

We can remove remnants now & I am having CF tell me what is in this funny looking folder and try to get me details on this new driver file I see.
I'll also clear out those mountpoints2 entries to remove remnants of flashdrive infection and all those instances of autorun.exe.
If autorun.exe is legit -- it will be recreated next time you plug in the usb device that has it so no issue removing it.

Copy the following text to a new notepad file.

dirlook::
C:\Program Files\temp01
filelook::
C:\WINDOWS\system32\drivers\GETPADD.sys

registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca0-1879-11dd-aff9-0018de978965}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca1-1879-11dd-aff9-0018de978965}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ab0245e-1a8e-11dd-affd-0018de978965}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca3d208-21eb-11dd-b003-0018de978965}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ccbecc-1877-11dd-aff8-0018de978965}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba76-1873-11dd-aff7-0018de978965}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba77-1873-11dd-aff7-0018de978965}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5a23f4-314a-11dd-b01a-0018de978965}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"

Save it to desktop as cfscript.txt

Temporarily disable antimalware apps.
Drag CFScript on top of combofix.exe & let it do its thing.
It will produce a log when finished.

Please post the log.

Let me know if Avast icon returned please.

Thanks :)

#14 DeLuk

DeLuk
  • Topic Starter

  • Members
  • 228 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Portugal
  • Local time:10:45 PM

Posted 01 September 2008 - 08:29 AM

Hi Blender, and thanks for the new reply.

Couple notes/doubts here, before proceeding with applying CFScript.

Regarding: C:\WINDOWS\system32\drivers\GETPADD.sys

Yes, I was also curious about it when checking the ComboFix report. (I googled for info about it, but couldn't find much either. Mostly it seems such a file "getpadd.sys" relates to ASUS... It being located in C:\WINDOWS\system32\drivers\ makes it a bit more dubious though...) And I did go to the drivers dir to check, as I meant to have the file scanned, but it actually wasn't there, not anymore anyway. I see I should've mentioned this to you at once in my previous post, my bad. Anyway, I did check for it now again, but no, no such file C:\WINDOWS\system32\drivers\GETPADD.sys appears to exist. (I did, of course, have hidden and system files showing.) The only "getpadd" files found on the laptop are the following:

C:\WINDOWS\ABLKSR\GETPADD.SYS
C:\Program Files\ASUS\WinFlash\GETPADD.sys
C:\Program Files\ASUS\WinFlash\GETPADD.VXD


I had each of these scanned at VirusTotal in any case, just to double confirm. All three came clean. (If you still wish to check the scan reports, I'll leave you the temp report links: GETPADD.SYS, GETPADD.sys, GETPADD.VXD.)

Further properties info for each of the .sys files, if at all useful:

C:\WINDOWS\ABLKSR\GETPADD.SYS

Description: Allocate memory and get physical address.
Copyright: Copyright ©
Original file name: GETPADD.sys
Product name: Windows ® 2000 DDK driver
Internal name: GETPADD.sys
File version: 1.0.0.0
Product version: 5.00.2195.1620

C:\Program Files\ASUS\WinFlash\GETPADD.sys

Description: Allocate memory and get physical address.
Copyright: Copyright © AsusTek Computer. 1992-2001
Company: AsusTek Computer Inc.
Original file name: GETPADD.sys
Product name: getpadd.sys
Internal name: GETPADD.sys
File version: 1043.5.15.1
Product version: 1043.3.5.15

-----

Apart from this, there really seems to be no trace of file C:\WINDOWS\system32\drivers\GETPADD.sys whatsoever... Could it just have been created temporarily for some reason, by some of those other "getpadd" related legit files perhaps?...

Something else also. Regarding: C:\Program Files\temp01

Yes, was curious about this one too. But then, say, you mention this as being a folder?... Ok now you have me confused! :) Windows says this is a file (0 bytes, as also reported by ComboFix)?... :thumbsup: (Speaking of which, this actually would bring me to yet one more of my silly "extra" doubts, if I may?... :) Still regarding ComboFix logs: in the info it displays for files/folders, I do wonder what those letters in there stand for? I mean, such as this: ----a-w or this: d-----w. I'd guess that's the files/folders attributes, correct? And thus d would be for "directory", yes? And a for "archive"? Hmm, and the w, I'm missing to get what this would be?... Then again, again guessing that each of those - in there stands for an eventual letter, what then are the other letters that may appear in there, apart from the d, a, w, and I suppose obviously the h for "hidden" and the s for "system"; there are two more - left?...)

So, bottom line here, I wonder whether any of this, i.e. the fact that the file C:\WINDOWS\system32\drivers\GETPADD.sys doesn't actually exist, as well as the fact that C:\Program Files\temp01 seemingly is a file and not a folder (?), I wonder whether any of this would imply you having to get CFScript changed, or?... Please let me know, if any changes. I'll apply the script then, accordingly.

Thank you.


P.S. BTW C:\Wininet deleted now. Being infection related, then certainly no reason for it to stay. :)

Edited by DeLuk, 01 September 2008 - 08:30 AM.


#15 Blender

Blender

    I will eat your Malware


  • Malware Response Team
  • 2,363 posts
  • OFFLINE
  • Location:Ontario
  • Local time:05:45 PM

Posted 01 September 2008 - 04:33 PM

Hi :)

Thanks for the info.
It does appear that file would be legit.
It likely gets created> loads> then is deleted from the drivers folder location.
There are a few drivers that do that -- they are only loaded in memory.
Daemon Tools is one such example.
Daemon Tools creates a semi-random driver file > loads it > deletes the file.
This causes alarms in rootkit detectors all the time. lol

The "w" you see in lines like this:

2008-08-17 14:01 38,472 ----a-w C:\WINDOWS\system32\drivers\mbamswissarmy.sys

means "writable"

The line above...
Date> time> file size> attributes are "archived & writable" > file location.

No need to adjust that CFScript ..
In fact we don't need it.
Since that driver file is legit & that "folder" is really a 0 byte file -- doing dirlook is completely pointless.
Guess I didn't have my glasses on when I looked at that one. :thumbsup:

That temp01 file is likely infection related so you can prolly delete it.

Scrap the CFScript you created (if you did) and we'll make a reg fix instead.

Copy the following text to a new notepad file.
Make sure "wordwrap" is off.

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca0-1879-11dd-aff9-0018de978965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4539aca1-1879-11dd-aff9-0018de978965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ab0245e-1a8e-11dd-affd-0018de978965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7ca3d208-21eb-11dd-b003-0018de978965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c5ccbecc-1877-11dd-aff8-0018de978965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba76-1873-11dd-aff7-0018de978965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d395ba77-1873-11dd-aff7-0018de978965}]

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fb5a23f4-314a-11dd-b01a-0018de978965}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
; a literal backslash inside quoted .reg string data must be written as \\
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

Save it as file name fix.reg as file types: all files and save it to the desktop.

Disable antimalware programs temporarily.
Right-click the fix.reg you just created & click "Merge".
OK it > you should get a success message.

That will clear out the funky mountpoints2 entries & should restore your Avast icon.

Reboot

Let me know if your Avast icon is back & post a fresh Hijackthis log please.

Let me know how the system is running.
Have all your icons still?

Thanks :)
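The fix.reg above is a REGEDIT4 script: a [-Key] section deletes that key, a [Key] section opens or creates it, and a "name"="data" line underneath sets a REG_SZ value. Before merging a fix like this it is worth seeing exactly which keys it will delete and which values it will write, and catching the classic .reg mistake of single backslashes inside quoted string data (the format requires `\\` for a literal backslash). The following is an added example written for this page, not code from the thread or from ComboFix/regedit: a small linter that parses a .reg script into a list of operations and warns about unescaped backslashes. The two embedded scripts are constructed from the thread's own entries (trimmed to one MountPoints2 key and the avast! Run value), once as posted and once with the backslashes doubled. Its treatment of an unescaped backslash, as an escape of the following character so that the backslash itself is lost, is this example's assumption about the format, stated in the code.

```python
"""Lint a REGEDIT4 / .reg fix script before merging it.

Added example, not code from the thread. Assumed .reg syntax: a header line,
[Key] sections that create/open a key, [-Key] sections that delete a key,
"name"="data" lines that set a REG_SZ value, "name"=- lines that delete a
value, and ';' comment lines. Inside a quoted string a literal backslash must
be written as \\\\ and a quote as \\"; this linter treats any other backslash
as an escape of the following character, so the backslash itself is lost.
"""
from dataclasses import dataclass, field
from typing import List, Optional
import re

SECTION_RE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"\s*=\s*(.*)$')
HEADERS = ('REGEDIT4', 'Windows Registry Editor Version 5.00')


@dataclass
class RegOp:
    kind: str                 # delete_key | create_key | set_value | delete_value
    key: str
    name: Optional[str] = None
    data: Optional[str] = None
    warnings: List[str] = field(default_factory=list)


def unescape(s: str):
    """Decode a quoted .reg string. Returns (decoded_text, warnings)."""
    out, warnings, i = [], [], 0
    while i < len(s):
        if s[i] != '\\':
            out.append(s[i])
            i += 1
            continue
        if i + 1 == len(s):
            warnings.append('trailing backslash')
            break
        nxt = s[i + 1]
        if nxt not in '\\"':
            warnings.append(f'unescaped backslash before {nxt!r}: write \\\\ for a literal backslash')
        out.append(nxt)       # assumption: the backslash itself never reaches the registry
        i += 2
    return ''.join(out), warnings


def parse_reg(text: str) -> List[RegOp]:
    """Return the registry operations a .reg script would perform, in order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError('missing REGEDIT4 / Windows Registry Editor header')
    ops: List[RegOp] = []
    current: Optional[str] = None      # key that following value lines apply to
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        m = SECTION_RE.match(line)
        if m:
            minus, key = m.groups()
            current = None if minus else key   # values under a [-Key] are never written
            ops.append(RegOp('delete_key' if minus else 'create_key', key))
            continue
        if current is None:
            raise ValueError(f'value line outside a [Key] section: {line}')
        if line.startswith('@='):              # the (Default) value
            name, rhs = '', line[2:]
        else:
            m = VALUE_RE.match(line)
            if not m:
                raise ValueError(f'unparsed line: {line}')
            name, _ = unescape(m.group(1))
            rhs = m.group(2)
        rhs = rhs.strip()
        if rhs == '-':
            ops.append(RegOp('delete_value', current, name))
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            data, warns = unescape(rhs[1:-1])
            ops.append(RegOp('set_value', current, name, data, warns))
        else:                                  # dword:, hex:, ... kept as written
            ops.append(RegOp('set_value', current, name, rhs))
    return ops


def lint(text: str) -> List[str]:
    """Every warning in a script, prefixed with the key and value it concerns."""
    return [f'{op.key} [{op.name}]: {w}' for op in parse_reg(text) for w in op.warnings]


# Constructed sample: the thread's fix.reg trimmed to two keys, with the single
# backslashes exactly as posted, and the same script with them doubled.
AS_POSTED = r'''REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3133a370-9d94-11db-ad9d-0018de978965}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"
'''
CORRECTED = AS_POSTED.replace(r'"C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe"',
                              r'"C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"')

if __name__ == '__main__':
    for label, script in (('as posted', AS_POSTED), ('corrected', CORRECTED)):
        print(f'--- {label}')
        for op in parse_reg(script):
            extra = f'  {op.name!r} -> {op.data!r}' if op.name is not None else ''
            print(f'{op.kind:12} {op.key}{extra}')
        for w in lint(script):
            print('WARNING:', w)
```

Run as a script it prints the three operations for each version: one delete_key for the MountPoints2 GUID, one create_key for the Run key, and one set_value for avast!. For the as-posted text the decoded data comes out without any path separators and four warnings are raised; for the corrected text the data decodes to the intended C:\PROGRA~1\... path with no warnings. The same check applies to a ComboFix registry:: section, which uses the same key and value syntax.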



