ChiolasPT
2009-09-06, 17:59
Greetings
My Spybot S&D detects Virtumonde on my computer. The strangest thing is that the trojan seems "inactive" at the moment (i.e., it doesn't open 200 pages of Firefox or constantly and annoyingly refresh IE) and it only "activates" after I play an online FPS game (I'm not sure I can say the name :lip: ). Is it even possible that it only becomes active after I play? :confused:
Programs I've used:
Spybot S&D: Detects Virtumonde but doesn't fix it (even with reboot)
VundoFix: It doesn't detect Virtumonde (but I suspect it "temporarily fixes" it, that's why I'm writing this message on the infected computer lol)
AdAware: Detected several pieces of spyware and removed them all, but none named Virtumonde
SUPERAntispyware: Same as AdAware...
As I said, Spybot S&D still detects Virtumonde; however, my internet connection is fine (I can even use Firefox again, yay!)
So, is it a fake trojan? Is it "inactive"? How can I remove it?
The HijackThis scan log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48:27, on 05-09-2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18294)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Steam\steam.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.spybot.info/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.tsunami.pt
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1627580B-381F-4559-A366-DD7105901F59} - (no file)
O2 - BHO: (no name) - {187B9613-1CA1-4E9B-A607-C6A50CB6FCC4} - (no file)
O2 - BHO: (no name) - {26E8E5E7-B9ED-4ABB-B33A-35B4BBA9EAA9} - (no file)
O2 - BHO: (no name) - {2727BFF6-11EB-4D3B-A851-F469DA3776E1} - (no file)
O2 - BHO: (no name) - {29A7D4C0-6EB1-4B35-9D12-A48904947F23} - (no file)
O2 - BHO: (no name) - {2A098A87-801C-43AD-BC11-DFEE81600D10} - (no file)
O2 - BHO: (no name) - {329676CE-632E-45A9-B21A-70CA67569788} - (no file)
O2 - BHO: (no name) - {372B15D9-B139-4681-86B3-65C55805362F} - (no file)
O2 - BHO: (no name) - {37EF21A1-0241-4C9B-A5F7-FAE8264CAD81} - (no file)
O2 - BHO: (no name) - {3B50B0B7-07AA-4A14-8BE2-BF1DE1304855} - (no file)
O2 - BHO: (no name) - {3C749B6B-C8F5-40AC-BB12-657051C9EDB1} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {45B6BFFE-EB9F-4DAA-A8D2-B6CDCF6085DA} - (no file)
O2 - BHO: (no name) - {4E253DEF-C5C9-45BA-A365-F88187D219FF} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {568CE01B-19F5-422D-9007-C75AB3022B1A} - (no file)
O2 - BHO: (no name) - {58D13F1A-1412-4C2E-AE5D-99FDDC922826} - (no file)
O2 - BHO: (no name) - {631EB93B-E6A0-418B-9254-8A1D9EA7E1EF} - (no file)
O2 - BHO: (no name) - {68D6FC53-B4AC-4E82-A58C-F01B8B5F08C4} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {87EFFCA7-3328-414D-BED4-AB072D01662F} - (no file)
O2 - BHO: (no name) - {899E0B1B-23FB-47FA-80C1-B0A3F72C2607} - (no file)
O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9CEF3A52-9E84-417D-A53B-E296D48DC93B} - (no file)
O2 - BHO: (no name) - {9F7CB0E6-ADAE-4322-815B-A2522055B52A} - (no file)
O2 - BHO: (no name) - {9F8EFEA3-BE95-4282-BE8C-E417EAC3259E} - (no file)
O2 - BHO: (no name) - {AA9F9D0F-EBD7-4842-9306-44192AF3FA63} - (no file)
O2 - BHO: (no name) - {AC30EBC4-E521-4D9E-8D5B-742A61F95082} - (no file)
O2 - BHO: (no name) - {AC6F8B7E-E6E8-44F1-BC62-4066B369594E} - (no file)
O2 - BHO: (no name) - {B0A99475-30E8-4A6A-83A2-1E8D22E381F0} - (no file)
O2 - BHO: (no name) - {B210EB84-B7D2-493D-9BC5-17CF3BC3DB7A} - (no file)
O2 - BHO: (no name) - {B22B8BF9-108E-4BB7-93F3-882F65EF7CA4} - (no file)
O2 - BHO: (no name) - {B44C79F6-BDAC-4FAE-8074-E70396EB9B0E} - (no file)
O2 - BHO: (no name) - {B938621E-4324-4146-86E9-026D491C6DD9} - (no file)
O2 - BHO: (no name) - {C826356C-F360-4E9A-81E9-81CA817DEE77} - (no file)
O2 - BHO: (no name) - {D6491941-8C66-4651-9C59-5A108D11E75A} - (no file)
O2 - BHO: (no name) - {D941895F-9E2A-4150-9325-EEBC04EDFE37} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {E844CFEA-3520-498B-B73F-21C051D5225E} - (no file)
O2 - BHO: (no name) - {F400EEB0-9C7E-4597-8E08-EC4610D94D4F} - (no file)
O2 - BHO: (no name) - {F9A0FF48-AB74-4240-B2BF-2D526F96062F} - (no file)
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [snpstd] C:\Windows\vsnpstd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [0cda3ea9] rundll32.exe "C:\Users\RICARD~1\AppData\Local\Temp\xmsuafwy.dll",b
O4 - HKCU\..\Run: [BM0fe90d35] Rundll32.exe "C:\Users\RICARD~1\AppData\Local\Temp\kexjdesr.dll",s
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [RunSteam] C:\Program Files\Steam\Steamstart.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'Serviço de rede')
O4 - Startup: GameSpot Download Manager.lnk = C:\Program Files\GameSpot\GameSpotDownloadManager_Win32.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Serviço iPod (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\Windows\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
--
End of file - 10137 bytes
Please help me :sad: