Infected attachments?



Tecolote
2009-10-22, 02:38
Hi,
I recently opened an attachment to a friend's e-mail, and was surprised that it was "empty" (when opened, it only displayed the contents of the directory that contained it, and the contents changed if the directory was changed). After that, all shortcuts to Internet Explorer and Windows Media Player disappeared from my desktop. I tried to look for the executables in the system directories, but they had disappeared too.
Can you help me remove this threat?
Thanks a lot
Tecolote

Sorry, I forgot the log. :oops:
Here we go:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:41:57, on 26/10/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Search Assistant - {F0626A63-410B-45E2-99A1-3F2475B2D695} - C:\Arquivos de programas\SGPSA\BHO.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SGPUpdater] C:\Arquivos de programas\Search Guard PlusU\sgpUpdaters.exe
O4 - HKLM\..\Run: [FBSearch] C:\Arquivos de programas\Search Guard Plus\SearchGuardPlus.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4598 bytes

shelf life
2009-10-27, 22:16
hi Tecolote,

Your log is a few days old. If you still need help just reply to my post and we will begin.

Tecolote
2009-10-27, 22:36
Shell Life,
Thanks for spending your time helping us. I figure that even with some accumulated experience and taking most precautions, you are never 100% protected against those threats.
Shall we?
Thanks once more,
Tecolote

Tecolote
2009-10-27, 22:37
Thank you, shelf life!!!:rolleyes:

shelf life
2009-10-28, 01:42
hi Tecolote,

"Shell Life," no problem, I have been called worse than that.
HJT log looks ok.

I don't recognize any antivirus software in the log. Do you have an updated AV installed? Have you done a scan recently?

I am also not familiar with this:

Search Guard PlusU
Is this something you installed yourself?

We might get a better look for any malware using DDS. Link and directions:

Please download DDS (http://download.bleepingcomputer.com/sUBs/dds.scr) and save it to your desktop.
Disable any script blocking protection. Double click dds.scr to run the tool. When done, DDS.txt will open.
Save both reports to your desktop.
Copy/paste both logs in your reply.

You can also download, install and run Malwarebytes as a check for malware and keep it as an anti-malware app. Link and directions:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click Remove Selected.

A restart of your computer will most likely be required to remove some items. If prompted, select Yes to restart.

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

Tecolote
2009-10-29, 00:11
I don't have any AV installed at the moment. Gonna try a free one later, maybe AVG.
That "Search Guard PlusU" is strange to me. It seems to be a Yahoo search tool. Is it a possible threat? I suspect a little those relationship sites (orkut, meebo, e-buddy) my brother subscribed to; it could be part of their "subscription package". Not sure, though (haven't read their EULA, and that's probably also my brother's case).

Below, the DDS logs.


DDS (Ver_09-10-26.01) - NTFSx86
Run by Pablo at 19:53:37,46 on Wed 28/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.511.279 [GMT -2:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Arquivos de programas\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.br/
uSearch Page =
uSearch Bar =
mSearchAssistant =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\arquivos de programas\arquivos comuns\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\arquivos de programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: Search Assistant: {f0626a63-410b-45e2-99a1-3f2475b2d695} - c:\arquivos de programas\sgpsa\BHO.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\arquivos de programas\messenger\msmsgs.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [SpeedTouch USB Diagnostics] "c:\arquivos de programas\alcatel\speedtouch usb\Dragdiag.exe" /icon
mRun: [Adobe Reader Speed Launcher] "c:\arquivos de programas\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SGPUpdater] c:\arquivos de programas\search guard plusu\sgpUpdaters.exe
mRun: [FBSearch] c:\arquivos de programas\search guard plus\SearchGuardPlus.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\adobeg~1.lnk - c:\arquivos de programas\arquivos comuns\adobe\calibration\Adobe Gamma Loader.exe
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~3\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {5067A26B-1337-4436-8AFE-EE169C2DA79F} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\arquivos de programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\arquivos de programas\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\arquiv~1\micros~3\office11\REFIEBAR.DLL
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\arquiv~1\arquiv~1\skype\SKYPE4~1.DLL

============= SERVICES / DRIVERS ===============

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-6-10 31232]
S2 bajjcbom;skklpopo;c:\windows\system32\svchost.exe -k netsvcs [2006-3-2 14336]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [2009-6-11 36048]

=============== Created Last 30 ================

2009-10-28 21:19:43 4045528 ----a-w- c:\arquivos de programas\mbam-setup.exe
2009-10-28 21:07:40 523776 ----a-w- c:\arquivos de programas\dds.scr
2009-10-26 22:41:29 0 d-----w- c:\arquivos de programas\Trend Micro
2009-10-26 22:36:30 812344 ----a-w- c:\arquivos de programas\HJTInstall.exe
2009-10-20 22:29:08 0 d-----w- c:\windows\system32\Adobe

==================== Find3M ====================

2009-08-25 02:35:53 17695920 ----a-w- c:\arquivos de programas\PDFCreator-0_9_8_setup.exe
2009-08-22 00:11:17 7658952 ----a-w- c:\arquivos de programas\daemon4304-lite.exe
2009-07-31 12:47:04 499712 ----a-w- c:\windows\system32\msvcp71.dll
2009-07-31 12:47:04 348160 ----a-w- c:\windows\system32\msvcr71.dll
2001-11-23 04:08:20 712704 ----a-r- c:\windows\inf\other\AUDIO3D.DLL
2006-03-02 12:00:00 2629632 --sha-r- c:\windows\system32\pmgkaj.dll

============= FINISH: 19:53:46,42 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-10-26.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/6/2009 12:23:22
System Uptime: 28/10/2009 19:01:56 (0 hours ago)

Motherboard: ECS | | M863
Processor: AMD Athlon(tm) XP 2700+ | CPU 1 | 2166/166mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 67,795 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Modem PCI
Device ID: PCI\VEN_1039&DEV_7013&SUBSYS_0C041019&REV_A0\3&267A616A&0&16
Manufacturer:
Name: Modem PCI
PNP Device ID: PCI\VEN_1039&DEV_7013&SUBSYS_0C041019&REV_A0\3&267A616A&0&16
Service:

==== System Restore Points ===================

RP1: 31/7/2009 09:56:01 - System Checkpoint
RP2: 25/1/2005 02:12:44 - System Checkpoint
RP3: 25/1/2005 01:40:42 - System Checkpoint
RP4: 21/8/2009 11:20:49 - System Checkpoint
RP5: 21/8/2009 22:54:41 - SPTD setup V1.58
RP6: 24/8/2009 23:49:57 - System Checkpoint
RP7: 24/8/2009 23:59:17 - PDFCreator printer driver installed
RP8: 25/1/2005 04:23:28 - System Checkpoint
RP9: 25/1/2005 00:28:48 - System Checkpoint
RP10: 27/8/2009 14:10:51 - System Checkpoint
RP11: 25/1/2005 01:09:16 - System Checkpoint
RP12: 25/1/2005 00:17:03 - System Checkpoint
RP13: 3/9/2009 13:00:41 - Installed Microsoft Office Professional Edition 2003
RP14: 25/1/2005 00:19:45 - System Checkpoint
RP15: 12/9/2009 11:45:00 - System Checkpoint
RP16: 17/9/2009 20:00:26 - System Checkpoint
RP17: 25/1/2005 00:54:18 - System Checkpoint
RP18: 25/1/2005 00:38:57 - System Checkpoint
RP19: 24/9/2009 13:34:43 - System Checkpoint
RP20: 25/9/2009 15:42:22 - System Checkpoint
RP21: 25/1/2005 01:43:47 - System Checkpoint
RP22: 30/9/2009 11:55:26 - System Checkpoint
RP23: 25/1/2005 01:57:28 - System Checkpoint
RP24: 25/1/2005 00:57:17 - System Checkpoint
RP25: 2/10/2009 09:10:13 - System Checkpoint
RP26: 25/1/2005 01:55:46 - System Checkpoint
RP27: 7/10/2009 14:05:26 - System Checkpoint
RP28: 8/10/2009 19:50:15 - System Checkpoint
RP29: 25/1/2005 01:50:27 - System Checkpoint
RP30: 10/10/2009 15:15:40 - System Checkpoint
RP31: 25/1/2005 02:56:03 - System Checkpoint
RP32: 17/10/2009 12:39:30 - System Checkpoint
RP33: 25/1/2005 00:24:01 - System Checkpoint

==== Installed Programs ======================

7-Zip 4.42
Adobe Flash Player 10 ActiveX
Adobe Photoshop CS
Adobe Reader 9.1 - Português
Adobe Shockwave Player 11.5
Alcatel SpeedTouch USB Software
Update for Windows XP (KB911164)
C-Media 3D Audio
C-Media WDM Audio Driver
Counter-Strike: Source
DAEMON Tools Toolbar
HijackThis 2.0.2
HP PrecisionScan LTX
Microsoft Office Professional Edition 2003
Microsoft Silverlight
NVIDIA Drivers
PDFCreator
PPP over Ethernet Protocol 0.98
Search Guard Plus (My Tattoons)
Search Guard Plus Updater (My Tattoons)
Skype web features
Skype™ 4.1
SModem 1.0
TurboADSL 0.98
Tweak UI
WebFldrs XP
Windows Internet Explorer 8
WOW
Xvid 1.2.1 final uninstall

==== End Of File ===========================

Unfortunately, Malwarebytes refuses to update. The window that pops up lists an error code to be reported to support, but I can't access their website (malwarebytes.org). I have reasons to suspect something is blocking links to security expert sites. I had the same trouble trying to download DDS (I googled it, then downloaded it from cnet) and even HijackThis! I just can't follow these links. Take a look at the full link address:

http://fastbrowsersearch.com/results/gogetit.aspx?fbsa=1&fbsl=10&fbsu=http%3a%2f%2fwsclick.infospace.com%2fclickserver%2f_iceUrlFlag%3d1%3frawURL%3dhttp%253A%252F%252Fwww.malwarebytes.org%252F%260%3d%261%3d0%264%3d64.106.240.196%265%3d201.2.52.61%269%3def04229123c241ccadabf3439c57ca01%2610%3d1%2611%3dmtwb2.intl.amer.br%2613%3dsearch%2614%3d239138%2615%3dmain-title%2617%3d2%2618%3d1%2619%3d0%2620%3d0%2621%3d2%2622%3dzPNkZCx%252FJFI%253D%2640%3doUiFv81HOrmNt3gg4vBBDw%253D%253D%26_IceUrl%3dtrue&fbss=malwarebytes.org&fbsc=mtwb2intl_amer_br

What is this so-called "fastbrowsersearch.com" doing there? Its address always precedes whatever link my iexplorer can't open. I think my PC got hijacked, and this is the reason why the program doesn't update. I think we should attack this hijacker first...

Anyway, I scanned the hard disk with the outdated definitions. The log:

Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 2

28/10/2009 20:57:45
mbam-log-2009-10-28 (20-57-45).txt

Scan type: Full Scan (C:\|)
Objects scanned: 142406
Time elapsed: 18 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

The log was created prior to the manual elimination of one detected hijacker. And the links still won't open.
That's it. I'll await further instructions.
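
The address Tecolote pasted is the search hijacker's redirect wrapped around the real destination: fastbrowsersearch.com hands the click to wsclick.infospace.com, which carries the original target in its rawURL parameter. The Python script below is an added example, not code from the thread, from Search Guard Plus or from any tool mentioned here; it takes that URL as sample input and unwraps it layer by layer so every intermediate host and the final destination become visible. The `is_hijacked` check is my own heuristic, not something the thread describes: the last hop is the site the user asked for, but the first hop belongs to somebody else.

```python
"""Peel apart a search-hijacker redirect to see where a click really goes.
Added example; not code from the thread, from Search Guard Plus or from
any tool mentioned in it."""
from urllib.parse import parse_qs, urlsplit

# Sample input: the address Tecolote posted, which Internet Explorer produced
# for a click on a malwarebytes.org link (split over several lines here).
HIJACKED = (
    "http://fastbrowsersearch.com/results/gogetit.aspx?fbsa=1&fbsl=10&fbsu="
    "http%3a%2f%2fwsclick.infospace.com%2fclickserver%2f_iceUrlFlag%3d1%3frawURL%3d"
    "http%253A%252F%252Fwww.malwarebytes.org%252F%260%3d%261%3d0%264%3d64.106.240.196"
    "%265%3d201.2.52.61%269%3def04229123c241ccadabf3439c57ca01%2610%3d1"
    "%2611%3dmtwb2.intl.amer.br%2613%3dsearch%2614%3d239138%2615%3dmain-title"
    "%2617%3d2%2618%3d1%2619%3d0%2620%3d0%2621%3d2%2622%3dzPNkZCx%252FJFI%253D"
    "%2640%3doUiFv81HOrmNt3gg4vBBDw%253D%253D%26_IceUrl%3dtrue"
    "&fbss=malwarebytes.org&fbsc=mtwb2intl_amer_br"
)


def unwrap_redirect(url, max_depth=10):
    """Return the redirect chain, outermost URL first.

    Each layer is found by looking for a query parameter whose decoded value
    is itself an absolute http(s) URL; parse_qs does one level of
    percent-decoding per layer, which is exactly how nested redirectors
    encode their payload.  max_depth guards against a self-referencing loop.
    """
    chain = [url]
    for _ in range(max_depth):
        query = urlsplit(chain[-1]).query
        nested = [
            value
            for values in parse_qs(query, keep_blank_values=True).values()
            for value in values
            if value.lower().startswith(("http://", "https://"))
        ]
        if not nested:
            break
        chain.append(nested[0])
    return chain


def hop_hosts(url):
    """Lower-cased host name of every hop in the chain."""
    return [urlsplit(hop).hostname or "" for hop in unwrap_redirect(url)]


def is_hijacked(url, requested_host):
    """Heuristic (my own): the chain ends at the site the user asked for,
    but the first request goes to a different host."""
    hosts = hop_hosts(url)
    wanted = requested_host.lower()
    return len(hosts) > 1 and hosts[-1] == wanted and hosts[0] != wanted


if __name__ == "__main__":
    for depth, hop in enumerate(unwrap_redirect(HIJACKED)):
        print(f"{depth}: {hop[:90]}{'...' if len(hop) > 90 else ''}")
    print("hosts:", hop_hosts(HIJACKED))
    print("hijacked:", is_hijacked(HIJACKED, "www.malwarebytes.org"))
```

Run it against any link that "will not open": a chain longer than one hop whose first host is not the one typed means the request is being rerouted on the machine itself, which fits a search-provider or BHO hijack rather than a site that is actually down.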

shelf life
2009-10-29, 01:04
hi,

Thanks for all the information. Let's start by getting rid of Search Guard Plus; it's garbage.

At the link below, read what's under each of the tabs. Follow along to remove it and reset the IE 8.0 search provider.
After all is done, reboot and see if your browsing and searches are OK now.

Link:

http://www.searchguardplus.com/default.aspx

Tecolote
2009-10-31, 02:57
This Search Guard really sucks. After uninstallation, and following all of their site's instructions, it was still the default search provider. Can I wipe it out?
There was a single improvement: the download link to DDS now works. The others (malwarebytes.org, Trend Micro's HJT) still won't open. Seems like their sites are blacklisted... Is something crawling deeper in my PC? :ninja:

shelf life
2009-10-31, 16:22
hi,

With IE open, go to Tools > Internet Options, click on the Programs tab, then on Manage add-ons. See if you can delete/remove the search provider that way.
Next, under the Advanced tab, click on the Reset button, then click Apply and OK. Close and restart IE. We will do an online scan, then get another download to use.

You really should get an antivirus installed as soon as possible.

You can do an online scan here:

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done, you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.


We will get another download to use. It's called ComboFix. There is a guide to read first. Read the guide, download ComboFix to your desktop, double click the icon and follow the prompts. Post the log in your reply:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Tecolote
2009-11-01, 19:13
I manually removed SafeGuardPlus via the Tools option. But is it surely removed? If it didn't disappear the first time, via Control Panel, why should we believe it's gone now?

I also reset the IE configuration to all default settings, and erased all temporary files, forms, user names and passwords, but there are still web pages not opening, including the ESET online scanner.

Will post the Combofix log in the next reply.

Tecolote
2009-11-01, 19:41
Phooey! I crossed my fingers when prompted to download the Windows Recovery Console, afraid the same would happen as with MalwareBytes. Luckily it didn't.
Here's the log:

ComboFix 09-10-30.01 - Pablo 01/11/2009 16:22.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.511.342 [GMT -2:00]
Running from: c:\arquivos de programas\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AUTOLNCH.REG

.
(((((((((((((((( Files Created from 2009-10-01 to 2009-11-01 ))))))))))))))))))))))))))))
.

2009-11-01 17:47 . 2009-11-01 17:47 3430299 ----a-r- c:\arquivos de programas\ComboFix.exe
2009-10-28 22:12 . 2009-10-28 22:12 -------- d-----w- c:\documents and settings\Pablo\Dados de aplicativos\Malwarebytes
2009-10-28 22:12 . 2009-09-10 16:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 22:12 . 2009-10-28 22:58 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-10-28 22:12 . 2009-10-28 22:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-10-28 22:12 . 2009-09-10 16:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 21:07 . 2009-10-28 21:07 523776 ----a-w- c:\arquivos de programas\dds.scr
2009-10-26 22:41 . 2009-10-26 22:41 -------- d-----w- c:\arquivos de programas\Trend Micro
2009-10-26 22:36 . 2009-10-26 22:36 812344 ----a-w- c:\arquivos de programas\HJTInstall.exe
2009-10-20 22:29 . 2009-10-20 22:38 -------- d-----w- c:\windows\system32\Adobe

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 22:09 . 2009-10-28 22:09 3637 ----a-w- c:\arquivos de programas\Attach 28-10-09.txt
2009-10-28 22:08 . 2009-10-28 22:08 4792 ----a-w- c:\arquivos de programas\DDS 28-10-09.txt
2009-08-25 02:35 . 2009-08-25 02:35 17695920 ----a-w- c:\arquivos de programas\PDFCreator-0_9_8_setup.exe
2009-08-22 01:54 . 2009-08-22 01:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-22 00:11 . 2009-08-22 00:11 7658952 ----a-w- c:\arquivos de programas\daemon4304-lite.exe
2006-03-02 12:00 . 2006-03-02 12:00 2629632 --sha-r- c:\windows\system32\pmgkaj.dll
.

(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SpeedTouch USB Diagnostics"="c:\arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-21 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Counter-Strike Source\\hl2.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7052:TCP"= 7052:TCP:bsghgv

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/6/2002 01:09 31232]
S2 bajjcbom;skklpopo;c:\windows\system32\svchost.exe -k netsvcs [2/3/2006 10:00 14336]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [11/6/2009 13:58 36048]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bajjcbom
.
Contents of the 'Scheduled Tasks' folder

2009-11-01 c:\windows\Tasks\User_Feed_Synchronization-{D289D6EF-4B0A-4DFC-B9BF-F2CAC5492AA5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 06:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com.br/
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-DAEMON Tools Toolbar - c:\arquivos de programas\DAEMON Tools Toolbar\uninst.exe
AddRemove-Xvid_is1 - c:\arquivos de programas\Xvid\unins000.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 16:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bajjcbom]
"ServiceDll"="c:\windows\system32\pmgkaj.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\COMRes.dll
.
Completion time: 2009-11-01 16:25
ComboFix-quarantined-files.txt 2009-11-01 18:25

Pre-Run: 6 folder(s) 73.323.630.592 bytes free
Post-Run: 8 folder(s) 73.427.718.144 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F01964B5FC42ED5412FE6F9DB598A01A
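
Three things in this ComboFix log are what a responder would circle: a service named bajjcbom running as svchost.exe -k netsvcs with the equally random display name skklpopo; its ServiceDll c:\windows\system32\pmgkaj.dll, which carries the hidden and system attributes (--sha-r-) and the same 2006-03-02 timestamp as the Windows files around it (compare CTFMON.EXE in the same log); and a globally open firewall port 7052/TCP labelled bsghgv. The Python script below is an added example, not part of the thread or of ComboFix or DDS; it runs those checks over the relevant log lines (copied from the post as sample input) so the same triage can be repeated on other DDS/ComboFix output. The netsvcs allowlist is my abridged list of the services Windows XP SP2 normally hosts in that group and is an assumption to adjust from a known-clean machine of the same build; the random-name heuristic is mine as well.

```python
"""Triage a DDS/ComboFix log for svchost-hosted services that do not belong,
hidden+system files in system32, and firewall holes with random labels.
Added example; not from the thread, DDS or ComboFix."""
import re

# Services Windows XP SP2 normally hosts in the "netsvcs" svchost group.
# ASSUMPTION: abridged from memory; extend it from a known-clean machine of
# the same build before trusting a "not in baseline" verdict.
NETSVCS_BASELINE = {
    "appmgmt", "audiosrv", "bits", "browser", "cryptsvc", "dmserver", "ersvc",
    "eventsystem", "fastuserswitchingcompatibility", "helpsvc", "hidserv",
    "ias", "iprip", "irmon", "lanmanserver", "lanmanworkstation", "messenger",
    "netman", "nla", "ntmssvc", "nwcworkstation", "nwsapagent", "rasauto",
    "rasman", "remoteaccess", "schedule", "seclogon", "sens", "sharedaccess",
    "shellhwdetection", "srservice", "tapisrv", "termservice", "themes",
    "trkwks", "uploadmgr", "w32time", "winmgmt", "wmdmpmsp", "wmi", "wscsvc",
    "wuauserv", "wzcsvc", "xmlprov",
}

# "S2 name;display name;image path [date size]" service/driver lines
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[[^\]]*\]\s*$")
# "[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\name]" then "ServiceDll"
SERVICE_KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\System\\ControlSet\d+\\Services\\([^\]]+)\]$")
SERVICE_DLL_RE = re.compile(r'^"ServiceDll"="(.+)"$')
# '"7052:TCP"= 7052:TCP:bsghgv' firewall GloballyOpenPorts entries
OPEN_PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.+)$')
# "... 2629632 --sha-r- c:\windows\system32\pmgkaj.dll" file listing lines
FILE_ATTR_RE = re.compile(r"(\d+)\s+([-a-z]{8})\s+([A-Za-z]:\\.+)$")


def looks_random(name):
    """Heuristic for generated names: lowercase letters only, at least five
    of them, containing a run of four or more consonants."""
    return bool(re.fullmatch(r"[a-z]{5,}", name)) and bool(re.search(r"[^aeiou]{4}", name))


def analyse(lines):
    """Return the suspicious items found in an iterable of log lines."""
    unknown = {}        # netsvcs service name -> display name
    dlls = {}           # service name -> ServiceDll path
    hidden = []         # hidden+system files under system32
    ports = []          # ("port/proto", label) with random-looking labels
    current_key = None  # service name of the last [...\Services\x] header seen
    for raw in lines:
        line = raw.strip()
        if m := SERVICE_RE.match(line):
            _state, name, display, image = m.groups()
            if "-k netsvcs" in image.lower() and name.lower() not in NETSVCS_BASELINE:
                unknown[name.lower()] = display
            continue
        if m := SERVICE_KEY_RE.match(line):
            current_key = m.group(1).lower()
            continue
        if (m := SERVICE_DLL_RE.match(line)) and current_key:
            dlls[current_key] = m.group(1)
            continue
        if m := OPEN_PORT_RE.match(line):
            port, proto, label = m.groups()
            if looks_random(label):
                ports.append((f"{port}/{proto}", label))
            continue
        if m := FILE_ATTR_RE.search(line):
            _size, attrs, path = m.groups()
            # 's' and 'h' in the attribute column mean system + hidden
            if "s" in attrs and "h" in attrs and path.lower().startswith("c:\\windows\\system32\\"):
                hidden.append(path)
    return {
        "unknown_netsvcs": unknown,
        "servicedll": {svc: dll for svc, dll in dlls.items() if svc in unknown},
        "hidden_system_files": hidden,
        "odd_open_ports": ports,
    }


# Sample input: lines copied from the ComboFix log in the post above.
SAMPLE_LOG = r"""
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/6/2002 01:09 31232]
S2 bajjcbom;skklpopo;c:\windows\system32\svchost.exe -k netsvcs [2/3/2006 10:00 14336]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [11/6/2009 13:58 36048]
"7052:TCP"= 7052:TCP:bsghgv
2009-08-22 01:54 . 2009-08-22 01:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2006-03-02 12:00 . 2006-03-02 12:00 2629632 --sha-r- c:\windows\system32\pmgkaj.dll
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bajjcbom]
"ServiceDll"="c:\windows\system32\pmgkaj.dll"
""".strip().splitlines()


if __name__ == "__main__":
    for category, items in analyse(SAMPLE_LOG).items():
        print(f"{category}: {items}")
```

Run against a full log, the four buckets line up into one story, as they do here: an unlisted netsvcs member, the DLL that member loads into a shared svchost, the hidden+system copy of that DLL, and the firewall exception that lets something reach it. That combination is what justified the CFScript in the next post rather than chasing the search redirect on its own.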

shelf life
2009-11-02, 00:10
Thanks for the info. We will use ComboFix.

Click Start, then Run, type Notepad and click OK.
Copy/paste the text in the code box below into notepad:


File::
c:\windows\system32\pmgkaj.dll

NetSvcs::
bajjcbom
skklpopo

Driver::
bajjcbom
skklpopo


Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log.
Please post the new ComboFix log and a new HJT log.

One more download to get:

Download Gmer to your desktop:

http://gmer.net/download.php

Close any running programs.

Double-click the Gmer icon to start Gmer.
If you get a message box that says:

WARNING!!
Gmer has found system modification or rootkit activity.......

it will ask you:
Do you want to fully scan your system?

Select NO.

In the right panel, you will see a bunch of boxes that have been checked. Leave everything checked and ensure the "Show all" box is unchecked.

Now click the Scan button.

Gmer will scan the computer.
If you get a rootkit warning window during the scan, click OK.

When finished, click "Save" to save the log to your desktop.

Copy/paste the saved Gmer log in your reply.

Tecolote
2009-11-02, 19:54
After making updates, Combofix saved this log:

ComboFix 09-11-01.04 - Pablo 02/11/2009 15:27.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.511.361 [GMT -2:00]
Running from: c:\arquivos de programas\ComboFix.exe
Command switches used :: c:\arquivos de programas\CFScript.txt

FILE ::
"c:\windows\system32\pmgkaj.dll"
.

((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\pmgkaj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BAJJCBOM
-------\Service_bajjcbom


(((((((((((((((( Files Created from 2009-10-02 to 2009-11-02 ))))))))))))))))))))))))))))
.

2009-11-02 13:26 . 2009-11-02 13:26 291328 ----a-w- c:\arquivos de programas\4gxjv5ul.exe
2009-11-01 17:47 . 2009-11-02 17:25 3533547 ----a-r- c:\arquivos de programas\ComboFix.exe
2009-10-28 22:12 . 2009-10-28 22:12 -------- d-----w- c:\documents and settings\Pablo\Dados de aplicativos\Malwarebytes
2009-10-28 22:12 . 2009-09-10 16:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 22:12 . 2009-10-28 22:58 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-10-28 22:12 . 2009-10-28 22:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-10-28 22:12 . 2009-09-10 16:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 21:07 . 2009-10-28 21:07 523776 ----a-w- c:\arquivos de programas\dds.scr
2009-10-26 22:41 . 2009-10-26 22:41 -------- d-----w- c:\arquivos de programas\Trend Micro
2009-10-26 22:36 . 2009-10-26 22:36 812344 ----a-w- c:\arquivos de programas\HJTInstall.exe
2009-10-20 22:29 . 2009-10-20 22:38 -------- d-----w- c:\windows\system32\Adobe

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 18:25 . 2009-11-01 18:25 6509 ----a-w- c:\arquivos de programas\ComboFix.txt
2009-11-01 18:25 . 2009-06-11 15:50 6509 ----a-w- c:\arquivos de programas\Log.txt
2009-10-28 22:09 . 2009-10-28 22:09 3637 ----a-w- c:\arquivos de programas\Attach 28-10-09.txt
2009-10-28 22:08 . 2009-10-28 22:08 4792 ----a-w- c:\arquivos de programas\DDS 28-10-09.txt
2009-08-25 02:35 . 2009-08-25 02:35 17695920 ----a-w- c:\arquivos de programas\PDFCreator-0_9_8_setup.exe
2009-08-22 01:54 . 2009-08-22 01:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-22 00:11 . 2009-08-22 00:11 7658952 ----a-w- c:\arquivos de programas\daemon4304-lite.exe
.

(((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SpeedTouch USB Diagnostics"="c:\arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-21 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Counter-Strike Source\\hl2.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7052:TCP"= 7052:TCP:bsghgv

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/6/2002 01:09 31232]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [11/6/2009 13:58 36048]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - mbr
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-11-02 c:\windows\Tasks\User_Feed_Synchronization-{D289D6EF-4B0A-4DFC-B9BF-F2CAC5492AA5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 06:31]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 15:32
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81FDF1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x81fdf1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(1544)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-11-02 15:34 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-11-02 17:34

Pré-execução: 6 pasta(s) 73.390.428.160 bytes disponíveis
Pós execução: 8 pasta(s) 73.367.154.688 bytes disponíveis

- - End Of File - - 01583892E2E9D571064B6964E92FDA82

The new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:15, on 2/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3960 bytes

And Gmer's log:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-02 16:47:34
Windows 5.1.2600 Service Pack 2
Running: 4gxjv5ul.exe; Driver: C:\DOCUME~1\Pablo\CONFIG~1\Temp\pgryauoc.sys


---- System - GMER 1.0.15 ----

SSDT spcc.sys ZwCreateKey [0xF84150E0]
SSDT spcc.sys ZwEnumerateKey [0xF8433CA4]
SSDT spcc.sys ZwEnumerateValueKey [0xF8434032]
SSDT spcc.sys ZwOpenKey [0xF84150C0]
SSDT spcc.sys ZwQueryKey [0xF843410A]
SSDT spcc.sys ZwQueryValueKey [0xF8433F8A]
SSDT spcc.sys ZwSetValueKey [0xF843419C]

INT 0x62 ? 81FDFBF8
INT 0x63 ? 81D5DF00
INT 0x82 ? 81FDFBF8
INT 0x84 ? 81D5DF00
INT 0x94 ? 81D5DF00
INT 0xB4 ? 81D5DF00

---- Kernel code sections - GMER 1.0.15 ----

? spcc.sys O sistema não pode encontrar o arquivo especificado. !
? Combo-Fix.sys O sistema não pode encontrar o arquivo especificado. !
.text USBPORT.SYS!DllUnload F7CF662C 5 Bytes JMP 81D5D4E0
.text amxl75h7.SYS F7CA6386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text amxl75h7.SYS F7CA63AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text amxl75h7.SYS F7CA63C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text amxl75h7.SYS F7CA63C9 1 Byte [30]
.text amxl75h7.SYS F7CA63C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\ComboFix\catchme.sys O sistema não pode encontrar o caminho especificado. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS O sistema não pode encontrar o arquivo especificado. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 81FE12D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8446C4C] spcc.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8446CA0] spcc.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8416042] spcc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F841613E] spcc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84160C0] spcc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8416800] spcc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84166D6] spcc.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8425E9C] spcc.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 81D5D5E0
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlInitUnicodeString] 00021083
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!swprintf] 01B05E00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeSetEvent] 5DE58B5B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 7E8366C3
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 0F740028
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 89320C8D
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmFreeMappingAddress] 0002288B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 46B70F00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 66D00328
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmUnmapIoSpace] 002A7E83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 0C8D1574
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IofCompleteRequest] 248B8932
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 0F000002
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IofCallDriver] 832A46B7
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmAllocateMappingAddress] E08303C0
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 66D003FC
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoConnectInterrupt] 002C7E83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoDetachDevice] 0C8D1E74
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeWaitForSingleObject] 208B8932
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInitializeEvent] 8A000002
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 83880846
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlInitAnsiString] 000001C0
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 2C4EB70F
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoQueueWorkItem] 8303C183
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmMapIoSpace] D103FCE1
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2E7E8366
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoReportDetectedDevice] 8D1C7400
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoReportResourceForDetection] 83893204
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 00000218
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!NlsMbCodePageTag] 2E4EB70F
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoRequestPowerIrp] 021C8B89
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] B70F0000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] E0C12E46
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!sprintf] 03D00304
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0CB389F2
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ObfDereferenceObject] 80000002
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0975013E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 1B42E853
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwClose] C4830000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] B05E5F04
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] E58B5B01
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CCCCC35D
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoStartNextPowerIrp] CCCCCCCC
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoCallDriver] 53EC8B55
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoCreateDevice] 08758B56
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0214BE83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 57000000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwOpenKey] 45C60674
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 1EEB010B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoStartTimer] 020C868B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInitializeTimer] C0850000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoInitializeTimer] 808A1074
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInitializeDpc] 00000804
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInitializeSpinLock] A03CF024
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoInitializeIrp] 0B45950F
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwCreateKey] 45C604EB
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 458A000B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 88C0840B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwSetValueKey] 840F0946
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000C1
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 14B30E8B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoStartPacket] 1C8286C6
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 88010000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C859E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoFreeMdl] A19E8800
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmUnlockPages] C600001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 001C8686
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 86C60100
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 00001CA2
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 70518B01
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8D52006A
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoStartNextPacket] 001C8886
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeBugCheckEx] 55E85000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 8B000023
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeSetTimer] 70518B0E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeCancelTimer] 8D52016A
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!_allmul] 001CA486
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmProbeAndLockPages] 41E85000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!_except_handler3] 8B000023
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoSetPowerState] 18C4830E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 1C8D9E88
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 9E880000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!_aulldiv] 00001CA9
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!strstr] 0E798366
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!_strupr] 74AAB000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeQuerySystemTime] 8186C636
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 1A00001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeTickCount] 1C8386C6
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] C6020000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoDeleteDevice] 001C8E86
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 86C60200
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00001CAA
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateIrp] 959E8802
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateMdl] 8800001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB19E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmLockPagableDataSection] 96868800
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8800001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CB286
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ExFreePoolWithTag] C61AEB00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoFreeIrp] 001C8186
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoFreeWorkItem] 86C61200
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!InitSafeBootMode] 00001C83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlCompareMemory] 8E868801
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!memmove] 001CAA86
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmHighestUserAddress] 80968B00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KfRaiseIrql] 0001BC83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 81FDE1F8
Device \Driver\usbohci \Device\USBPDO-0 81D5C500
Device \Driver\usbohci \Device\USBPDO-1 81D5C500
Device \Driver\usbohci \Device\USBPDO-2 81D5C500
Device \Driver\usbehci \Device\USBPDO-3 81D5A500
Device \Driver\Ftdisk \Device\HarddiskVolume1 81F741F8
Device \Driver\Cdrom \Device\CdRom0 81D5F500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 81FDF1F8
Device \Driver\atapi \Device\Ide\IdePort0 81FDF1F8
Device \Driver\atapi \Device\Ide\IdePort1 81FDF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 81FDF1F8
Device \Driver\sptd \Device\1364220540 spcc.sys
Device \Driver\PCI_PNP1790 \Device\0000003c spcc.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{393D5CA9-E03D-4DAD-84F4-6B1EC36EE3C7} 81D07500
Device \Driver\NetBT \Device\NetBt_Wins_Export 81D07500
Device \Driver\NetBT \Device\NetbiosSmb 81D07500
Device \Driver\usbohci \Device\USBFDO-0 81D5C500
Device \Driver\usbohci \Device\USBFDO-1 81D5C500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81C6B500
Device \Driver\usbohci \Device\USBFDO-2 81D5C500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81C6B500
Device \Driver\usbehci \Device\USBFDO-3 81D5A500
Device \Driver\Ftdisk \Device\FtControl 81F741F8
Device \Driver\amxl75h7 \Device\Scsi\amxl75h71 81C831F8
Device \FileSystem\Cdfs \Cdfs 81C65500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Arquivos de programas\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0xDE 0x83 0x39 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5F 0x86 0x69 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAD 0x88 0x85 0x1C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Arquivos de programas\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0xDE 0x83 0x39 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5F 0x86 0x69 0xD3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAD 0x88 0x85 0x1C ...

---- EOF - GMER 1.0.15 ----

shelf life
2009-11-03, 00:23
OK, thanks for the info. How are things on your end now? Any better? Please run this Gmer tool:

Please download MBR.exe from here ->

http://www2.gmer.net/mbr/mbr.exe

Save the file to your desktop and double-click it.

A new text file will appear on your desktop, created by the tool. Copy and paste the text file in your reply.

Tecolote
2009-11-04, 01:31
Yes! The computer's better. Only the executables didn't return; I'm still opening IE via Start/Run. But at least all the "blacklisted" websites are opening now, and that's very good!

Here's a very short (and also good-looking) MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

shelf life
2009-11-04, 23:00
OK, thanks for the info. You mean you still can't find the IE or Media Player .exe to make a shortcut with?
You can try this to show all files, then look:

For XP: on the desktop, double-click My Computer; at the top click Tools > Folder Options > View, then select "Show hidden files and folders", then uncheck "Hide protected operating system files", also uncheck "Hide extensions for known file types", click Apply to All Folders, then Apply, then OK.



You looked here for the IE .exe:

C:\Program Files\Internet Explorer
You should be able to right-click and drag it to the desktop to make a shortcut.

See if you can do the ESET online scan now also:

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done, you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.
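The same three Folder Options settings from the steps above, applied and audited from the registry with reg.exe instead of the Explorer dialog, as an added example that is not part of shelf life's post or of any tool in this thread. It assumes Windows XP's built-in reg.exe and the standard Explorer "Advanced" value names; the extra CheckedValue query is included because that machine-wide value decides whether the "Show hidden files and folders" radio button actually takes effect.

```batch
@echo off
rem Added example (not from the thread): set and audit the Explorer Folder Options
rem that the steps above walk through in the GUI, using reg.exe instead.
rem Per-user values live under HKCU\...\Explorer\Advanced:
rem   Hidden          1 = show hidden files and folders, 2 = do not show
rem   ShowSuperHidden 1 = show protected operating system files, 0 = hide
rem   HideFileExt     0 = show extensions for known file types, 1 = hide
set "KEY=HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

echo === Before ===
reg query "%KEY%" /v Hidden
reg query "%KEY%" /v ShowSuperHidden
reg query "%KEY%" /v HideFileExt

echo === Applying "show everything" ===
reg add "%KEY%" /v Hidden          /t REG_DWORD /d 1 /f
reg add "%KEY%" /v ShowSuperHidden /t REG_DWORD /d 1 /f
reg add "%KEY%" /v HideFileExt     /t REG_DWORD /d 0 /f

rem The "Show hidden files and folders" radio button only works when this
rem machine-wide value is 1. If it reads 0x0, the GUI setting will not stick;
rem restoring it requires an administrator account.
echo === Radio-button policy value (expected 0x1) ===
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL" /v CheckedValue

echo === After ===
reg query "%KEY%" /v Hidden
reg query "%KEY%" /v ShowSuperHidden
reg query "%KEY%" /v HideFileExt

rem Explorer re-reads these values on restart: log off and back on, or restart
rem explorer.exe, then look in C:\Program Files\Internet Explorer again.
```

Save it as a .cmd file and run it from the affected user account; if the "After" values revert on their own a little later, that is worth noting in the reply, because it means something still running on the machine is changing them back.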

Tecolote
2009-11-10, 09:48
Great! The .exe files reappeared.
I will post the Eset log soon.

tashi
2009-11-29, 08:12
Tecolote this thread has been closed due to inactivity.

As it has been four days or more since your last post, it will not be re-opened.

If you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

This applies only to the original poster; anyone else with similar problems, please start your own topic.

Thank you shelf life.