Infected attachments?

**Tecolote** · 2009-11-01, 19:41

Phooey! I crossed my fingers when prompted to download the Windows Recovery Console, afraid to happen the same like MalwareBytes. Lucky it didn't.
Here's the log:

ComboFix 09-10-30.01 - Pablo 01/11/2009 16:22.1.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.511.342 [GMT -2:00]
Executando de: c:\arquivos de programas\ComboFix.exe
* Criado um novo ponto de restauração
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\AUTOLNCH.REG

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-10-01 to 2009-11-01 ))))))))))))))))))))))))))))
.

2009-11-01 17:47 . 2009-11-01 17:47 3430299 ----a-r- c:\arquivos de programas\ComboFix.exe
2009-10-28 22:12 . 2009-10-28 22:12 -------- d-----w- c:\documents and settings\Pablo\Dados de aplicativos\Malwarebytes
2009-10-28 22:12 . 2009-09-10 16:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 22:12 . 2009-10-28 22:58 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-10-28 22:12 . 2009-10-28 22:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-10-28 22:12 . 2009-09-10 16:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 21:07 . 2009-10-28 21:07 523776 ----a-w- c:\arquivos de programas\dds.scr
2009-10-26 22:41 . 2009-10-26 22:41 -------- d-----w- c:\arquivos de programas\Trend Micro
2009-10-26 22:36 . 2009-10-26 22:36 812344 ----a-w- c:\arquivos de programas\HJTInstall.exe
2009-10-20 22:29 . 2009-10-20 22:38 -------- d-----w- c:\windows\system32\Adobe

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-28 22:09 . 2009-10-28 22:09 3637 ----a-w- c:\arquivos de programas\Attach 28-10-09.txt
2009-10-28 22:08 . 2009-10-28 22:08 4792 ----a-w- c:\arquivos de programas\DDS 28-10-09.txt
2009-08-25 02:35 . 2009-08-25 02:35 17695920 ----a-w- c:\arquivos de programas\PDFCreator-0_9_8_setup.exe
2009-08-22 01:54 . 2009-08-22 01:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-22 00:11 . 2009-08-22 00:11 7658952 ----a-w- c:\arquivos de programas\daemon4304-lite.exe
2006-03-02 12:00 . 2006-03-02 12:00 2629632 --sha-r- c:\windows\system32\pmgkaj.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SpeedTouch USB Diagnostics"="c:\arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-21 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Counter-Strike Source\\hl2.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7052:TCP"= 7052:TCP:bsghgv

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/6/2002 01:09 31232]
S2 bajjcbom;skklpopo;c:\windows\system32\svchost.exe -k netsvcs [2/3/2006 10:00 14336]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [11/6/2009 13:58 36048]

--- =Outros Serviços/Drivers Na Memória ---

*NewlyCreated* - CLASSPNP_2
*NewlyCreated* - MBR
*Deregistered* - CLASSPNP_2
*Deregistered* - mbr

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
bajjcbom
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-11-01 c:\windows\Tasks\User_Feed_Synchronization-{D289D6EF-4B0A-4DFC-B9BF-F2CAC5492AA5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 06:31]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
.
- - - - ORFÃOS REMOVIDOS - - - -

Toolbar-Locked - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
AddRemove-DAEMON Tools Toolbar - c:\arquivos de programas\DAEMON Tools Toolbar\uninst.exe
AddRemove-Xvid_is1 - c:\arquivos de programas\Xvid\unins000.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-01 16:24
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\bajjcbom]
"ServiceDll"="c:\windows\system32\pmgkaj.dll"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'winlogon.exe'(536)
c:\windows\system32\COMRes.dll
.
Tempo para conclusão: 2009-11-01 16:25
ComboFix-quarantined-files.txt 2009-11-01 18:25

Pré-execução: 6 pasta(s) 73.323.630.592 bytes disponíveis
Pós execução: 8 pasta(s) 73.427.718.144 bytes disponíveis

WindowsXP-KB310994-SP2-Home-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - F01964B5FC42ED5412FE6F9DB598A01A

**shelf life** · 2009-11-02, 00:10

thanks for the info. We will use combofix.

Click Start, then Run and type Notepad and click OK.
Copy/paste the text in the code box below into notepad:

Code:

File::
c:\windows\system32\pmgkaj.dll

NetSvcs::
bajjcbom
skklpopo

Driver::
bajjcbom
skklpopo

Name the Notepad file CFScript.txt and Save it to your desktop.
now locate the file you just saved and the combofix icon, both on your desktop
using your mouse drag the CFScript right on top of the combofix icon and release, combofix will run and produce a new log
please post the new combofix log and a new hjt log.

One more download to get:

download Gmer to your desktop:

http://gmer.net/download.php

close any running programs.

doubleclick the gmer icon to start Gmer:
if you get a message box that says:

warning!!
Gmer has found system modification or Rootkit Activity.......

It will ask you:
Do you want to fully scan your system?

select NO

In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.

Now click the Scan button.

gmer will scan computer.
If you get a Rootkit warning window during the scan: click OK

When finished click "Save" to save log to your desktop

Copy/Paste the saved Gmer log in your reply.

**Tecolote** · 2009-11-02, 19:54

After making updates, Combofix saved this log:

ComboFix 09-11-01.04 - Pablo 02/11/2009 15:27.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.55.1046.18.511.361 [GMT -2:00]
Executando de: c:\arquivos de programas\ComboFix.exe
Comandos utilizados :: c:\arquivos de programas\CFScript.txt

FILE ::
"c:\windows\system32\pmgkaj.dll"
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\pmgkaj.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BAJJCBOM
-------\Service_bajjcbom

(((((((((((((((( Arquivos/Ficheiros criados de 2009-10-02 to 2009-11-02 ))))))))))))))))))))))))))))
.

2009-11-02 13:26 . 2009-11-02 13:26 291328 ----a-w- c:\arquivos de programas\4gxjv5ul.exe
2009-11-01 17:47 . 2009-11-02 17:25 3533547 ----a-r- c:\arquivos de programas\ComboFix.exe
2009-10-28 22:12 . 2009-10-28 22:12 -------- d-----w- c:\documents and settings\Pablo\Dados de aplicativos\Malwarebytes
2009-10-28 22:12 . 2009-09-10 16:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-28 22:12 . 2009-10-28 22:58 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-10-28 22:12 . 2009-10-28 22:12 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes
2009-10-28 22:12 . 2009-09-10 16:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 21:07 . 2009-10-28 21:07 523776 ----a-w- c:\arquivos de programas\dds.scr
2009-10-26 22:41 . 2009-10-26 22:41 -------- d-----w- c:\arquivos de programas\Trend Micro
2009-10-26 22:36 . 2009-10-26 22:36 812344 ----a-w- c:\arquivos de programas\HJTInstall.exe
2009-10-20 22:29 . 2009-10-20 22:38 -------- d-----w- c:\windows\system32\Adobe

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-01 18:25 . 2009-11-01 18:25 6509 ----a-w- c:\arquivos de programas\ComboFix.txt
2009-11-01 18:25 . 2009-06-11 15:50 6509 ----a-w- c:\arquivos de programas\Log.txt
2009-10-28 22:09 . 2009-10-28 22:09 3637 ----a-w- c:\arquivos de programas\Attach 28-10-09.txt
2009-10-28 22:08 . 2009-10-28 22:08 4792 ----a-w- c:\arquivos de programas\DDS 28-10-09.txt
2009-08-25 02:35 . 2009-08-25 02:35 17695920 ----a-w- c:\arquivos de programas\PDFCreator-0_9_8_setup.exe
2009-08-22 01:54 . 2009-08-22 01:54 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-08-22 00:11 . 2009-08-22 00:11 7658952 ----a-w- c:\arquivos de programas\daemon4304-lite.exe
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2004-08-04 1667584]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SpeedTouch USB Diagnostics"="c:\arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" [2002-11-12 860672]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Malwarebytes Anti-Malware (reboot)"="c:\arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2006-10-22 1622016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2006-03-02 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Adobe Gamma Loader.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2009-7-21 113664]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Arquivos de programas\\Counter-Strike Source\\hl2.exe"=
"c:\\Arquivos de programas\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Arquivos de programas\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7052:TCP"= 7052:TCP:bsghgv

R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [10/6/2002 01:09 31232]
S3 alcan5ln;Alcatel SpeedTouch(tm) USB ADSL RFC1483 Networking Driver (NDIS);c:\windows\system32\drivers\alcan5ln.sys [11/6/2009 13:58 36048]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - mbr
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-11-02 c:\windows\Tasks\User_Feed_Synchronization-{D289D6EF-4B0A-4DFC-B9BF-F2CAC5492AA5}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 06:31]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-02 15:32
Windows 5.1.2600 Service Pack 2 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81FDF1F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x81fdf1f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(1544)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\imapi.exe
.
**************************************************************************
.
Tempo para conclusão: 2009-11-02 15:34 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-11-02 17:34

Pré-execução: 6 pasta(s) 73.390.428.160 bytes disponíveis
Pós execução: 8 pasta(s) 73.367.154.688 bytes disponíveis

- - End Of File - - 01583892E2E9D571064B6964E92FDA82

The new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:35:15, on 2/11/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe
C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msfeedssync.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Arquivos de programas\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Arquivos de programas\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w3/resources/MSNPUpld.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARQUIV~1\ARQUIV~1\Skype\SKYPE4~1.DLL
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3960 bytes

And Gmer's log:

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-02 16:47:34
Windows 5.1.2600 Service Pack 2
Running: 4gxjv5ul.exe; Driver: C:\DOCUME~1\Pablo\CONFIG~1\Temp\pgryauoc.sys

---- System - GMER 1.0.15 ----

SSDT spcc.sys ZwCreateKey [0xF84150E0]
SSDT spcc.sys ZwEnumerateKey [0xF8433CA4]
SSDT spcc.sys ZwEnumerateValueKey [0xF8434032]
SSDT spcc.sys ZwOpenKey [0xF84150C0]
SSDT spcc.sys ZwQueryKey [0xF843410A]
SSDT spcc.sys ZwQueryValueKey [0xF8433F8A]
SSDT spcc.sys ZwSetValueKey [0xF843419C]

INT 0x62 ? 81FDFBF8
INT 0x63 ? 81D5DF00
INT 0x82 ? 81FDFBF8
INT 0x84 ? 81D5DF00
INT 0x94 ? 81D5DF00
INT 0xB4 ? 81D5DF00

---- Kernel code sections - GMER 1.0.15 ----

? spcc.sys O sistema não pode encontrar o arquivo especificado. !
? Combo-Fix.sys O sistema não pode encontrar o arquivo especificado. !
.text USBPORT.SYS!DllUnload F7CF662C 5 Bytes JMP 81D5D4E0
.text amxl75h7.SYS F7CA6386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text amxl75h7.SYS F7CA63AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text amxl75h7.SYS F7CA63C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text amxl75h7.SYS F7CA63C9 1 Byte [30]
.text amxl75h7.SYS F7CA63C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\ComboFix\catchme.sys O sistema não pode encontrar o caminho especificado. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS O sistema não pode encontrar o arquivo especificado. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 81FE12D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8446C4C] spcc.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F8446CA0] spcc.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8416042] spcc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F841613E] spcc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84160C0] spcc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8416800] spcc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84166D6] spcc.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8425E9C] spcc.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 81D5D5E0
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlInitUnicodeString] 00021083
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!swprintf] 01B05E00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeSetEvent] 5DE58B5B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 7E8366C3
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 0F740028
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 89320C8D
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmFreeMappingAddress] 0002288B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 46B70F00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 66D00328
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmUnmapIoSpace] 002A7E83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 0C8D1574
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IofCompleteRequest] 248B8932
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlCompareUnicodeString] 0F000002
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IofCallDriver] 832A46B7
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmAllocateMappingAddress] E08303C0
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] 66D003FC
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoConnectInterrupt] 002C7E83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoDetachDevice] 0C8D1E74
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeWaitForSingleObject] 208B8932
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInitializeEvent] 8A000002
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 83880846
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlInitAnsiString] 000001C0
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 2C4EB70F
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoQueueWorkItem] 8303C183
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmMapIoSpace] D103FCE1
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 2E7E8366
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoReportDetectedDevice] 8D1C7400
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoReportResourceForDetection] 83893204
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 00000218
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!NlsMbCodePageTag] 2E4EB70F
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoRequestPowerIrp] 021C8B89
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] B70F0000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] E0C12E46
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!sprintf] 03D00304
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0CB389F2
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ObfDereferenceObject] 80000002
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 0975013E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 1B42E853
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwClose] C4830000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] B05E5F04
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] E58B5B01
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] CCCCC35D
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoStartNextPowerIrp] CCCCCCCC
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoCallDriver] 53EC8B55
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoCreateDevice] 08758B56
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 0214BE83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 57000000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwOpenKey] 45C60674
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlFreeUnicodeString] 1EEB010B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoStartTimer] 020C868B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInitializeTimer] C0850000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoInitializeTimer] 808A1074
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInitializeDpc] 00000804
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInitializeSpinLock] A03CF024
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoInitializeIrp] 0B45950F
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwCreateKey] 45C604EB
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 458A000B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 88C0840B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ZwSetValueKey] 840F0946
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeInsertQueueDpc] 000000C1
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 14B30E8B
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoStartPacket] 1C8286C6
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 88010000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 001C859E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoFreeMdl] A19E8800
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmUnlockPages] C600001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 001C8686
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 86C60100
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 00001CA2
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 70518B01
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeSynchronizeExecution] 8D52006A
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoStartNextPacket] 001C8886
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeBugCheckEx] 55E85000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 8B000023
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeSetTimer] 70518B0E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeCancelTimer] 8D52016A
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!_allmul] 001CA486
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmProbeAndLockPages] 41E85000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!_except_handler3] 8B000023
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!PoSetPowerState] 18C4830E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 1C8D9E88
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 9E880000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!_aulldiv] 00001CA9
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!strstr] 0E798366
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!_strupr] 74AAB000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeQuerySystemTime] 8186C636
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 1A00001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!KeTickCount] 1C8386C6
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] C6020000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoDeleteDevice] 001C8E86
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 86C60200
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateWorkItem] 00001CAA
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateIrp] 959E8802
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoAllocateMdl] 8800001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CB19E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmLockPagableDataSection] 96868800
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8800001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CB286
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!ExFreePoolWithTag] C61AEB00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoFreeIrp] 001C8186
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!IoFreeWorkItem] 86C61200
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!InitSafeBootMode] 00001C83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlCompareMemory] 8E868801
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!memmove] 001CAA86
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[ntoskrnl.exe!MmHighestUserAddress] 80968B00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KfRaiseIrql] 0001BC83
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\amxl75h7.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 81FDE1F8
Device \Driver\usbohci \Device\USBPDO-0 81D5C500
Device \Driver\usbohci \Device\USBPDO-1 81D5C500
Device \Driver\usbohci \Device\USBPDO-2 81D5C500
Device \Driver\usbehci \Device\USBPDO-3 81D5A500
Device \Driver\Ftdisk \Device\HarddiskVolume1 81F741F8
Device \Driver\Cdrom \Device\CdRom0 81D5F500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 81FDF1F8
Device \Driver\atapi \Device\Ide\IdePort0 81FDF1F8
Device \Driver\atapi \Device\Ide\IdePort1 81FDF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 81FDF1F8
Device \Driver\sptd \Device\1364220540 spcc.sys
Device \Driver\PCI_PNP1790 \Device\0000003c spcc.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{393D5CA9-E03D-4DAD-84F4-6B1EC36EE3C7} 81D07500
Device \Driver\NetBT \Device\NetBt_Wins_Export 81D07500
Device \Driver\NetBT \Device\NetbiosSmb 81D07500
Device \Driver\usbohci \Device\USBFDO-0 81D5C500
Device \Driver\usbohci \Device\USBFDO-1 81D5C500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81C6B500
Device \Driver\usbohci \Device\USBFDO-2 81D5C500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81C6B500
Device \Driver\usbehci \Device\USBFDO-3 81D5A500
Device \Driver\Ftdisk \Device\FtControl 81F741F8
Device \Driver\amxl75h7 \Device\Scsi\amxl75h71 81C831F8
Device \FileSystem\Cdfs \Cdfs 81C65500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Arquivos de programas\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0xDE 0x83 0x39 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5F 0x86 0x69 0xD3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAD 0x88 0x85 0x1C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Arquivos de programas\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xEC 0xDE 0x83 0x39 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5F 0x86 0x69 0xD3 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAD 0x88 0x85 0x1C ...

---- EOF - GMER 1.0.15 ----

**shelf life** · 2009-11-03, 00:23

ok thanks for the info. How are things on your end now. Any better? Please run this Gmer tool:

Please download MBR.exe from here ->

http://www2.gmer.net/mbr/mbr.exe

Save the file to your desktop and double click it

A new text file will appear on your desktop, created by the tool. Copy and paste the text file in your reply.

**Tecolote** · 2009-11-04, 01:31

Yes! The computer's better. Only the executables didn't return. I'm still opening IE via Start/Run way. But at least, all the websites "blacklisted" are opening now, and that's very good!

There's a very short (and also looking good) MBR log:

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

**shelf life** · 2009-11-04, 23:00

ok thanks for the info. you mean you still can't find the IE or media player.exe to make a short cut with?
You can try this to show all files, then look:

FOr XP: on the desktop double click my computer,at the top click on> tools>folder options>view> then select "show hidden files and folders", then UNcheck "hide protected operating system files " also UNcheck "hide extensions for known file types" click apply to all folders, apply then ok

You looked here for the IE.exe:

C:\Program Files\Internet Explorer
you should be able to right click and drag it to the desktop to make a shortcut

See if you can do the ESET online scan now also:

ESET online scanner:

http://www.eset.com/onlinescan/

uses Internet Explorer only
check "YES" to accept terms
click start button
allow the ActiveX component to install
click the start button. the Scanner will update.
check both "Remove found threats" and "Scan unwanted applications"
click scan
when done you can find the scan log at:C:\Program Files\EsetOnlineScanner\log.txt
please copy/paste that log in next reply.

**Tecolote** · 2009-11-10, 09:48

Great! The .exe files reappeared.
I will post the Eset log soon.

**tashi** · 2009-11-29, 08:12

Tecolote this thread has been closed due to inactivity.

As it has been four days or more since your last post, it will not be re-opened.

If you still require help, please start a new topic and include a new HijackThis log with a link to your previous thread.

Please do not add any logs that might have been requested previously, you would be starting fresh.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Thank you shelf life.

Thread: Infected attachments?

Thread Tools

Display

Posting Permissions