Challenging Malware Removal

B

Bombaycat

New member
Hi! Before anything else, I have major in system of telecomunications, so I have some knowledge about malwares and similar things. So no problems in jargons or extremly specific information.

I know that I would proceed to provide logs of my pc right now, but this malware has done something quite nasty: It corrupted the system registry, so the computer no longer boots. So yes this is gonna be quite a challenge.

I'm using a live ubuntu cd for booting, and with the help of Digital Forensic Framework I got quite far within the possibilities of the malware I got.

The lines of defense:
In Windows I use Avast anti-virus, but today it's currently off because license expired (It was ok when I got problems, I know it expired because it's expires based on date). I use Spybot Search&Destroy and Superantispyware, but the later without real-time scanning, to prevent conflicts. (It's good for removing tracking cookies, that's only why I use it)

The symptoms:
I did not accessed any dangerous site, nor read any spam/virus e-mail or anything suspect. In one day the computer started to behave slower. The other day, a software took way more than usual to load. Few hours later, the system crashed. Not even the mouse pointer moved. After that the system was incredibly slow to boot, and kept crashing before/after/while boot process. After some attempts, it no longer booted, returning a message that a file from the system was corrupted:
C:\Windows\System32\Config\System
Windows Registry is gone. =\

However I still can access pretty much any file thru Linux. No other file showed any sign of being corrupted.

Diagnosis:
My initial suspect was a hardware failure, something between the sata controller of the motherboard and the harddrive. But after EXTENSIVE tests, no hardware problem was found with the pc. Motherboard, cable, harddrive. Everything is fine.

I checked RAM integrity, it's working perfectly. Could a RAM malware remain after a full test of RAM? I mean, the test includes checking every single bit of it, it would detect a malware as a RAM defect.

I tried Avast antivirus for Linux, and after a throught scan, nothing relevant was found. (It found a Adware:gen from screensavers.com, but I don't think it is a problem in anyway.)

With the help of DFF module winreg I analyzed the registry (somehow it opens with no problems) and did not find any malware sign at startup locations in the registry files. I found an entry with wrong name and another entry apparently misplaced (corrupted maybe?), but no obvious sign of malware for now.

Treatment:
If I find the sign of a malware, I can hexedit the damages and revert the system back to functional. I did not tried system restoration thru the windows CD because it basicly puts an "empty" registry over the damaged one. It's pretty much formatting the HD, with the nuissance of all programs with uninstallers that doesn't work anymore. It would be better formatting, but I don't want to because I couldn't install some programs anymore. I have backup of almost everything needed in case I have to format, but I would hate myself if I forget something. Also, having to install, download and copy everything back could take days.

Other possibilities:
Could it not be a malware?
Yes. This will sound extremly stupid, but does makes sense:
Damage caused by an Coronal Mass Ejection.
http://www.nasa.gov/mission_pages/sunearth/news/News080411-dblpunch.html
http://en.wikipedia.org/wiki/Solar_cycle_24#August_2011
Well, my pc started to behave slower in the 1st wave of the ejection, and ultimately crashed in the 2nd. Nothing else strange happened in my city that day, no blackouts, and I would expect something like a severe damage to the harddrive data if that the case, but the coincidence is big enough to consider. This still is a remote possibility, no matter how stupid it is. XD

Next Step:
So, how I deal with an apparent malware that I don't know which one is? The malware seems to affect the boot and corrupted the registry somehow, enough to not boot, but not much since almost all data was preserved. Where I should be looking to check if I was infected by malware? Determining what malware caused the damage is essential for removing any kind of damages it made, but I have no clue of where I should look to determinate a malware infection, aside from the places I already looked for.

http://forums.spybot.info/showthread.php?t=50668
 
Last edited by a moderator:
Uhm... I don't know why my topic from 2009 was referred, it isn't related, but anyway...

I found one more clue for finding out which malware is. Upon further analysis I discovered that this malware hides older points for system restore. I remember that while I could browse thru the windows, I found only 2 points, but by checking the System Volume Information I found more restoration points. Which means it could be a virus which inserts itself onto other softwares, a .dll or a script, so it hides the other restoration points in that way.

Seems to be a tough one. Well, the stronger are your defenses, the stronger is the one who knocks you out!
 
What does the file ProcCache.sbc at Spybot directory at Documents and Settings/All users?

I checked all Run registry keys, nothing found. Nothing suspect at Programs>Startup shortcuts. I did another updated Avast scan, nothing found.

Where else a malware that affects booting can hide?
 
After a manual system recovery I managed to boot. And I confirmed the infection. Avast antivirus seems up to date (after 1 month without updating) and when updating, after sharking I found out Avast is updating in non-avast websites.

I'm now scanning with Spybot, but I wonder if I truly updated... I'll post the reports soon.

Any help please? There's a lot of clues now.
 
I forgot to mention, boot is still slow, comodo firewall is no longer working. After going to desktop, initially Avast appears with a tray icon symbol which means it's turned off, and the task bar is not responsive. Later, I get a Daemon tool error and comodo error. But after that the system seems fine.

Here it goes:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:46:08, on 10/9/2011
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\WTouch\WTouchService.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\WTouch\WTouchUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Comodo\Firewall\CPF.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Arquivos de programas\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Arquivos comuns\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Arquivos de programas\Spybot - Search & Destroy\SpybotSD.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.terra.com.br/
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Arquivos de programas\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Arquivos de programas\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Arquivos de programas\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Arquivos de programas\Arquivos comuns\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [SwitchBoard] C:\Arquivos de programas\Arquivos comuns\Adobe\SwitchBoard\SwitchBoard.exe
O4 - HKLM\..\Run: [AdobeCS5ServiceManager] "C:\Arquivos de programas\Arquivos comuns\Adobe\CS5ServiceManager\CS5ServiceManager.exe" -launchedbylogin
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Arquivos de programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Arquivos de programas\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: Download with GetRight - C:\Arquivos de programas\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: mail to a friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Arquivos de programas\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{AEE4D900-3A20-4FAD-95B9-8A81A65F5898}: NameServer = 200.175.5.139,200.175.89.139
O20 - AppInit_DLLs: ,C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Arquivos de programas\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Arquivos de programas\iPod\bin\iPodService.exe (file missing)
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Arquivos de programas\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Arquivos de programas\WinPcap\rpcapd.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Arquivos de programas\Arquivos comuns\Steam\SteamService.exe
O23 - Service: SwitchBoard - Adobe Systems Incorporated - C:\Arquivos de programas\Arquivos comuns\Adobe\SwitchBoard\SwitchBoard.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\WINDOWS\system32\Pen_Tablet.exe
O23 - Service: WTouch Service (WTouchService) - Wacom Technology, Corp. - C:\Arquivos de programas\WTouch\WTouchService.exe

--
End of file - 8981 bytes

DDS and GMER reports comming soon, as spybot scan results.

PS: Does the up to date spybot database scans for 809029 total of malwares and similars? I need to know if my spybot is truly updated.
 
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_07
Run by Administrador at 4:01:08 on 2011-09-10
Microsoft Windows XP Professional 5.1.2600.2.1252.55.1046.18.2047.1379 [GMT -3:00]
.
AV: avast! antivirus 4.8.1368 [VPS 110910-2] *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall Pro *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Arquivos de programas\WTouch\WTouchService.exe
svchost.exe
svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\WTouch\WTouchUser.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\Arquivos de programas\QuickTime\qttask.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Comodo\Firewall\CPF.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Arquivos de programas\Arquivos comuns\Autodesk Shared\Service\AdskScSrv.exe
C:\Arquivos de programas\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe
C:\WINDOWS\system32\Pen_Tablet.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Arquivos comuns\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.terra.com.br/
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\arquivos de programas\orbitdownloader\orbitcth.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\arquiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\arquivos de programas\orbitdownloader\GrabPro.dll
TB: {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No File
uRun: [DAEMON Tools] "c:\arquivos de programas\daemon tools\daemon.exe" -lang 1033
uRun: [SpybotSD TeaTimer] c:\arquivos de programas\spybot - search & destroy\TeaTimer.exe
mRun: [CARPService] carpserv.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RemoteControl] "c:\arquivos de programas\cyberlink\powerdvd\PDVDServ.exe"
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\arquivos de programas\quicktime\qttask.exe" -atboottime
mRun: [avast!] c:\arquiv~1\alwils~1\avast4\ashDisp.exe
mRun: [COMODO Firewall Pro] "c:\arquivos de programas\comodo\firewall\CPF.exe" /background
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [AdobeAAMUpdater-1.0] "c:\arquivos de programas\arquivos comuns\adobe\oobe\pdapp\uwa\UpdaterStartupUtility.exe"
mRun: [SwitchBoard] c:\arquivos de programas\arquivos comuns\adobe\switchboard\SwitchBoard.exe
mRun: [AdobeCS5ServiceManager] "c:\arquivos de programas\arquivos comuns\adobe\cs5servicemanager\CS5ServiceManager.exe" -launchedbylogin
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\adobeg~1.lnk - c:\arquivos de programas\arquivos comuns\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\menuin~1\progra~1\inicia~1\micros~1.lnk - c:\arquivos de programas\microsoft office\office10\OSA.EXE
IE: &Download by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\arquivos de programas\orbitdownloader\orbitmxt.dll/202
IE: Download with GetRight - c:\arquivos de programas\getright\GRdownload.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office10\EXCEL.EXE/3000
IE: mail to a friend... - http://client.alexa.com/holiday/script/actions/mailto.htm
IE: Open with GetRight Browser - c:\arquivos de programas\getright\GRbrowse.htm
IE: {c95fe080-8f5d-11d2-a20b-00aa003c157a} - c:\windows\web\related.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\arquivos de programas\java\jre1.6.0_07\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\arquiv~1\spybot~1\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 10.1.1.1
TCP: Interfaces\{8DF63FFC-DAF1-4C44-B16F-3F418FF92C33} : DhcpNameServer = 201.10.120.3 201.10.1.2
TCP: Interfaces\{AEE4D900-3A20-4FAD-95B9-8A81A65F5898} : NameServer = 200.175.5.139,200.175.89.139
TCP: Interfaces\{AEE4D900-3A20-4FAD-95B9-8A81A65F5898} : DhcpNameServer = 10.1.1.1
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\arquivos de programas\arquivos comuns\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\arquivos de programas\superantispyware\SASWINLO.dll
AppInit_DLLs: ,c:\docume~1\admini~1\config~1\temp\
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\arquivos de programas\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrador\dados de aplicativos\mozilla\firefox\profiles\71kqd8gf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.terra.com.br/
FF - plugin: c:\arquivos de programas\tabletplugins\npwacom.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\arquivos de programas\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: ShowIP: {3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d} - %profile%\extensions\{3e9bb2a7-62ca-4efa-a4e6-f6f6168a652d}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2008-4-22 114768]
R1 SASDIFSV;SASDIFSV;c:\arquivos de programas\superantispyware\sasdifsv.sys [2009-9-1 9968]
R1 SASKUTIL;SASKUTIL;c:\arquivos de programas\superantispyware\SASKUTIL.SYS [2009-9-1 74480]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-22 20560]
R2 avast! Antivirus;avast! Antivirus;c:\arquivos de programas\alwil software\avast4\ashServ.exe [2008-4-22 138680]
R2 CmdAgent;Comodo Application Agent;c:\arquivos de programas\comodo\firewall\cmdagent.exe [2008-4-22 361040]
R2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x32.sys [2011-7-6 21992]
R2 npf;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-1-26 50704]
R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2010-12-20 4497704]
R2 WTouchService;WTouch Service;c:\arquivos de programas\wtouch\WTouchService.exe [2010-12-20 113448]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\arquivos de programas\alwil software\avast4\ashMaiSv.exe [2008-4-22 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\arquivos de programas\alwil software\avast4\ashWebSv.exe [2008-4-22 352920]
R3 RMSPPPOE;WAN Miniport (PPP over Ethernet Protocol);c:\windows\system32\drivers\RMSPPPOE.SYS [2002-6-9 31232]
R3 SCREAMINGBDRIVER;Screaming Bee Audio;c:\windows\system32\drivers\ScreamingBAudio.sys [2006-9-26 21920]
S3 ATP;Comodo EasyVPN Miniport Driver;c:\windows\system32\drivers\cmdatp.sys --> c:\windows\system32\drivers\cmdatp.sys [?]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 SASENUM;SASENUM;c:\arquivos de programas\superantispyware\SASENUM.SYS [2009-9-1 7408]
S3 SwitchBoard;SwitchBoard;c:\arquivos de programas\arquivos comuns\adobe\switchboard\SwitchBoard.exe [2010-2-19 517096]
.
=============== File Associations ===============
.
regfile="regedit.exe" "%1"
.
=============== Created Last 30 ================
.
.
==================== Find3M ====================
.
2011-07-16 05:18:38 10022 --sha-w- c:\windows\system32\KGyGaAvL.sys
2011-07-04 20:17:20 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2010-01-26 14:11:08 444283 ----a-w- c:\arquivos de programas\arquivos comuns\WinPcapNmap.exe
.
============= FINISH: 4:02:24,09 ===============

GMER report comming soon
 
GMER is different from what I thoght. It had a file scan, which I stopped because it was taking too long. I provided a glossary in the end for parts of the log that are in portuguese.

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-10 07:59:03
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 SAMSUNG_HD161HJ rev.GF100-07
Running: gdjs4pqh.exe; Driver: C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\uxtdipog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB74AA6B8]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwConnectPort [0xB761E0D2]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateFile [0xB7620302]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB74AA574]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreatePort [0xB761E02C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateSection [0xB761EAAE]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwCreateThread [0xB761DD12]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteFile [0xB761FCB0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwDeleteKey [0xB761EEC0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB74AAA52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB74AA14C]
SSDT sptd.sys ZwEnumerateKey [0xB9EC5E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xB9EC61BA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB74AA64E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB74AA08C]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwOpenSection [0xB761E9E0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB74AA0F0]
SSDT sptd.sys ZwQueryKey [0xB9EC6292]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB74AA76E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB74AA72E]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetContextThread [0xB761DBB4]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwSetInformationFile [0xB761FDE0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB74AA8AE]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwShutdownSystem [0xB761EFA0]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwTerminateProcess [0xB761DF66]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwWriteFile [0xB762014A]
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.) ZwWriteFileGather [0xB761FFB4]

Code 2C23921C KeSetProfileIrql

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C60 80503A34 4 Bytes [AE, EA, 61, B7]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D8C 80503B60 4 Bytes JMP B076F2C6
.text ntkrnlpa.exe!ZwCallbackReturn + 2F7C 80503D50 2 Bytes [A0, EF]
? C:\WINDOWS\system32\drivers\sptd.sys O arquivo já está sendo usado por outro processo.
.text USBPORT.SYS!DllUnload B8C3662C 5 Bytes JMP 89B781C8
? System32\Drivers\ax3i1pzd.SYS O sistema não pode encontrar o caminho especificado. !
? C:\DOCUME~1\ADMINI~1\CONFIG~1\Temp\mbr.sys O sistema não pode encontrar o arquivo especificado. !

---- User code sections - GMER 1.0.15 ----

.text C:\Arquivos de programas\Comodo\Firewall\CPF.exe[2040] ntdll.dll!LdrLoadDll 7C915CBB 3 Bytes [FF, 25, 1E]
.text C:\Arquivos de programas\Comodo\Firewall\CPF.exe[2040] ntdll.dll!LdrLoadDll + 4 7C915CBF 2 Bytes [05, 5F]
.text C:\Arquivos de programas\Comodo\Firewall\CPF.exe[2040] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F070F5A
.text C:\Arquivos de programas\Mozilla Firefox\firefox.exe[3676] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Arquivos de programas\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Arquivos de programas\Mozilla Firefox\plugin-container.exe[3856] USER32.dll!TrackPopupMenu 77D74ED6 5 Bytes JMP 104089D7 C:\Arquivos de programas\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EC0AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EC0C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EC0B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EC1748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EC161E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED5ACA] sptd.sys
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA0FB950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA0FB950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA0FB950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA0FB950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA0FB950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [BA0FB950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA0FB950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\NMnt.sys[NDIS.SYS!NdisRegisterProtocol] [BA0FB910] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\NMnt.sys[NDIS.SYS!NdisCloseAdapter] [BA0FB6D0] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\NMnt.sys[NDIS.SYS!NdisDeregisterProtocol] [BA0FB950] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)
IAT \SystemRoot\system32\DRIVERS\NMnt.sys[NDIS.SYS!NdisOpenAdapter] [BA0FB730] inspect.sys (Comodo Personal Firewall Stateful Inspection Engine/COMODO)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[768] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[768] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E4C1E8

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBPDO-0 89AB81E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DDD1E8
Device \Driver\dmio \Device\DmControl\DmConfig 89DDD1E8
Device \Driver\dmio \Device\DmControl\DmPnP 89DDD1E8
Device \Driver\dmio \Device\DmControl\DmInfo 89DDD1E8
Device \Driver\usbohci \Device\USBPDO-1 89AB81E8
Device \Driver\usbohci \Device\USBPDO-2 89AB81E8
Device \Driver\usbehci \Device\USBPDO-3 89AA41E8

AttachedDevice \Driver\Tcpip \Device\Tcp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\Ftdisk \Device\HarddiskVolume1 89E4E1E8
Device \Driver\Cdrom \Device\CdRom0 89BBB1E8
Device \Driver\atapi \Device\Ide\IdePort0 89E4D1E8
Device \Driver\atapi \Device\Ide\IdePort1 89E4D1E8
Device \Driver\atapi \Device\Ide\IdePort2 89E4D1E8
Device \Driver\atapi \Device\Ide\IdePort3 89E4D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 89E4D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b 89E4D1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 89E4D1E8
Device \Driver\Cdrom \Device\CdRom1 89BBB1E8
Device \Driver\Cdrom \Device\CdRom2 89BBB1E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89908448
Device \Driver\NetBT \Device\NetBT_Tcpip_{AEE4D900-3A20-4FAD-95B9-8A81A65F5898} 89908448
Device \Driver\NetBT \Device\NetbiosSmb 89908448
Device \Driver\PCI_NTPNP0274 \Device\0000005b sptd.sys

AttachedDevice \Driver\Tcpip \Device\Udp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdmon.sys (Comodo Application Engine driver/Comodo Research Lab., Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\usbohci \Device\USBFDO-0 89AB81E8
Device \Driver\usbohci \Device\USBFDO-1 89AB81E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89A4E7A0
Device \Driver\usbohci \Device\USBFDO-2 89AB81E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89A4E7A0
Device \Driver\usbehci \Device\USBFDO-3 89AA41E8
Device \Driver\Ftdisk \Device\FtControl 89E4E1E8
Device \Driver\ax3i1pzd \Device\Scsi\ax3i1pzd1Port4Path0Target0Lun0 89A8A6F8
Device \Driver\ax3i1pzd \Device\Scsi\ax3i1pzd1 89A8A6F8
Device \FileSystem\Cdfs \Cdfs 89951360

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1883006660
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1095330525
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x83 0x19 0x76 0x6F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Arquivos de programas\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x51 0x2B 0x39 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDB 0x0E 0x2C 0xA0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x85 0x91 0x9A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x83 0x19 0x76 0x6F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Arquivos de programas\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x51 0x2B 0x39 0x62 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDB 0x0E 0x2C 0xA0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4A 0x85 0x91 0x9A ...

---- EOF - GMER 1.0.15 ----

"C:\Arquivos de programas\" C:\Program Files\
"O arquivo já está sendo usado por outro processo." The file is already being used by other process.
"O sistema não pode encontrar o caminho especificado." The system couldn't find the specific path.
"O sistema não pode encontrar o arquivo especificado." The system couldn't find the specific archive.


Seriously, it is a malware infection, but I still can't find any signs. Any ideas? Sugestion for other programs to scan/generate logs? I do need help.

Edit
"BEFORE You POST"(Please read this Procedure Before Requesting Assistance)
 
Last edited by a moderator:
You must log in or register to reply here.
Back
Top