Trojans mdelk.exe & wintems.exe, please need help!

Kankiz · Jan 18, 2008

HI,

I downloaded a program via Emule and before I execute it I scanned it by AVG and it said it was safe. For my surprise I saw the AVG icon disappear from the desktop. Right away I realized something was wrong as I saw a flash (like a program was executing), but nothing prompted me to install. Opening Windows Task Manager, I saw new processes (wintems.exe, 52531.exe, etc.).

My first instinct was to disable my internet, end the processes and do System Restore. I was unable to end wintems.exe (Error message of "The operation could not be completed. Access is denied.").

I enabled internet and found that what I have is Trj/Mitglieder.RV, W32/Bagle.RC.worm and W32/Bagle.QW.worm. It constantly downloads or creates files with names like 45000.exe, 52531.exe, 61671.exe, 66828.exe, 69546.exe, 126093.exe, 183390.exe, 189906.exe, 234125.exe, 238828.exe, to C:\WINDOWS\system32\drivers\down.

I tried re-installing AVG (failed) and Spybot (installed but program self deleted), and even ATF Cleaner doesn't execute.

I tried a lot of anti-virus online (since mine was unninstalled) and I guess I run out 'wintems.exe' from my PC, but the file
'mdelk.exe' still remains (in the folder 'WINDOWS\system32').

Please, HELP!

Thanks,

Kankiz.

HijackThis log is as follows...

Logfile of HijackThis v1.99.1
Scan saved at 17:08:08, on 18/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
D:\Meus Documentos\Programas\Diversos\Antivírus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)

Rorschach112 · Jan 19, 2008

Hello

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Please download and unzip Icesword to its own folder on your desktop

If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.

Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.

Step 3 : Now, click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.

Now post all of the data collected under the headings for :

Processes
Win32 Services
SSDT

Kankiz · Jan 19, 2008

Hi,

Here we go:

Deckard's System Scanner v20071014.68
Run by ROBERIO on 2008-01-19 14:28:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 2 Restore Point(s) --
2: 2008-01-19 12:04:59 UTC - RP161 - Deckard's System Scanner Restore Point
1: 2008-01-18 12:57:14 UTC - RP160 - Ponto de verificação do sistema

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as ROBERIO.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:04, on 19/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ROBERIO\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\ROBERIO.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6317 bytes

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R1 mapledxp - c:\windows\system32\drivers\mapledxp.sys <Not Verified; Jeff Hurchalla and Marble Sound; MarbleSound Maple Midi XP Driver SYS>
R1 moufiltr (Mouse Filter Driver) - c:\windows\system32\drivers\moufiltr.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R1 UsbFltr (WayTechMUSBFilterDriver) - c:\windows\system32\drivers\usbfltr.sys <Not Verified; Waytech Development, Inc.; Ortek USB Keypad>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>
R3 mohfilt - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel Corporation; Creatix V.9X data fax modem>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 catchme - c:\docume~1\roberio\config~1\temp\catchme.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 PinnacleSys.MediaServer (Pinnacle Systems Media Service) - "c:\arquivos de programas\pinnacle\shared files\programs\mediaserver\pmshost.exe" <Not Verified; Pinnacle Systems; Media Server>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Files created between 2007-12-19 and 2008-01-19 -----------------------------

2008-01-18 17:46:48 0 d-------- C:\Arquivos de programas\Trend Micro
2008-01-18 17:13:56 0 dr-h----- C:\Documents and Settings\ROBERIO\Recent
2008-01-18 10:41:22 8576 --a------ C:\WINDOWS\system32\drivers\vfhfvquoiswm.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 09:50:21 8576 --a------ C:\WINDOWS\system32\drivers\oemjiubaxbrj.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-17 19:22:01 8576 --a------ C:\WINDOWS\system32\drivers\jocnmljhbhvi.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-16 18:14:43 70660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-09 20:01:00 0 d-------- C:\WINDOWS\system32\drivers\down

-- Find3M Report ---------------------------------------------------------------

2008-01-18 02:29:18 0 d-------- C:\Arquivos de programas\Wireless Combo
2008-01-18 02:09:28 0 d-------- C:\Arquivos de programas\MFR6
2008-01-18 01:43:42 0 d-------- C:\Arquivos de programas\GbPlugin
2008-01-18 01:27:59 0 d-------- C:\Arquivos de programas\DAEMON Tools
2008-01-16 18:20:20 0 d-------- C:\Arquivos de programas\SpywareBlaster
2008-01-09 20:08:52 0 d-------- C:\Arquivos de programas\eMule
2008-01-09 16:58:40 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\BSplayer PRO
2008-01-09 16:58:29 0 d-------- C:\Arquivos de programas\Webteh
2007-12-20 14:35:19 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-12 11:54:59 240 --a------ C:\WINDOWS\system32\RfmDat2.dat
2007-12-01 10:36:24 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\Adobe
2007-12-01 10:29:04 0 d-------- C:\Arquivos de programas\Arquivos comuns
2007-12-01 09:04:56 0 d-------- C:\Arquivos de programas\Sibelius Software
2007-11-29 22:32:20 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\uTorrent
2007-11-22 09:39:59 451670 --a------ C:\WINDOWS\system32\perfh016.dat
2007-11-22 09:39:59 78596 --a------ C:\WINDOWS\system32\perfc016.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [20/06/2003 13:06 C:\WINDOWS\system32\ptipbmf.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"SoundMan"="SOUNDMAN.EXE" [26/02/2004 06:53 C:\WINDOWS\SOUNDMAN.EXE]
"Pinnacle WebUpdater"="C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [26/03/2006 12:10]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [10/12/2005 12:57]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Activar programa de Leading Scroll.lnk - C:\Arquivos de programas\Wireless Combo\MulMouse.exe [27/1/2007 14:33:31]
Media Key.lnk - C:\Arquivos de programas\Wireless Combo\MagicKey.exe [27/1/2007 14:33:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [03/12/2007 16:30 347976]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [15/08/2007 19:14 207280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GbPlugin\gbieh.dll 03/12/2007 16:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 03/12/2007 16:30 347976 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Arquivos de programas\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Arquivos de programas\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Arquivos de programas\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\system32\Sims 2 Pets.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\khiiff.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tomar Agua]
D:\Meus Documentos\E-mail\Slides\Tomar_Agua.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Arquivos de programas\Winamp\Winampa.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ebad148-5a83-11dc-90e0-0013d42eb01f}]
AutoRun\command- E:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2008-01-19 14:33:56 ------------

The next replies I'll post the 'extra' of Deckard's System Scanner and the other logs (too long!!).

Kankiz · Jan 19, 2008

Continue...

The first part (1/2) of "Extra":

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Portuguese

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 19%
Physical Memory (total/avail): 2047.22 MiB / 1649.23 MiB
Pagefile Memory (total/avail): 3432.51 MiB / 3203.94 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.83 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.5 GiB total, 14.64 GiB free.
D: is Fixed (NTFS) - 335.11 GiB total, 29.77 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Promise 2+0 Stripe/RAID0 SCSI Disk Device - 372.62 GiB - 2 partitions
\PARTITION0 (bootable) - Sistema de arquivos instalável - 37.5 GiB - C:
\PARTITION1 - Estendido c/Int. estendida 13 - 335.11 GiB - D:

\\.\PHYSICALDRIVE1 - HP photosmart 7200 USB Device

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.
FirewallOverride is set.

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Arquivos de programas\\eMule\\emule.exe"="C:\\Arquivos de programas\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ROBERIO\Dados de aplicativos
CLIENTNAME=Console
CommonProgramFiles=C:\Arquivos de programas\Arquivos comuns
COMPUTERNAME=ROBERIO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ROBERIO
LOGONSERVER=\\ROBERIO
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\;C:\Arquivos de programas\Java\jre1.5.0_10\bin\client\;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Arquivos de programas
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROBERIO\CONFIG~1\Temp
TMP=C:\DOCUME~1\ROBERIO\CONFIG~1\Temp
USERDOMAIN=ROBERIO
USERNAME=ROBERIO
USERPROFILE=C:\Documents and Settings\ROBERIO
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

ROBERIO (admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Arquivos de programas\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis*True*Image*Home --> MsiExec.exe /X{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}
Adobe AIR 1.0 Beta 1 --> MsiExec.exe /X{BB8B979E-E336-47E7-96BC-1031C1B94561}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.7 - Português --> MsiExec.exe /I{AC76BA86-7AD7-1046-7B44-A70700000002}
Antares Auto-Tune v4.39 --> C:\ARQUIV~1\ANTARE~1\AUTO-T~1\AIRLOG~1\AT4\UNWISE.EXE C:\ARQUIV~1\ANTARE~1\AUTO-T~1\AIRLOG~1\AT4\INSTALL.LOG
Antares Tube 1.02 DirectX --> C:\ARQUIV~1\Antares\TubeDX\UNWISE.EXE C:\ARQUIV~1\Antares\TubeDX\INSTALL.LOG
AoA MP4 Converter --> "C:\Arquivos de programas\AoA MP4 Converter\unins000.exe"
AsusUpdate --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9
µTorrent --> "C:\Arquivos de programas\uTorrent\uTorrent.exe" /UNINSTALL
Atualização de Segurança para Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB933566) --> "C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Atualização para Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Atualização para Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Atualização para Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Atualização para Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Atualização para Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Atualização para Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Atualização para Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Atualização para Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Atualização para Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Atualização para Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Atualização para Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Atualização para Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Atualização para Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Atualização para Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Atualização para Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Atualização para Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Atualização para Windows XP (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Atualização para Windows XP (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"

Kankiz · Jan 19, 2008

Continue...

Now the second part (2/2) of Extra:

AVS Disc Creator version 2.1 --> "C:\Arquivos de programas\AVSMedia\DiscCreator\unins000.exe"
AVS Video Editor 3.1.1.93 --> "C:\Arquivos de programas\AVSMedia\AVSVideoEditor\unins000.exe"
AVS Video Tools 5.1 --> "C:\Arquivos de programas\AVSMedia\VideoTools\unins000.exe"
Best Service Galaxy Steinway 5.1 --> C:\ARQUIV~1\BESTSE~1\GALAXY~1.1\UNWISE.EXE C:\ARQUIV~1\BESTSE~1\GALAXY~1.1\INSTALL.LOG
Blaze MediaConvert --> C:\ARQUIV~1\MYSTIK~1\BLAZEM~1\UNWISE.EXE C:\ARQUIV~1\MYSTIK~1\BLAZEM~1\INSTALL.LOG
BS.Player PRO --> "C:\Arquivos de programas\Webteh\BSplayerPro\uninstall.exe"
Celestia 1.4.1 --> "C:\Arquivos de programas\Celestia\unins000.exe"
Chessmaster 10th Edition --> C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E9AE9A91-AB45-4321-87BD-AD34855D944F}
CloneDVD --> "C:\Arquivos de programas\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe" /D="C:\Arquivos de programas\Elaborate Bytes\CloneDVD"
CorelDRAW Graphics Suite X3 --> MsiExec.exe /I{63218538-4A69-497F-8455-904261B0E9E4}
CUE Splitter --> MsiExec.exe /I{DFB9FD6D-08A7-4B26-AAC8-3163D6EEF739}
dBPowerAMP AIFF codec r3 --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP AIFF codec r3.dat
dBPowerAMP Dalet codec R1 --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP Dalet codec R1.dat
dBpowerAMP FLAC Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
dBpowerAMP Monkeys Audio Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.dat
dBpowerAMP Musepack Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Musepack Codec.dat
dBpowerAMP Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
dBpowerAMP Ogg Vorbis Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
dBpowerAMP Real Audio Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Real Audio Codec.dat
dBPowerAMP Real Audio Encoder R3 --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP Real Audio Encoder R3.dat
dBpowerAMP WMA V9 Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
Delta --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{A4810699-E859-43A6-8F40-1743873E72AB}\setup.exe" -l0x9 -removeonly
Disco de recordações HP --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
DivX --> C:\Arquivos de programas\DivX\DivXCodecUninstall.exe /CODEC
Dolet Light for Finale 2006 --> MsiExec.exe /X{1C3C0464-5944-4520-96B5-705541C3BB3E}
DreamStation DXi2 --> C:\WINDOWS\DSDXIRMV.EXE C:\ARQUIVOS DE PROGRAMAS\CAKEWALK\SHARED DXI\AUDIO SIMULATION\DREAMSTATION DXI2
DVD Decrypter (Remove Only) --> "C:\Arquivos de programas\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Arquivos de programas\DVD Shrink\unins000.exe"
EarMaster Pro 4 --> "C:\Arquivos de programas\EarMaster\unins000.exe"
East West Boesendorfer 290 --> C:\ARQUIV~1\EASTWE~1\BOESEN~1\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\BOESEN~1\INSTALL.LOG
East West Colossus --> C:\ARQUIV~1\EASTWE~1\Colossus\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\Colossus\INSTALL.LOG
East West EWQLSO Gold Edition --> C:\ARQUIV~1\EASTWE~1\EWQLSO~2\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\EWQLSO~2\INSTALL.LOG
East West EWQLSO PRO XP Gold --> C:\ARQUIV~1\EASTWE~1\EWQLSO~3\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\EWQLSO~3\INSTALL.LOG
East West EWQLSO Silver Edition --> C:\ARQUIV~1\EASTWE~1\EWQLSO~1\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\EWQLSO~1\INSTALL.LOG
East West Ra --> C:\ARQUIV~1\EASTWE~1\Ra\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\Ra\INSTALL.LOG
East West Symphonic Choirs --> C:\ARQUIV~1\EASTWE~1\SYMPHO~1\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\SYMPHO~1\INSTALL.LOG
Edirol HQ Orchestral VSTi v1.03 --> C:\ARQUIV~1\EDIROL\ORCHES~1.03\UNWISE.EXE C:\ARQUIV~1\EDIROL\ORCHES~1.03\INSTALL.LOG
Edirol Hyper Canvas DXi v1.52 --> C:\ARQUIV~1\EDIROL\HYPERC~1\UNWISE.EXE C:\ARQUIV~1\EDIROL\HYPERC~1\INSTALL.LOG
Edirol Super Quartet v1.52 TALiO --> C:\ARQUIV~1\EDIROL\SUPERQ~1.52\UNWISE.EXE C:\ARQUIV~1\EDIROL\SUPERQ~1.52\INSTALL.LOG
Emagic EVP73 VSTi v1.0 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\emagic\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\emagic\INSTALL.LOG
eMule --> "C:\Arquivos de programas\eMule\Uninstall.exe"
EN --> MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
FairStars Audio Converter 1.46 --> "C:\Arquivos de programas\FairStars Audio Converter\unins000.exe"
FileZilla versão 2.2.28 --> "C:\Arquivos de programas\FileZilla\unins000.exe"
Finale 2006 --> C:\WINDOWS\unvise32.exe C:\Arquivos de programas\Finale 2006\uninstal.log
Finale Performance Assessment --> C:\WINDOWS\unvise32.exe C:\Arquivos de programas\Finale Performance Assessment\uninstal.log
FL Studio 5 --> C:\Arquivos de programas\Image-Line\FLStudio5\uninstall.exe
FLAC Installer 1.1.2a (remove only) --> C:\Arquivos de programas\FLAC\uninstall.exe
Focusrite Saffire Bundle VST v1.0 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\FOCUSR~1\SAFFIR~1\UNINST~1\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\FOCUSR~1\SAFFIR~1\UNINST~1\INSTALL.LOG
FontNav --> MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
Google Earth --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GVOX Encore 32 v4.5 --> C:\ARQUIV~1\GVOX\Encore\UNWISE.EXE C:\ARQUIV~1\GVOX\Encore\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Photo and Imaging 2.1 - Scanjet 2400 Series --> MsiExec.exe /I{6F7ECD56-E224-4263-9B7E-158E5CECC43B}
HP Software Update --> MsiExec.exe /X{6FA269F8-38CB-4DF7-AA0D-36E3CE789485}
Hurchalla Maple VMidi Cable v3.56 --> "C:\WINDOWS\unins000.exe"
Innovative Music Systems IntelliScore Polyphonic Edition v6.0 --> C:\ARQUIV~1\INTELL~1\UNWISE.EXE C:\ARQUIV~1\INTELL~1\INSTALL.LOG
Intel(R) 537EP Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP Modem"
InterVideo WinDVD Creator 2 --> "C:\Arquivos de programas\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
Java DB 10.2.2.0 --> MsiExec.exe /X{0ECB59D5-A3FC-4D61-AD3B-6CE679B3F852}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Development Kit 6 Update 2 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160020}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KORG Legacy Collection v1.1.3 --> C:\ARQUIV~1\KORG\KORGLE~1\UNWISE.EXE C:\ARQUIV~1\KORG\KORGLE~1\INSTALL.LOG
Magic File Renamer 6.12 Professional Edition --> MsiExec.exe /I{2F09F8D0-797D-4F98-9638-4BE6B83A8E26}
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Matroska Pack --> C:\Arquivos de programas\Matroska Pack\uninstall.exe
Microsoft Age of Empires II --> "D:\Arquivos de programas\Jogos\Age of Empires II - The Ages Of Kings\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Office Professional Edição 2003 --> MsiExec.exe /I{90110416-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (PINNACLESYS) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Monkey's Audio --> "C:\Arquivos de programas\Monkey's Audio\unins000.exe"
MusicLab RealGuitar v1.5 --> C:\ARQUIV~1\MusicLab\REALGU~1\UNWISE.EXE C:\ARQUIV~1\MusicLab\REALGU~1\INSTALL.LOG
Naevius YouTube Converter 1.6 --> "C:\Arquivos de programas\Naevius YouTube Converter\unins000.exe"
Native Instruments B4 v1.11 w/ DXi --> C:\ARQUIV~1\NATIVE~1\B4\UNWISE.EXE C:\ARQUIV~1\NATIVE~1\B4\INSTALL.LOG
Native Instruments Finale GPO --> C:\ARQUIV~1\NATIVE~1\FINALE~1\UNWISE.EXE C:\ARQUIV~1\NATIVE~1\FINALE~1\INSTALL.LOG
Native Instruments FM7 --> C:\ARQUIV~1\NATIVE~1\Fm7\UNWISE.EXE C:\ARQUIV~1\NATIVE~1\Fm7\INSTALL.LOG
Native Instruments GuitarRig2 RTAS VSTi DXi --> C:\ARQUIV~1\NATIVE~1\GUITAR~1\UNWISE.EXE C:\ARQUIV~1\NATIVE~1\GUITAR~1\INSTALL.LOG
Need for Speed™ Most Wanted --> D:\Arquivos de programas\Jogos\EA GAMES\Need for Speed Most Wanted\EAUninstall.exe
Nero 7 Premium --> MsiExec.exe /I{F14B8ECC-BDA0-4987-9201-D7B7DBE11046}
Neuratron PhotoScore Demo --> C:\ARQUIV~1\NEURAT~2\UNWISE.EXE C:\ARQUIV~1\NEURAT~2\INSTALL.LOG
Neuratron PhotoScore Lite --> C:\ARQUIV~1\NEURAT~1\UNWISE.EXE C:\ARQUIV~1\NEURAT~1\INSTALL.LOG
NomadFactory Essential Studio Suite VST v1.0 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\ESSv1.0\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\ESSv1.0\INSTALL.LOG
NomadFactory Rock Amp Legends VST v1.01 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\RALv101\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\RALv101\INSTALL.LOG
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
oggcodecs 0.71.0946 --> C:\Arquivos de programas\illiminable\oggcodecs\uninst.exe
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PC DUAL SHOCK --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{42DC7D64-F389-4E37-B545-E7D674A97D66}\setup.exe" -l0x9 -removeonly
PDFCreator --> MsiExec.exe /I{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Pinnacle MediaCenter --> "C:\Documents and Settings\ROBERIO\Dados de aplicativos\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exe"UNINSTALL /l0x0416
Pinnacle MediaServer --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{460CE8B9-6EC2-458A-90D4-691631ECE9D9}\setup.exe" -l0x416 UNINSTALL
PowerDVD --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek AC'97 Audio --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Remove DivX Pro Codec --> C:\WINDOWS\unvise32.exe C:\Arquivos de programas\DivX\DivX Pro Codec\UninstalDivXProCodec.log
Sibelius 5 --> MsiExec.exe /X{C23B8C30-E05E-4CB5-8188-F27CC3B2DD3E}
Sibelius Scorch --> MsiExec.exe /I{80F6A672-C39B-41CE-8AF5-A9C2FA8C2B72}
Sibelius Sounds Essentials --> D:\ARQUIV~1\SIBELI~1\SIBELI~1\ESSENT~1\UNWISE.EXE D:\ARQUIV~1\SIBELI~1\SIBELI~1\ESSENT~1\INSTALL.LOG
SONAR 6 Producer Edition --> "C:\Arquivos de programas\Cakewalk\SONAR 6 Producer Edition\unins000.exe"
Sony Sound Forge 8.0d --> MsiExec.exe /X{5636E517-8100-4E2A-B69E-2B16AFFA2360}
Sound Set Editor --> MsiExec.exe /I{D5E93779-98F8-A262-A338-8DED5907312D}
SpywareBlaster v3.5.1 --> "C:\Arquivos de programas\SpywareBlaster\unins000.exe"
Steinberg Hypersonic 2 --> "C:\Arquivos de programas\Steinberg\VSTPlugins\Hypersonic\Hypersonic Content\unins000.exe"
Subtitle Workshop 2.51 --> "C:\Arquivos de programas\URUSoft\Subtitle Workshop\uninstall.exe"
The Sims 2 --> D:\Arquivos de programas\Jogos\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 - Aberto Para Negócios --> C:\Arquivos de programas\EA GAMES\The Sims 2 - Aberto Para Negócios\EAUninstall.exe
The Sims 2 Diversão em Família Coleção de Objetos --> C:\Arquivos de programas\EA GAMES\The Sims 2 Diversão em Família Coleção de Objetos\EAUninstall.exe
The Sims 2 University --> C:\Arquivos de programas\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims 2: Vida Noturna --> C:\Arquivos de programas\EA GAMES\The Sims 2 Vida Noturna\EAUninstall.exe
The Sims™ 2 Bichos de Estimação --> C:\Arquivos de programas\EA GAMES\The Sims 2 Bichos de Estimação\EAUninstall.exe
The Sims™ 2 Glamour Coleção de Objetos --> C:\Arquivos de programas\EA GAMES\The Sims 2 Glamour Coleção de Objetos\EAUninstall.exe
Timeworks Millenium Pack --> C:\Audio\TIMEWO~1\UNWISE.EXE C:\Audio\TIMEWO~1\INSTALL.LOG
Total Video Converter 3.10 --> "C:\Arquivos de programas\Total Video Converter\unins000.exe"
Ultra Tag Editor --> C:\Arquivos de programas\Ultra Tag Editor\uninst.exe
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
URS Everything EQ Bundle v4.0 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\URSINS~1\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\URSINS~1\INSTALL.LOG
VBA --> MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Waves Diamond Bundle v5.2 --> C:\ARQUIV~1\Waves\DIAMON~1\UNWISE.EXE C:\ARQUIV~1\Waves\DIAMON~1\INSTALL.LOG
Waves L3 v5.2 --> C:\ARQUIV~1\Waves\UNINST~1\UNWISE.EXE C:\ARQUIV~1\Waves\UNINST~1\INSTALL.LOG
Waves Q-Clone v1.0 --> C:\ARQUIV~1\Waves\Q-Clone\UNWISE.EXE C:\ARQUIV~1\Waves\Q-Clone\INSTALL.LOG
Waves SSL Collection v1.2 --> C:\ARQUIV~1\Waves\AIRLOG~1\WAVESS~1.2\UNWISE.EXE C:\ARQUIV~1\Waves\AIRLOG~1\WAVESS~1.2\INSTALL.LOG
Winamp (remove only) --> "C:\Arquivos de programas\Winamp\UninstWA.exe"
WinRAR archiver --> C:\Arquivos de programas\WinRAR\uninstall.exe
Wireless Combo --> C:\WINDOWS\ISUN0816.EXE -f"C:\Arquivos de programas\Wireless Combo\Uninst.isu" -c"C:\Arquivos de programas\Wireless Combo\UnInst.dll"
WordBuilder --> MsiExec.exe /I{91C36BDB-B77C-4C2D-B278-3CF1D1005C8F}
Xvid 1.1.2 final uninstall --> "C:\Arquivos de programas\XviD\unins001.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type3939 / Error
Event Submitted/Written: 01/18/2008 01:19:13 PM
Event ID/Source: 1001 / Application Error
Event Description:
Falha no compartimento de memória 296617473.
O intercâmbio de chave Wep não resultou em uma configuração de conexão segura após a autenticação 802.1x. A configuração atual foi marcada como tendo falhado e a conexão sem fio será desconectada.

Event Record #/Type3938 / Error
Event Submitted/Written: 01/18/2008 01:19:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha iexplore.exe, versão 6.0.2900.2180, módulo com falha oscan8.ocx, versão 1.0.0.1, endereço com falha 0x00029291.
Processando evento específico de mídia para [iexplore.exe!ws!]

Event Record #/Type3935 / Error
Event Submitted/Written: 01/17/2008 03:42:50 AM
Event ID/Source: 1 / nview_info
Event Description:
NVIEW : MulMouse: WAIT_TIMEOUT, while waiting for a read to clear - resetting read event

Event Record #/Type3933 / Error
Event Submitted/Written: 01/16/2008 08:23:12 PM
Event ID/Source: 1001 / Application Error
Event Description:
Falha no compartimento de memória 347130002.
O intercâmbio de chave Wep não resultou em uma configuração de conexão segura após a autenticação 802.1x. A configuração atual foi marcada como tendo falhado e a conexão sem fio será desconectada.

Event Record #/Type3932 / Error
Event Submitted/Written: 01/16/2008 08:23:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha iexplore.exe, versão 6.0.2900.2180, módulo com falha flash9b.ocx, versão 9.0.28.0, endereço com falha 0x00099589.
Processando evento específico de mídia para [iexplore.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type2557 / Error
Event Submitted/Written: 01/19/2008 02:32:32 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
O serviço Localizador de computadores terminou com o erro:
%%1460

Event Record #/Type2538 / Error
Event Submitted/Written: 01/19/2008 02:28:08 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
O serviço Configuração zero sem fio depende do serviço Protocolo de modo de usuário E/S em dispositivos NDIS, mas não foi possível iniciá-lo devido ao seguinte erro:
%%1058

Event Record #/Type2534 / Error
Event Submitted/Written: 01/19/2008 09:37:53 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
O serviço Localizador de computadores terminou com o erro:
%%1460

Event Record #/Type2515 / Error
Event Submitted/Written: 01/19/2008 09:34:06 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
O serviço Configuração zero sem fio depende do serviço Protocolo de modo de usuário E/S em dispositivos NDIS, mas não foi possível iniciá-lo devido ao seguinte erro:
%%1058

Event Record #/Type2510 / Warning
Event Submitted/Written: 01/18/2008 05:05:30 PM
Event ID/Source: 57 / Ftdisk
Event Description:
O sistema não pôde mover dados para o log de transações. Corrupção possível.

-- End of Deckard's System Scanner: finished at 2008-01-19 14:33:56 ------------

Kankiz · Jan 19, 2008

Continue...

The other stuff:

STEP 1: the pathnames in red:

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe

and the Process:

System Idle Process
System
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\WINDOWS\system32\smss.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Documents and Settings\ROBERIO\Desktop\IceSword122en\IceSword.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wintems.exe

STEP 2: the Win32 Services (no red entries):

Started Service:

Service Name:AcrSch2Svc Display Name:Acronis Scheduler2 Service
Service Name:AudioSrv Display Name:Áudio do Windows
Service Name:BITS Display Name:Serviço de transferência inteligente de plano de fundo
Service Name:CryptSvc Display Name:Serviços de criptografia
Service Name

comLaunch Display Name:Inicializador de Processo de Servidor DCOM
Service Name

hcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Gerenciador de discos lógicos
Service Name

nscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Log de eventos
Service Name:EventSystem Display Name:Sistema de eventos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidade com 'Troca rápida de usuário'
Service Name:GbpSv Display Name:Gbp Service
Service Name:helpsvc Display Name:Ajuda e suporte
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:InCDsrv Display Name:InCD Helper
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estação de trabalho
Service Name:LmHosts Display Name:Auxiliar NetBIOS TCP/IP
Service Name:Netman Display Name:Conexões de rede
Service Name:Nla Display Name:Reconhecimento de local da rede (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name

lugPlay Display Name

lug and Play
Service Name

olicyAgent Display Name:Serviços IPSEC
Service Name

rotectedStorage Display Name:Armazenamento protegido
Service Name:RasMan Display Name:Gerenciador de conexão de acesso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Chamada de procedimento remoto (RPC)
Service Name:SamSs Display Name:Gerenciador de contas de segurança
Service Name:Schedule Display Name:Schedule
Service Name:seclogon Display Name:Logon secundário
Service Name:SENS Display Name:Notificação de eventos de sistema
Service Name:ShellHWDetection Display Name

etecção do hardware do shell
Service Name:Spooler Display Name:Spooler de impressão
Service Name:srservice Display Name:Serviço de restauração do sistema
Service Name:SSDPSRV Display Name:Serviço de descoberta SSDP
Service Name:stisvc Display Name:Assistente de aquisição de imagens do Windows (WIA)
Service Name:TapiSrv Display Name:Telefonia
Service Name:TermService Display Name:Serviços de terminal
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de rastreamento de link distribuído
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Horário do Windows
Service Name:WebClient Display Name:Cliente da Web
Service Name:winmgmt Display Name:Testador de instrumentação de gerenciam. do Windows

STEP 3: the SSDT KModule name:

\??\C:\WINDOWS\system32\drivers\srosa.sys (12 times listed in red)

sptd.sys (3 times listed in red)

That's it. UAU! Sorry, but rapidshare was offline.
Thanks.

Rorschach112 · Jan 19, 2008

Hello

Now for the fix. Close all windows and run IceSword.exe. Do not restart your until the very end to ensure the fix works

Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe

Step 2 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) and folder in bold and delete them.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\down << folder

Step 4 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa <<< Let me know if this key is present, delete it if it is

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer

Then reboot your PC and run IceSword again. Save new logs from the "Processes" and "Win32 Services" tabs, taking note of any red entries from them and from the SSDT tab.

Kankiz · Jan 19, 2008

Hi,

Navigate to the following file(s) and folder in bold and delete them.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\down << folder

Did you meant to delete all the files in the folder or the folder itself? Anyway, the folder's gone. I've deleted it. And...

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa <<< Let me know if this key is present, delete it if it is

Well, the key was there and I've deleted it too.

There are no red entries in 'Processes' nor in 'Win32 Services', but in SSDT there are now 7 entries in red with the same kmodule name: 'sptd.sys'. :sad:

Also, I could note that in 'start up' (icesword) there are 2 registry keys for the 'hldrrr.exe' and 'wintems.exe'. Should I delete them too? :devil:

The logs:

Process:

System Idle Process
System
C:\Arquivos de programas\Wireless Combo\OSD.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\ROBERIO\Desktop\IceSword122en\IceSword.exe

Started Service:

Service Name:AcrSch2Svc Display Name:Acronis Scheduler2 Service
Service Name:AudioSrv Display Name:Áudio do Windows
Service Name:BITS Display Name:Serviço de transferência inteligente de plano de fundo
Service Name:Browser Display Name:Localizador de computadores
Service Name:CryptSvc Display Name:Serviços de criptografia
Service Name

comLaunch Display Name:Inicializador de Processo de Servidor DCOM
Service Name

hcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Gerenciador de discos lógicos
Service Name

nscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Log de eventos
Service Name:EventSystem Display Name:Sistema de eventos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidade com 'Troca rápida de usuário'
Service Name:GbpSv Display Name:Gbp Service
Service Name:helpsvc Display Name:Ajuda e suporte
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:InCDsrv Display Name:InCD Helper
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estação de trabalho
Service Name:LmHosts Display Name:Auxiliar NetBIOS TCP/IP
Service Name:Netman Display Name:Conexões de rede
Service Name:Nla Display Name:Reconhecimento de local da rede (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name

lugPlay Display Name

lug and Play
Service Name

olicyAgent Display Name:Serviços IPSEC
Service Name

rotectedStorage Display Name:Armazenamento protegido
Service Name:RasMan Display Name:Gerenciador de conexão de acesso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Chamada de procedimento remoto (RPC)
Service Name:SamSs Display Name:Gerenciador de contas de segurança
Service Name:Schedule Display Name:Schedule
Service Name:seclogon Display Name:Logon secundário
Service Name:SENS Display Name:Notificação de eventos de sistema
Service Name:ShellHWDetection Display Name

etecção do hardware do shell
Service Name:Spooler Display Name:Spooler de impressão
Service Name:srservice Display Name:Serviço de restauração do sistema
Service Name:SSDPSRV Display Name:Serviço de descoberta SSDP
Service Name:stisvc Display Name:Assistente de aquisição de imagens do Windows (WIA)
Service Name:TapiSrv Display Name:Telefonia
Service Name:TermService Display Name:Serviços de terminal
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de rastreamento de link distribuído
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Horário do Windows
Service Name:WebClient Display Name:Cliente da Web
Service Name:winmgmt Display Name:Testador de instrumentação de gerenciam. do Windows

Rorschach112 · Jan 19, 2008

Hello

Also, I could note that in 'start up' (icesword) there are 2 registry keys for the 'hldrrr.exe' and 'wintems.exe'. Should I delete them too?

Yes delete those too.

Once you have done that, restart your PC and post me new logs from all the areas including Startup

Rorschach112 · Jan 19, 2008

Actually it won't allow you to delete them from there

Do this instead

Backup Your Registry with ERUNT

Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.

Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Then navigate to the following registry keys in bold and delete them

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hldrrr.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"
"wintems.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"

Reboot and post the logs

Kankiz · Jan 20, 2008

Hi,

Then navigate to the following registry keys in bold and delete them

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hldrrr.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"
"wintems.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"

You've meant: "HKEY_CURRENT_USER\..." and not "HKEY_LOCAL_MACHINE\...", haven't you? Because the keys were not there. Anyway, I've deleted the keys where I found them: in "HKEY_CURRENT_USER\...", and also the keys are not the same you've said: there wasn't the word 'igfxtray.exe', for example.

Well, here the logs go:

Process:

System Idle Process
System
C:\Arquivos de programas\Wireless Combo\OSD.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\ROBERIO\Desktop\IceSword122en\IceSword.exe

Started Service:

Service Name:AcrSch2Svc Display Name:Acronis Scheduler2 Service
Service Name:AudioSrv Display Name:Áudio do Windows
Service Name:BITS Display Name:Serviço de transferência inteligente de plano de fundo
Service Name:Browser Display Name:Localizador de computadores
Service Name:CryptSvc Display Name:Serviços de criptografia
Service Name

comLaunch Display Name:Inicializador de Processo de Servidor DCOM
Service Name

hcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Gerenciador de discos lógicos
Service Name

nscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Log de eventos
Service Name:EventSystem Display Name:Sistema de eventos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidade com 'Troca rápida de usuário'
Service Name:GbpSv Display Name:Gbp Service
Service Name:helpsvc Display Name:Ajuda e suporte
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:InCDsrv Display Name:InCD Helper
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estação de trabalho
Service Name:LmHosts Display Name:Auxiliar NetBIOS TCP/IP
Service Name:Netman Display Name:Conexões de rede
Service Name:Nla Display Name:Reconhecimento de local da rede (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name

lugPlay Display Name

lug and Play
Service Name

olicyAgent Display Name:Serviços IPSEC
Service Name

rotectedStorage Display Name:Armazenamento protegido
Service Name:RasMan Display Name:Gerenciador de conexão de acesso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Chamada de procedimento remoto (RPC)
Service Name:SamSs Display Name:Gerenciador de contas de segurança
Service Name:Schedule Display Name:Schedule
Service Name:seclogon Display Name:Logon secundário
Service Name:SENS Display Name:Notificação de eventos de sistema
Service Name:ShellHWDetection Display Name

etecção do hardware do shell
Service Name:Spooler Display Name:Spooler de impressão
Service Name:srservice Display Name:Serviço de restauração do sistema
Service Name:SSDPSRV Display Name:Serviço de descoberta SSDP
Service Name:stisvc Display Name:Assistente de aquisição de imagens do Windows (WIA)
Service Name:TapiSrv Display Name:Telefonia
Service Name:TermService Display Name:Serviços de terminal
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de rastreamento de link distribuído
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Horário do Windows
Service Name:WebClient Display Name:Cliente da Web
Service Name:winmgmt Display Name:Testador de instrumentação de gerenciam. do Windows

Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ptipbmf
rundll32.exe ptipbmf.dll,SetWriteCacheMode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan
SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Pinnacle WebUpdater
"C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools
"C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
Activar programa de Leading Scroll.lnk
C:\Arquivos de programas\Wireless Combo\MulMouse.exe (Remark£º)

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
desktop.ini

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
Media Key.lnk
C:\Arquivos de programas\Wireless Combo\MagicKey.exe (Remark£º)

C:\Documents and Settings\ROBERIO\Menu Iniciar\Programas\Inicializar
desktop.ini

Again, there are no red entries in 'Processes' nor in 'Win32 Services', but in SSDT there still are 7 entries in red with the same kmodule name: 'sptd.sys'. What are these?

I've restored the registries too. Was it necessary?

Thanks again, I feel the PC is becoming like before.

Rorschach112 · Jan 20, 2008

Hello

Good work

Sptd.sys is a legitimate file so don't touch that

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended (if available otherwise Standard)
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Drivers and click Scan

Kankiz · Jan 20, 2008

Hi,

Here we go:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 20, 2008 3:33:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 524225
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 143969
Number of viruses found: 4
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 02:13:21

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080120011756\backup\WINDOWS\temp\ASHeuristic\wintems.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\.housecall6.6\Quarantine\mdelk.exe.bac_a01456 Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\MSHist012008012020080121\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020810.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020812.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020834.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020835.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020836.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020838.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020839.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\A0021834.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\A0021835.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\A0021836.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\A0021844.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8925.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs de Expansão\The Sims 2 EP4-1 Pets - Bichos de Estimação\install.exe/irsetup.dat Infected: P2P-Worm.Win32.Padonak.b skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs de Expansão\The Sims 2 EP4-1 Pets - Bichos de Estimação\install.exe SetupFactory: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\change.log Object is locked skipped

Scan process completed.

Continue...

Kankiz · Jan 20, 2008

Continue...

Deckard's System Scanner v20071014.68
Run by ROBERIO on 2008-01-20 03:47:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as ROBERIO.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:47:12, on 20/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ROBERIO\desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\ROBERIO.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6433 bytes

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R1 mapledxp - c:\windows\system32\drivers\mapledxp.sys <Not Verified; Jeff Hurchalla and Marble Sound; MarbleSound Maple Midi XP Driver SYS>
R1 moufiltr (Mouse Filter Driver) - c:\windows\system32\drivers\moufiltr.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 UsbFltr (WayTechMUSBFilterDriver) - c:\windows\system32\drivers\usbfltr.sys <Not Verified; Waytech Development, Inc.; Ortek USB Keypad>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>
R3 mohfilt - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel Corporation; Creatix V.9X data fax modem>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 catchme - c:\docume~1\roberio\config~1\temp\catchme.sys (file missing)

-- Files created between 2007-12-20 and 2008-01-20 -----------------------------

2008-01-20 02:26:30 0 dr-h----- C:\Documents and Settings\ROBERIO\Recent
2008-01-18 17:46:48 0 d-------- C:\Arquivos de programas\Trend Micro
2008-01-18 10:41:22 8576 --a------ C:\WINDOWS\system32\drivers\vfhfvquoiswm.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 09:50:21 8576 --a------ C:\WINDOWS\system32\drivers\oemjiubaxbrj.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-17 19:22:01 8576 --a------ C:\WINDOWS\system32\drivers\jocnmljhbhvi.sys <Not Verified; Panda Software International; RKPavProc Driver>

-- Find3M Report ---------------------------------------------------------------

2008-01-18 02:29:18 0 d-------- C:\Arquivos de programas\Wireless Combo
2008-01-18 02:09:28 0 d-------- C:\Arquivos de programas\MFR6
2008-01-18 01:43:42 0 d-------- C:\Arquivos de programas\GbPlugin
2008-01-18 01:27:59 0 d-------- C:\Arquivos de programas\DAEMON Tools
2008-01-16 18:20:20 0 d-------- C:\Arquivos de programas\SpywareBlaster
2008-01-09 20:08:52 0 d-------- C:\Arquivos de programas\eMule
2008-01-09 16:58:40 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\BSplayer PRO
2008-01-09 16:58:29 0 d-------- C:\Arquivos de programas\Webteh
2007-12-20 14:35:19 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-12 11:54:59 240 --a------ C:\WINDOWS\system32\RfmDat2.dat
2007-12-01 10:36:24 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\Adobe
2007-12-01 10:29:04 0 d-------- C:\Arquivos de programas\Arquivos comuns
2007-12-01 09:04:56 0 d-------- C:\Arquivos de programas\Sibelius Software
2007-11-29 22:32:20 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\uTorrent
2007-11-22 09:39:59 451670 --a------ C:\WINDOWS\system32\perfh016.dat
2007-11-22 09:39:59 78596 --a------ C:\WINDOWS\system32\perfc016.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [20/06/2003 13:06 C:\WINDOWS\system32\ptipbmf.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"SoundMan"="SOUNDMAN.EXE" [26/02/2004 06:53 C:\WINDOWS\SOUNDMAN.EXE]
"Pinnacle WebUpdater"="C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [26/03/2006 12:10]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [10/12/2005 12:57]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Activar programa de Leading Scroll.lnk - C:\Arquivos de programas\Wireless Combo\MulMouse.exe [27/1/2007 14:33:31]
Media Key.lnk - C:\Arquivos de programas\Wireless Combo\MagicKey.exe [27/1/2007 14:33:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [03/12/2007 16:30 347976]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [15/08/2007 19:14 207280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GbPlugin\gbieh.dll 03/12/2007 16:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 03/12/2007 16:30 347976 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Arquivos de programas\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Arquivos de programas\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Arquivos de programas\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\system32\Sims 2 Pets.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tomar Agua]
D:\Meus Documentos\E-mail\Slides\Tomar_Agua.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Arquivos de programas\Winamp\Winampa.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ebad148-5a83-11dc-90e0-0013d42eb01f}]
AutoRun\command- E:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2008-01-20 03:47:30 ------------

Well, how are we going? Don't we have to delete these back-ups viruses now? And the file 'install.exe' in my documents too?

May I re-install AVG and Spybot? They will work?

One more thing: and the red line above "SafeBoot registry key needs repairs. This machine cannot enter Safe Mode."?

Thanks again and forever.

:

Rorschach112 · Jan 20, 2008

We are nearly done now

Download and run SafeBootKeyRepair-CF from:

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
or
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

It will take only a moment for it to run.
A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply

And the file 'install.exe' in my documents too?

Go to this site and scan that file

http://virusscan.jotti.org/de/

Paste the results back here

Kankiz · Jan 20, 2008

Hi,

Here goes the SafeBootKeyRepair report:

Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

And the file scan:

Datei: install.exe
Auslastung: 0% 100%

Status: INFIZIERT/MALWARE
Entdeckte Packprogramme: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Bit9 rapportiert: No threat detected (more info)

A-Squared Keine Viren gefunden
AntiVir DR/Padonak.B gefunden
ArcaVir Keine Viren gefunden
Avast Win32:Trojan-gen {VC} gefunden
AVG Antivirus Keine Viren gefunden
BitDefender Keine Viren gefunden
ClamAV Keine Viren gefunden
CPsecure Keine Viren gefunden
Dr.Web Keine Viren gefunden
F-Prot Antivirus Keine Viren gefunden
F-Secure Anti-Virus P2P-Worm.Win32.Padonak.b gefunden
Fortinet Keine Viren gefunden
Ikarus P2P-Worm.Win32.Padonak.b gefunden
Kaspersky Anti-Virus P2P-Worm.Win32.Padonak.b gefunden
NOD32 Keine Viren gefunden
Norman Virus Control Keine Viren gefunden
Panda Antivirus Keine Viren gefunden
Rising Antivirus Keine Viren gefunden
Sophos Antivirus Keine Viren gefunden
VirusBuster Keine Viren gefunden
VBA32 P2P-Worm.Win32.Padonak.b gefunden

Rorschach112 · Jan 20, 2008

You can delete that install.exe file in My Documents

Reboot and tell me if it is still there and post a new DSS log

Kankiz · Jan 20, 2008

Hi,

The 'install.exe' seems to be gone. And the DSS have only created the 'main report'. Here it is:

Deckard's System Scanner v20071014.68
Run by ROBERIO on 2008-01-20 14:56:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as ROBERIO.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:56:15, on 20/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ROBERIO\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\ROBERIO.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6376 bytes

-- Files created between 2007-12-20 and 2008-01-20 -----------------------------

2008-01-20 04:07:42 0 dr-h----- C:\Documents and Settings\ROBERIO\Recent
2008-01-18 17:46:48 0 d-------- C:\Arquivos de programas\Trend Micro
2008-01-18 10:41:22 8576 --a------ C:\WINDOWS\system32\drivers\vfhfvquoiswm.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 09:50:21 8576 --a------ C:\WINDOWS\system32\drivers\oemjiubaxbrj.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-17 19:22:01 8576 --a------ C:\WINDOWS\system32\drivers\jocnmljhbhvi.sys <Not Verified; Panda Software International; RKPavProc Driver>

-- Find3M Report ---------------------------------------------------------------

2008-01-20 04:01:18 0 d-------- C:\Arquivos de programas\SpywareBlaster
2008-01-18 02:29:18 0 d-------- C:\Arquivos de programas\Wireless Combo
2008-01-18 02:09:28 0 d-------- C:\Arquivos de programas\MFR6
2008-01-18 01:43:42 0 d-------- C:\Arquivos de programas\GbPlugin
2008-01-18 01:27:59 0 d-------- C:\Arquivos de programas\DAEMON Tools
2008-01-09 20:08:52 0 d-------- C:\Arquivos de programas\eMule
2008-01-09 16:58:40 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\BSplayer PRO
2008-01-09 16:58:29 0 d-------- C:\Arquivos de programas\Webteh
2007-12-20 14:35:19 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-12 11:54:59 240 --a------ C:\WINDOWS\system32\RfmDat2.dat
2007-12-01 10:36:24 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\Adobe
2007-12-01 10:29:04 0 d-------- C:\Arquivos de programas\Arquivos comuns
2007-12-01 09:04:56 0 d-------- C:\Arquivos de programas\Sibelius Software
2007-11-29 22:32:20 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\uTorrent
2007-11-22 09:39:59 451670 --a------ C:\WINDOWS\system32\perfh016.dat
2007-11-22 09:39:59 78596 --a------ C:\WINDOWS\system32\perfc016.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [20/06/2003 13:06 C:\WINDOWS\system32\ptipbmf.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"SoundMan"="SOUNDMAN.EXE" [26/02/2004 06:53 C:\WINDOWS\SOUNDMAN.EXE]
"Pinnacle WebUpdater"="C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [26/03/2006 12:10]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [10/12/2005 12:57]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Activar programa de Leading Scroll.lnk - C:\Arquivos de programas\Wireless Combo\MulMouse.exe [27/1/2007 14:33:31]
Media Key.lnk - C:\Arquivos de programas\Wireless Combo\MagicKey.exe [27/1/2007 14:33:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [03/12/2007 16:30 347976]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [15/08/2007 19:14 207280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GbPlugin\gbieh.dll 03/12/2007 16:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 03/12/2007 16:30 347976 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Arquivos de programas\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Arquivos de programas\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Arquivos de programas\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\system32\Sims 2 Pets.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tomar Agua]
D:\Meus Documentos\E-mail\Slides\Tomar_Agua.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Arquivos de programas\Winamp\Winampa.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ebad148-5a83-11dc-90e0-0013d42eb01f}]
AutoRun\command- E:\LaunchU3.exe -a

-- End of Deckard's System Scanner: finished at 2008-01-20 14:56:32 ------------

Rorschach112 · Jan 20, 2008

Your logs are clean ! We need to do a few things

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK, Disk Cleanup will open and start calculating the amount of space that can be freed, Once thats finished it will open the Disk Cleanup options screen, click the More Options tab then click Clean up on the system restore area and choose Yes at the confirmation window which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.

You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.

Kankiz · Jan 20, 2008

Hi,

Great! Man, you are the guy! :bow:

Spybot is already running and I'll install AVG next. I think I will not have any problems with it.

I've already had SpywareBlaster in my PC and I'm considering in trying Mozilla instead of IE. I've also downloaded all the programs and warnings you told me to. :2thumb:

One thing: The 'Deckard' folder in C:\ contains a folder named '\backup\' that has: 1. my old temp files (in 'C:\Deckard\System Scanner\20080120011756\backup\DOCUME~1\ROBERIO\CONFIG~1\Temp\') and 2. an back-up of the viruses themselves: mdelk.exe & wintems.exe (in 'C:\Deckard\System Scanner\20080120011756\backup\WINDOWS\temp\ASHeuristic\'). Also, a folder named '\Downloaded Program Files\' (in the same folder '\WINDOWS\') with some files.
Should I deleted all of them? :scratch:
And the programs HijackThis and Erunt, should I unninstall them too?

Thanks a lot. Guys like you make the world better to live. :bigthumb:

Robério, the Kankiz.

Trojans mdelk.exe & wintems.exe, please need help!

New member

Retired Security Volunteer

New member

New member

New member

New member

Retired Security Volunteer

New member

Retired Security Volunteer

Retired Security Volunteer

New member

Retired Security Volunteer

New member

New member

Retired Security Volunteer

New member

Retired Security Volunteer

New member

Retired Security Volunteer

New member