Author Topic: Avast finds but cannot deal with Win32:BHO-KD (Trojan)


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #30 on: January 02, 2008, 07:01:11 PM »
Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Doubleclick on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

gipsyking

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #31 on: January 02, 2008, 07:08:52 PM »
Hi, I have this virus "Win32:BHO-KD (Trojan)". Can you help me, please?

What do I have to do? Thanks.

gipsyking

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #32 on: January 02, 2008, 07:18:02 PM »
I already have main.txt and extra.txt, with Hijack... and what do I do next?

Offline oldman

Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #33 on: January 02, 2008, 07:42:19 PM »
I already have main.txt and extra.txt, with Hijack... and what do I do next?

Please start your own thread and post the logs in it. With more than one person posting logs in the same thread, it will get really confusing.  :)

Nic_1

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #34 on: January 02, 2008, 07:54:36 PM »
Hi,
I'm very new to the forums, so please bear w/me. I also have the trojan Win32:BHO-KD. I followed the reboot instructions and the message I get is access denied when I try to place it in the chest.
Does anyone have any info on what type of trojan it is, the damage level etc. ANY help and info would be greatly appreciated.
Thanks,
Nico

Offline oldman

Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #35 on: January 02, 2008, 08:19:09 PM »
Welcome to the forum

If you start your own thread by clicking on the "new topic" button at the top of the page, I will give you instructions on removal of this pest.  :)

Nic_1

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #36 on: January 02, 2008, 09:03:47 PM »
Welcome to the forum

If you start your own thread by clicking on the "new topic" button at the top of the page, I will give you instructions on removal of this pest.  :)

I'm not sure if you are referring to me or not... sorry, I am not familiar w/the protocol on this board. Don't know which button/topic you want me to start. I thought this was a good place to post my problem since I too have gone through the steps and Avast doesn't seem to be able to rid my PC of this pest. So, any help anyone can give me would be greatly appreciated.
Thank you in advance.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #37 on: January 02, 2008, 09:41:47 PM »
Hi Nic, I will start a new topic for you with your name and we can work from there  :D

pino-88

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #38 on: January 02, 2008, 11:13:27 PM »
Hi Oldman

Here are the logfiles of ComboFix and of HijackThis.

Thank you for your patience.

ComboFix 08-01-03.3 - Anna 2000-01-01  8.40.31.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1040.18.176 [GMT 1:00]
Eseguito da: C:\Documents and Settings\Anna\Impostazioni locali\Temporary Internet Files\Content.IE5\G5QFOD2J\ComboFix[1].exe
 * Creato nuovo punto di ripristino
.

(((((((((((((((((((((((((((((((((((((   Altre eliminazioni   )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\start.exe

.
(((((((((((((((((((((((((   Files Creati Da 2007-12-03 al 2008-01-03  )))))))))))))))))))))))))))))))))))
.

Nessun nuovo file creato in questo arco di tempo

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 10:49   19,456   ----a-w   C:\WINDOWS\system32\drivers\ckocvhvs.dat
2007-05-26 21:10   19,160   ----a-w   C:\Documents and Settings\Anna\Dati applicazioni\GDIPFONTCACHEV1.DAT
2004-04-23 16:08   271   --sha-w   C:\Programmi\desktop.ini
2004-04-23 16:08   23,476   ---ha-w   C:\Programmi\folder.htt
.

(((((((((((((((((((((((((((((((((((((   Punti Reg Caricati   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
REGEDIT4
*Nota* i valori vuoti & legittimi/default non sono visualizzati.

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{721C1358-D3EF-4497-938F-3239AA4F74E7}]
2003-08-28 09:44   90880   --a------   C:\WINDOWS\system32\AC3AP.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@={7D688A77-C613-11D0-999B-00C04FD655E1}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-19 15:39 15360]
"H/PC Connection Agent"="C:\Programmi\Microsoft ActiveSync\Wcescomm.exe" [2006-11-13 13:38 1289000]
"SUPERAntiSpyware"="C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe" [2001-08-31 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-07-15 11:42 4112384]
"nwiz"="nwiz.exe" [2004-07-15 11:42 843776 C:\WINDOWS\SYSTEM32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2004-07-15 11:42 81920]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"CTHelper"="CTHELPER.EXE" [2003-08-28 09:45 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"ashMaiSv"="C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe" [2007-09-06 11:05 243064]
"HP Software Update"="C:\Programmi\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 01:41 49152]
"Control Center"="C:\Programmi\ASUS\WLAN Card Utilities\Center.exe" [2004-11-04 18:36 1569280]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-19 15:39 15360]

C:\Documents and Settings\All Users\Menu Avvio\Programmi\Esecuzione automatica\
HP Digital Imaging Monitor.lnk - C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 03:21:22]
Microsoft Office.lnk - C:\Programmi\Microsoft Office\Office10\OSA.EXE [2001-02-13 09:01:04]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Programmi\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Programmi\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Programmi\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
"Rscmpt"=C:\WINDOWS\SYSTEM32\RSCMPT.EXE
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\SYSTEM32\NVCPL.DLL,NvStartup
"CARPService"=carpserv.exe

R0 jfbibhbj;jfbibhbj;C:\WINDOWS\system32\drivers\ckocvhvs.dat []
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys [2003-12-02 16:47]
R3 ASNDIS5;ASNDIS5 Protocol Driver;C:\WINDOWS\system32\ASNDIS5.SYS [2002-09-09 18:54]
S2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys [2003-12-02 16:47]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5ac6bc31-0a29-11dc-b080-0015f29962d3}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{aa2233a0-6d45-11dc-b0ea-0015f29962d3}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - HTTPFILTER
*Newly Created Service* - PROCEXP90

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Programmi\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
"C:\Programmi\Outlook Express\setup50.exe" /APP:OE /CALLER:WIN9X /user /install
"C:\Programmi\Outlook Express\setup50.exe" /APP:OE /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Programmi\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
"C:\Programmi\Outlook Express\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install
"C:\Programmi\Outlook Express\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
.
Contenuto della cartella 'Scheduled Tasks'
"2000-01-01 08:00:00 C:\WINDOWS\Tasks\Avvio ottimizzazione applicazione.job"
"2007-12-31 17:19:00 C:\WINDOWS\Tasks\Disinstalla Promemoria scadenza.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2007-12-31 16:15:16 C:\WINDOWS\Tasks\Utilità di pianificazione di Prevenzione e risoluzione dei problemi per Raccolta dati.job"
- C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-03 08:45:53
Windows 5.1.2600 Service Pack 2 NTFS

scansione processi nascosti ...

scansione entrate autostart nascoste ...

Scansione files nascosti ...

Scansione completata con successo
Files nascosti: 0

**************************************************************************
.
Ora fine scansione: 2008-01-02 22.43.01
ComboFix-quarantined-files.txt  2008-01-02 21:42:29

END OF COMBOFIX LOG

HIJACKTHIS LOG FOLLOWS IN A DIFFERENT POST (max length exceeded)

pino-88

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #39 on: January 02, 2008, 11:14:00 PM »
START OF HIJACKTHIS LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23.02.22, on 02/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Ahead\InCD\InCDsrv.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
C:\Programmi\ASUS\WLAN Card Utilities\Center.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Microsoft ActiveSync\Wcescomm.exe
C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Programmi\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Programmi\Internet Explorer\iexplore.exe
C:\Programmi\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.it/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {721C1358-D3EF-4497-938F-3239AA4F74E7} - C:\WINDOWS\system32\AC3AP.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Programmi\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Control Center] C:\Programmi\ASUS\WLAN Card Utilities\Center.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Programmi\Microsoft ActiveSync\Wcescomm.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Programmi\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Programmi\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programmi\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - D:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Crea preferiti portatile... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmi\Messenger\msmsgs.exe
O12 - Plugin for .tif: C:\Programmi\Internet Explorer\PLUGINS\npqtplugin4.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Programmi\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Programmi\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 5531 bytes

Offline oldman

Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #40 on: January 02, 2008, 11:42:34 PM »
1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Quote
drivers to unload:
jfbibhbj

Files to delete:
C:\WINDOWS\system32\drivers\ckocvhvs.dat 
C:\WINDOWS\system32\AC3AP.dll
 

Note: the above code was created specifically for this user.  If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions.  This log file will be located at  C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.

« Last Edit: January 03, 2008, 05:43:38 AM by oldman »
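The triage behind the Avenger script above, as an added example (not code from the thread, The Avenger, ComboFix or HijackThis): it parses the O2 lines of the HijackThis log and the R0/R2/S2 service lines of the ComboFix log pino-88 posted, flags the unnamed BHO and the driver whose image has no timestamp and is not a .sys file, and renders the same removal plan oldman wrote. The sample lines are copied from the thread's logs except one constructed benign BHO with a placeholder CLSID; the heuristics, the Finding type and the function names are my own and not any tool's API.

```python
import re
from dataclasses import dataclass, field

# Sample HijackThis lines. The first two are copied from the log posted in
# this thread; the third (placeholder CLSID) is a constructed benign BHO
# so the filter has something legitimate to leave alone.
HJT_SAMPLE = """\
O2 - BHO: (no name) - {721C1358-D3EF-4497-938F-3239AA4F74E7} - C:\\WINDOWS\\system32\\AC3AP.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\\Programmi\\Example\\helper.dll
"""

# Sample ComboFix service/driver lines, copied from the log in this thread.
COMBOFIX_SAMPLE = """\
R0 jfbibhbj;jfbibhbj;C:\\WINDOWS\\system32\\drivers\\ckocvhvs.dat []
R2 NVXBAR;nVidia WDM A/V Crossbar;C:\\WINDOWS\\system32\\DRIVERS\\NVxbar.sys [2003-12-02 16:47]
S2 nvcap;nVidia WDM Video Capture (universal);C:\\WINDOWS\\system32\\DRIVERS\\nvcap.sys [2003-12-02 16:47]
"""

# "O2 - BHO: <name> - {<CLSID>} - <path>" as HijackThis prints it.
HJT_O2 = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
# "<start> <service>;<display name>;<image path> [<timestamp>]" as ComboFix prints it.
CF_SVC = re.compile(
    r"^(?P<start>[RS]\d) (?P<svc>[^;]*);(?P<display>[^;]*);(?P<path>.+?) \[(?P<stamp>[^\]]*)\]$")


@dataclass
class Finding:
    kind: str                  # "bho" or "driver"
    name: str                  # CLSID for a BHO, service name for a driver
    path: str                  # image on disk
    reasons: list = field(default_factory=list)


def scan_hjt(text):
    """Flag O2 (BHO) entries that look suspicious (heuristics are mine)."""
    findings = []
    for line in text.splitlines():
        m = HJT_O2.match(line.strip())
        if not m:
            continue
        reasons = []
        if m["name"] == "(no name)":
            reasons.append("BHO registered without a display name")
        low = m["path"].lower()
        if low.startswith("c:\\windows\\system32\\") and low.endswith(".dll"):
            reasons.append("BHO DLL dropped directly in system32 (weak signal)")
        if reasons:
            findings.append(Finding("bho", m["clsid"], m["path"], reasons))
    return findings


def scan_combofix(text):
    """Flag service/driver entries with odd images or names (heuristics are mine)."""
    findings = []
    for line in text.splitlines():
        m = CF_SVC.match(line.strip())
        if not m:
            continue
        reasons = []
        if not m["stamp"]:
            reasons.append("no timestamp recorded for the driver image")
        if not m["path"].lower().endswith(".sys"):
            reasons.append("driver image is not a .sys file")
        svc = m["svc"]
        if svc == m["display"] and svc.isalpha() and svc.islower() and len(svc) >= 8:
            reasons.append("service name looks machine-generated")
        if reasons:
            findings.append(Finding("driver", svc, m["path"], reasons))
    return findings


def triage(hjt_text, combofix_text):
    """Drivers first, then BHOs, so the plan unloads before it deletes."""
    return scan_combofix(combofix_text) + scan_hjt(hjt_text)


def build_avenger_script(findings):
    """Render the flagged items in the Avenger script form used in the thread."""
    drivers = [f.name for f in findings if f.kind == "driver"]
    files = [f.path for f in findings]
    lines = []
    if drivers:
        lines.append("drivers to unload:")
        lines.extend(drivers)
        lines.append("")
    lines.append("Files to delete:")
    lines.extend(files)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(HJT_SAMPLE, COMBOFIX_SAMPLE)
    for f in found:
        print(f"{f.kind:6} {f.name:38} {f.path}")
        for r in f.reasons:
            print("       -", r)
    print(build_avenger_script(found))
```

Review the flagged list by hand before acting on it; the heuristics only rank what a helper should look at, they do not prove a file is malicious.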

gipsyking

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #41 on: January 03, 2008, 12:02:18 AM »
extra.txt


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Portuguese

CPU 0: Intel(R) Pentium(R) D CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) D CPU 3.00GHz
Percentage of Memory in Use: 26%
Physical Memory (total/avail): 2047.04 MiB / 1504.77 MiB
Pagefile Memory (total/avail): 3942.67 MiB / 3539.86 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1907.73 MiB

A: is Removable (Unformatted)
C: is Fixed (NTFS) - 136.09 GiB total, 113.7 GiB free.
D: is Fixed (NTFS) - 97.65 GiB total, 65.56 GiB free.
E: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6V250F0 - 233.76 GiB - 2 partitions
  \PARTITION0 (bootable) - Sistema de ficheiros instalável - 136.09 GiB - C:
  \PARTITION1 - Partição expandida - 97.65 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: avast! antivirus 4.7.1098 [VPS 080101-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Programas\\MSN Messenger\\msnmsgr.exe"="C:\\Programas\\MSN Messenger\\msnmsgr.exe:*:Enabled:Messenger"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\JP\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Programas\Ficheiros comuns
COMPUTERNAME=JP-915B3FD3F42E
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\JP
LOGONSERVER=\\JP-915B3FD3F42E
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Programas\Ficheiros comuns\Adobe\AGL;C:\Programas\Ficheiros comuns\Teleca Shared
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 6 Stepping 2, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0602
ProgramFiles=C:\Programas
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\JP\DEFINI~1\Temp
TMP=C:\DOCUME~1\JP\DEFINI~1\Temp
USERDOMAIN=JP-915B3FD3F42E
USERNAME=JP
USERPROFILE=C:\Documents and Settings\JP
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

JP (admin)
Convidado (new local, guest)


-- Add/Remove Programs ---------------------------------------------------------

 --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis True Image --> C:\Programas\Acronis\TrueImage\MediaBuilder.exe -uninstall
Actualização para Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Actualização para Windows XP (KB904942) --> "C:\WINDOWS\$NtUninstallKB904942$\spuninst\spuninst.exe"
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Bridge 1.0 --> MsiExec.exe /I{AE3D38A6-13B1-40B3-9423-D1FA9982FB6A}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5102}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 2.0 --> MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}
Adobe Premiere Pro 2.0 --> msiexec /I {FA17A726-B229-4116-B793-A2AB1A4EAE2E}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1437-443D-B06E-79A00FE45110}
Ahead NeroMediaPlayer --> C:\WINDOWS\UNNMP.exe /UNINSTALL
Ahead NeroVision Express --> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
ASUS Enhanced Display Driver --> RunDll32 C:\PROGRA~1\FICHEI~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programas\InstallShield Installation Information\{315ACD04-BCEB-478B-9B1D-5431D0E6CB11}\setup.exe" -l0x9  -removeonly
ASUS nVIDIA Driver --> C:\PROGRA~1\FICHEI~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{3C3B2C97-0DAB-482F-9C95-6610827210E3} /l1033
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
High Definition Audio - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall
Hotfix para Windows XP (KB914440) --> "C:\WINDOWS\$NtUninstallKB914440$\spuninst\spuninst.exe"
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
K-Lite Codec Pack 2.82 Standard --> "C:\Programas\K-Lite Codec Pack\unins000.exe"
Language Engineering Power Translator --> MsiExec.exe /I{66EDF2E5-6C37-4939-A837-FBF2C52F91CD}
Lexmark X1100 Series --> C:\WINDOWS\system32\spool\drivers\w32x86\3\LXBKUN5C.EXE -dLexmark X1100 Series
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110816-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Mozilla Firefox (2.0.0.11) --> C:\Programas\Mozilla Firefox\uninstall\helper.exe
Multimedia Keyboard Driver --> C:\Programas\Ficheiros comuns\InstallShield\Driver\8\Intel 32\IDriver.exe /M{AA5AF806-46E2-498A-A562-0DD3145D2949}
Nero 6 Ultra Edition --> C:\Programas\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Os Sims™ 2 H&M® Moda Acessórios --> C:\Programas\EA GAMES\Os Sims 2 H&M® Moda Acessórios\EAUninstall.exe
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\FICHEI~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Programas\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -l0x816  -removeonly
SpeechRedist --> MsiExec.exe /X{8795CBED-55E2-4693-9F14-84EC446935BE}
SpeedTouch USB Software --> RunDll32 C:\PROGRA~1\FICHEI~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Programas\InstallShield Installation Information\{D41FAAA9-8048-4906-86B2-9AADEA1FA0B7}\Setup.exe"  /l0416 -Control_Panel
Spybot - Search & Destroy --> "C:\Programas\Spybot - Search & Destroy\unins000.exe"
The Sims 2 --> C:\Programas\EA GAMES\The Sims 2\EAUninstall.exe
Unreal Tournament 2004 --> C:\UT2004\System\Setup.exe uninstall "UT2004"
Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
Windows Live Messenger --> MsiExec.exe /I{37FD253D-5064-4034-8CEC-CC3995F823A4}
Windows Live Sign-in Assistant --> MsiExec.exe /I{F652D238-5F29-42D5-BAF3-0115EF977EC2}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Programas\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type169 / Success
Event Submitted/Written: 01/02/2008 05:59:17 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type166 / Warning
Event Submitted/Written: 01/02/2008 05:57:26 PM
Event ID/Source: 1524 / Userenv
Event Description:
Não é possível ao Windows descarregar o ficheiro de registo de classes - ainda está a ser utilizado por outras aplicações ou serviços. O ficheiro será descarregado quando já não estiver a ser utilizado.

Event Record #/Type154 / Success
Event Submitted/Written: 01/02/2008 05:14:54 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type143 / Success
Event Submitted/Written: 01/02/2008 03:38:28 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type140 / Warning
Event Submitted/Written: 01/02/2008 01:21:05 PM
Event ID/Source: 1524 / Userenv
Event Description:
Não é possível ao Windows descarregar o ficheiro de registo de classes - ainda está a ser utilizado por outras aplicações ou serviços. O ficheiro será descarregado quando já não estiver a ser utilizado.

« Last Edit: January 03, 2008, 12:05:18 AM by gipsyking »

gipsyking

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #42 on: January 03, 2008, 12:05:51 AM »
...continuation


-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type3304 / Warning
Event Submitted/Written: 01/02/2008 06:02:15 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JP-915B3FD3F42E27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %JP-915B3FD3F42E27 can't undo changes that you allow.

For more information please see the following:
%JP-915B3FD3F42E275

   Scan ID: {31A7781C-D4B3-4D2F-93BB-D49F00E4F19F}

   User: JP-915B3FD3F42E\JP

   Name: %JP-915B3FD3F42E271

   ID: %JP-915B3FD3F42E272

   Severity: 1.1.1593.05

   Category: 1.1.1593.06

   Path Found: %JP-915B3FD3F42E276

   Alert Type: %JP-915B3FD3F42E278

   Detection Type: 1.1.1593.02

Event Record #/Type3303 / Warning
Event Submitted/Written: 01/02/2008 06:02:13 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JP-915B3FD3F42E27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %JP-915B3FD3F42E27 can't undo changes that you allow.

For more information please see the following:
%JP-915B3FD3F42E275

   Scan ID: {5C93B462-C455-4E17-9A7F-8C29CC74884F}

   User: JP-915B3FD3F42E\JP

   Name: %JP-915B3FD3F42E271

   ID: %JP-915B3FD3F42E272

   Severity: 1.1.1593.05

   Category: 1.1.1593.06

   Path Found: %JP-915B3FD3F42E276

   Alert Type: %JP-915B3FD3F42E278

   Detection Type: 1.1.1593.02

Event Record #/Type3302 / Warning
Event Submitted/Written: 01/02/2008 06:02:13 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JP-915B3FD3F42E27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %JP-915B3FD3F42E27 can't undo changes that you allow.

For more information please see the following:
%JP-915B3FD3F42E275

   Scan ID: {0D033C6F-B8FE-40BE-B480-22790250360E}

   User: JP-915B3FD3F42E\JP

   Name: %JP-915B3FD3F42E271

   ID: %JP-915B3FD3F42E272

   Severity: 1.1.1593.05

   Category: 1.1.1593.06

   Path Found: %JP-915B3FD3F42E276

   Alert Type: %JP-915B3FD3F42E278

   Detection Type: 1.1.1593.02

Event Record #/Type3301 / Warning
Event Submitted/Written: 01/02/2008 06:02:13 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JP-915B3FD3F42E27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %JP-915B3FD3F42E27 can't undo changes that you allow.

For more information please see the following:
%JP-915B3FD3F42E275

   Scan ID: {D15587EF-79F2-4863-A371-035C34104D03}

   User: JP-915B3FD3F42E\JP

   Name: %JP-915B3FD3F42E271

   ID: %JP-915B3FD3F42E272

   Severity: 1.1.1593.05

   Category: 1.1.1593.06

   Path Found: %JP-915B3FD3F42E276

   Alert Type: %JP-915B3FD3F42E278

   Detection Type: 1.1.1593.02

Event Record #/Type3300 / Warning
Event Submitted/Written: 01/02/2008 06:02:13 PM
Event ID/Source: 3004 / WinDefend
Event Description:
%JP-915B3FD3F42E27 Real-Time Protection agent has detected changes. Microsoft recommends you analyze the software that made these changes for potential risks. You can use information about how these programs operate to choose whether to allow them to run or remove them from your computer.  Allow changes only if you trust the program or the software publisher. %JP-915B3FD3F42E27 can't undo changes that you allow.

For more information please see the following:
%JP-915B3FD3F42E275

   Scan ID: {EAD7C201-E66B-4F0A-AC60-D3AE66AA5CB9}

   User: JP-915B3FD3F42E\JP

   Name: %JP-915B3FD3F42E271

   ID: %JP-915B3FD3F42E272

   Severity: 1.1.1593.05

   Category: 1.1.1593.06

   Path Found: %JP-915B3FD3F42E276

   Alert Type: %JP-915B3FD3F42E278

   Detection Type: 1.1.1593.02



-- End of Deckard's System Scanner: finished at 2008-01-02 18:02:47 ------------


gipsyking

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #43 on: January 03, 2008, 12:08:03 AM »
MAIN.txt

Deckard's System Scanner v20071014.68
Run by JP on 2008-01-02 18:00:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
21: 2008-01-02 18:00:57 UTC - RP21 - Deckard's System Scanner Restore Point
20: 2008-01-02 17:42:49 UTC - RP20 - ComboFix created restore point
19: 2008-01-02 17:06:30 UTC - RP19 - Configured PRODUCT_NAME
18: 2008-01-01 19:57:50 UTC - RP18 - Ponto de verificação do sistema
17: 2007-12-31 01:30:39 UTC - RP17 - SPTD setup V1.53


-- First Restore Point --
1: 2007-12-29 22:37:49 UTC - RP1 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as JP.exe) --------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:06, on 02-01-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Programas\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Programas\Acronis\TrueImage\TrueImageMonitor.exe
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedhlp.exe
C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programas\Lexmark X1100 Series\lxbkbmgr.exe
C:\Programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Programas\Lexmark X1100 Series\lxbkbmon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\ATKKBService.exe
C:\Programas\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Multimedia Keyboard Driver\PS2USBKbdDrv.exe
C:\Programas\MSN Messenger\MsnMsgr.Exe
C:\Programas\DAEMON Tools Lite\daemon.exe
C:\Programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Programas\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JP\Ambiente de trabalho\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JP.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {57952B9E-687A-415E-9D75-5A79317DFD23} - C:\WINDOWS\system32\drmv2cltl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Programas\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis True Image Monitor] C:\Programas\Acronis\TrueImage\TrueImageMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedhlp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programas\Multimedia Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Programas\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [AAWTray] C:\Programas\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Programas\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Programas\DAEMON Tools Lite\daemon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1198416317375
O17 - HKLM\System\CCS\Services\Tcpip\..\{73E6E729-D71B-45DD-A0DD-27DD7208D5F4}: NameServer = 192.168.2.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programas\Ficheiros comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LEC TranslateDotNet Server - Language Engineering Corporation, LLC - C:\Programas\Power Translator\LogoMedia TranslateDotNet Server.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

gipsyking

  • Guest
Re: Avast finds but cannot deal with Win32:BHO-KD (Trojan)
« Reply #44 on: January 03, 2008, 12:12:05 AM »
...
--
End of file - 7793 bytes

-- File Associations -----------------------------------------------------------

All asociations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
R0 sqxoeibo - c:\windows\system32\drivers\yfdaedfq.dat
R0 timounter (Acronis TrueImage Backup Archive Explorer) - c:\windows\system32\drivers\timntr.sys <Not Verified; Acronis; Acronis True Image>
R1 asuskbnt (Enhanced Display Driver Helper Service) - c:\windows\system32\drivers\atkkbnt.sys <Not Verified; ASUSTeK COMPUTER INC.; ASUS Help driver For Keyboard Service.>
R2 EIO - c:\windows\system32\drivers\eio.sys <Not Verified; ASUSTeK Computer Inc.; ASUS Kernel Mode Driver for NT>
R2 tifsfilter (Acronis TrueImage FS Filter) - c:\windows\system32\drivers\tifsfilt.sys <Not Verified; Acronis; TrueImage>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AcrSch2Svc (Acronis Scheduler2 Service) - c:\programas\ficheiros comuns\acronis\schedule2\schedul2.exe <Not Verified; Acronis; Acronis Sheduler 2>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2008-01-02 18:01:49       322 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job

-- Files created between 2007-12-02 and 2008-01-02 -----------------------------
2008-01-02 18:01:56         0 d-------- C:\Programas\Trend Micro
2008-01-01 22:22:37         0 dr-h----- C:\Documents and Settings\JP\Application Data\SecuROM
2007-12-31 04:56:10         0 d-------- C:\Documents and Settings\JP\Application Data\Help
2007-12-31 01:36:10         0 d-------- C:\Programas\EA GAMES
2007-12-31 01:36:09    442368 -ra------ C:\WINDOWS\system32\vp6vfw.dll <Not Verified; On2.com; On2_VP6>
2007-12-31 01:33:10         0 d-------- C:\Documents and Settings\JP\Application Data\DAEMON Tools
2007-12-31 01:33:03         0 d-------- C:\Programas\DAEMON Tools Lite
2007-12-31 01:30:40    715248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-30 22:31:22         0 d-------- C:\WINDOWS\system32\LogFiles
2007-12-30 02:02:17         0 d-------- C:\WINDOWS\system32\pt-pt
2007-12-30 01:57:23         0 d-------- C:\WINDOWS\network diagnostic
2007-12-30 01:41:17         0 d-------- C:\Programas\Windows Defender
2007-12-30 01:17:52         0 d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2007-12-30 00:11:33         0 d-------- C:\Documents and Settings\JP\Application Data\Grisoft
2007-12-30 00:10:47         0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-29 23:05:56         0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-29 22:26:34     84992 --a------ C:\WINDOWS\system32\drmv2cltl.dll
2007-12-28 03:48:49         0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-28 03:42:24         0 d-------- C:\Documents and Settings\JP\Application Data\Symantec
2007-12-28 03:34:19         0 d-------- C:\Programas\Alwil Software
2007-12-26 21:30:54         0 d-------- C:\Documents and Settings\JP\Application Data\Media Player Classic
2007-12-26 21:29:23      5120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-12-26 21:29:21         0 d-------- C:\Programas\K-Lite Codec Pack
2007-12-26 14:37:41         0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-12-24 15:46:46         0 d-------- C:\WINDOWS\system32\appmgmt
2007-12-24 14:34:04         0 d-------- C:\Programas\Ficheiros comuns\Real
2007-12-24 14:33:36         0 d-------- C:\Programas\Real
2007-12-24 01:54:44         0 d-------- C:\Documents and Settings\JP\Application Data\DivX
2007-12-24 01:21:36         0 d-------- C:\Documents and Settings\JP\Application Data\Crystal Player
2007-12-23 23:46:20         0 d-------- C:\Documents and Settings\JP\Application Data\BSplayer
2007-12-23 23:46:20         0 d-------- C:\Documents and Settings\JP\Application Data\BSplayer Pro
3 23:25:40     19968 --a------ C:\WINDOWS\system32\cpuinf32.dll
2007-12-23 22:45:27         0 d-------- C:\Documents and Settings\JP\Application Data\uTorrent
2007-12-23 21:29:01         0 d-------- C:\WINDOWS\Sun
2007-12-23 21:29:01         0 d-------- C:\Documents and Settings\JP\Application Data\Sun
2007-12-23 21:26:28         0 d-------- C:\Programas\Java
2007-12-23 21:25:56         0 d-------- C:\Programas\Ficheiros comuns\Java
2007-12-23 19:14:29         0 d-------- C:\Documents and Settings\JP\Application Data\AdobeUM
2007-12-23 13:29:44         0 d-------- C:\WINDOWS\system32\PreInstall
2007-12-23 13:29:42         0 d--h----- C:\WINDOWS\$hf_mig$
2007-12-23 13:25:55         0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-12-23 13:24:55         0 d--hs---- C:\Documents and Settings\JP\UserData
2007-12-23 12:45:42         0 d-------- C:\Documents and Settings\JP\Application Data\dvdcss
2007-12-23 03:22:41         0 d-------- C:\WINDOWS\system32\drivers\umdf
2007-12-23 03:21:18         0 d-------- C:\Programas\Windows Media Connect 2
2007-12-23 00:23:48         0 d-------- C:\Documents and Settings\JP\Application Data\Macromedia
2007-12-22 18:51:13         0 d-------- C:\WINDOWS\RegisteredPackages
2007-12-22 18:50:30         0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-12-22 18:28:27         0 d-------- C:\Programas\Ficheiros comuns\Adobe Systems Shared
2007-12-22 18:28:13         0 d-------- C:\Documents and Settings\JP\Application Data\Adobe
2007-12-22 17:48:20         0 d-------- C:\Documents and Settings\JP\Contacts
2007-12-22 17:47:41         0 d------c- C:\WINDOWS\system32\DRVSTORE
2007-12-22 17:47:26         0 d-------- C:\Programas\MSN Messenger
2007-12-22 17:45:43         0 d-------- C:\Programas\Google
2007-12-22 17:38:50         0 d-------- C:\Programas\Lexmark X1100 Series
2007-12-22 17:32:46         0 d-------- C:\Programas\Multimedia Keyboard Driver
2007-12-22 17:32:36         0 d-------- C:\WINDOWS\Downloaded Installations


-- Find3M Report ---------------------------------------------------------------

2007-12-30 01:42:23         0 d-------- C:\Programas\Ficheiros comuns
2007-12-28 13:30:41         0 d-------- C:\Programas\Symantec
2007-12-28 13:30:41         0 d-------- C:\Programas\Ficheiros comuns\Symantec Shared
2007-12-22 18:52:51         0 d-------- C:\Programas\Ficheiros comuns\Adobe
2007-12-22 17:32:49         0 d--h----- C:\Programas\InstallShield Installation Information
2007-12-22 16:22:47    358982 --a------ C:\WINDOWS\system32\perfh016.dat
2007-12-22 16:22:47     50952 --a------ C:\WINDOWS\system32\perfc016.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57952B9E-687A-415E-9D75-5A79317DFD23}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [25-05-2005 15:37 C:\WINDOWS\RTHDCPL.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13-02-2006 13:05]
"nwiz"="nwiz.exe" [13-02-2006 13:05 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13-02-2006 13:05]
"Acronis Scheduler2 Service"="C:\Programas\Ficheiros comuns\Acronis\Schedule2\schedhlp.exe" [08-07-2006 21:33]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09-07-2001 09:50]
"SunJavaUpdateSched"="C:\Programas\Java\jre1.6.0_03\bin\jusched.exe" [25-09-2007 01:11]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [04-12-2007 13:00]
"AAWTray"="C:\Programas\Lavasoft\Ad-Aware 2007\AAWTray.exe" []
"Windows Defender"="C:\Programas\Windows Defender\MSASCui.exe" [03-11-2006 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [21-09-2004 12:00]
"MsnMsgr"="C:\Programas\MSN Messenger\MsnMsgr.exe" [19-01-2007 12:54]
"DAEMON Tools Lite"="C:\Programas\DAEMON Tools Lite\daemon.exe" [19-12-2007 20:13]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Arranque\
Acrobat Assistant.lnk - C:\Programas\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15-05-2003 0:19:50]




-- Hosts -----------------------------------------------------------------------

127.0.0.1   007guard.com
127.0.0.1   www.007guard.com
127.0.0.1   008i.com
127.0.0.1   008k.com
127.0.0.1   www.008k.com
127.0.0.1   00hq.com
127.0.0.1   www.00hq.com
127.0.0.1   010402.com
127.0.0.1   032439.com
127.0.0.1   www.032439.com

7791 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-01-02 18:02:47 ------------


oldman.. please help.. thanks