fst (Just Arrived)
Joined: 20 Jul 2007 Posts: 5
Posted: Fri Jul 20, 2007 2:44 am Post subject: Hijackthis log- fst - Unknown bandwidth usage
I'm having a problem for a while that I can't seem to solve. Some process is consuming bandwidth, and I can't find it. I'm running Windows XP SP2, already tried to scan with avast, adAware, SpyBot, but they found nothing.
The IPs that my machine connects to are never the same; this is output from netstat -ab showing one example:
TCP 4a795eec717849c:1033 208.51.35.88:http ESTABLISHED
c:\windows\system32\WS2_32.dll
c:\windows\system32\WINHTTP.dll
Analyzing the packets with Ethereal, I found a lot of HTTP GETs, like this:
GET /download/6/0/0/60022C13-E6A9-48E5-A47B-107703A03119/Install_Messenger.exe
Here's the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 21:42:36, on 19/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\SoftPerfect Bandwidth Manager\bwmsvc.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\ProcessExplorer\procexp.exe
C:\WINDOWS\system32\cmd.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe
C:\Arquivos de programas\Ethereal\dumpcap.exe
C:\Arquivos de programas\Ethereal\dumpcap.exe
C:\Arquivos de programas\Ethereal\ethereal.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcessExplorer] C:\Arquivos de programas\ProcessExplorer\procexp.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: SoftPerfect Bandwidth Manager Lite (bwmservice) - Unknown owner - C:\Arquivos de programas\SoftPerfect Bandwidth Manager\bwmsvc.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Hope someone can help me with this.
Thanks
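One way to act on netstat -ab output like the excerpt above: an added Python example (not code from the post) that parses each connection line together with its component chain, groups remote endpoints by owning executable, and flags the connections netstat could not attribute to a program or that belong to svchost.exe. The sample output is constructed to match the post's format; the hostnames, addresses and PIDs in it are made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -ab` on Windows XP: a connection
# line, then the DLLs in the component chain, then the owner in [brackets] when
# netstat can resolve it. One connection deliberately has no owner, like the
# excerpt in the post (only WS2_32.dll and WINHTTP.dll were listed).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    4a795eec717849c:1033   208.51.35.88:http      ESTABLISHED     1032
  c:\\windows\\system32\\WS2_32.dll
  c:\\windows\\system32\\WINHTTP.dll
  [svchost.exe]
  TCP    4a795eec717849c:1041   192.0.2.10:http        ESTABLISHED     2212
  [firefox.exe]
  TCP    4a795eec717849c:1055   198.51.100.7:http      ESTABLISHED
  c:\\windows\\system32\\WS2_32.dll
  c:\\windows\\system32\\WINHTTP.dll
  UDP    4a795eec717849c:1900   *:*                                    1032
  [svchost.exe]
"""

# proto, local, remote, optional state, optional pid (UDP lines have no state)
CONN_RE = re.compile(r"^(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?(?:\s+(\d+))?$")


def parse_netstat(text):
    """Turn netstat -ab text into a list of connection records.

    Each record: proto, local, remote, state, pid, modules (DLL chain) and
    owner (the bracketed executable, or None when netstat printed none).
    """
    conns = []
    for raw in text.splitlines():
        line = raw.strip()
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            if pid is None and state and state.isdigit():
                state, pid = None, state        # UDP: the 4th column is the PID
            conns.append({"proto": proto, "local": local, "remote": remote,
                          "state": state, "pid": pid, "modules": [],
                          "owner": None})
        elif conns and line.startswith("[") and line.endswith("]"):
            conns[-1]["owner"] = line[1:-1]
        elif conns and line.lower().endswith((".dll", ".exe", ".drv")):
            conns[-1]["modules"].append(line)
    return conns


def endpoints_by_owner(conns):
    """Map each owning executable (or UNATTRIBUTED) to its remote endpoints."""
    report = defaultdict(list)
    for c in conns:
        report[c["owner"] or "UNATTRIBUTED"].append(c["remote"])
    return dict(report)


def needs_followup(conns):
    """Connections netstat cannot pin to one program: no owner at all, or an
    owner of svchost.exe, which hosts many services in one process. These are
    the ones to chase per-process with a tool such as Process Explorer."""
    return [c for c in conns
            if c["owner"] is None or c["owner"].lower() == "svchost.exe"]


if __name__ == "__main__":
    records = parse_netstat(SAMPLE_NETSTAT)
    for owner, remotes in endpoints_by_owner(records).items():
        print(f"{owner:14} -> {', '.join(remotes)}")
    for c in needs_followup(records):
        print("follow up:", c["proto"], c["local"], "->", c["remote"], "pid", c["pid"])
```

Feed it a saved `netstat -ab > conns.txt` instead of the constructed sample to see which executable each remote endpoint belongs to.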

dahli (S.M.A.R.T. Assistant Leader)
Joined: 23 Jan 2006 Posts: 1548
Posted: Fri Jul 20, 2007 6:02 am
Hello fst and welcome to SFDC,
You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.
When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.
NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.
When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.
_________________ Steve

fst (Just Arrived)
Joined: 20 Jul 2007 Posts: 5
Posted: Sat Jul 21, 2007 5:03 pm
Hello, here's the BitDefender log:
BitDefender Online Scanner
Scan report generated at: Sat, Jul 21, 2007 - 11:52:02
Scan path: C:\;D:\;E:\;
Statistics
Time 00:35:01
Files 170439
Folders 4041
Boot Sectors 3
Archives 838
Packed Files 6104
Results
Identified Viruses 1
Infected Files 2
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 2
Engines Info
Virus Definitions 639841
Engine build AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1
Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File
C:\Arquivos de programas\The All-Seeing Eye\movenrun.exe Infected with: Trojan.Zapchast.H
C:\Arquivos de programas\The All-Seeing Eye\movenrun.exe Disinfection failed
C:\Arquivos de programas\The All-Seeing Eye\movenrun.exe Deleted
C:\System Volume Information\_restore{03B6DCA8-88C5-4A46-BF0F-382AF797D930}\RP185\A0083569.exe Infected with: Trojan.Zapchast.H
C:\System Volume Information\_restore{03B6DCA8-88C5-4A46-BF0F-382AF797D930}\RP185\A0083569.exe Disinfection failed
C:\System Volume Information\_restore{03B6DCA8-88C5-4A46-BF0F-382AF797D930}\RP185\A0083569.exe Deleted
Thanks for the answer.

dahli (S.M.A.R.T. Assistant Leader)
Joined: 23 Jan 2006 Posts: 1548
Posted: Sun Jul 22, 2007 3:49 pm
How is your system running now?
_________________ Steve

fst (Just Arrived)
Joined: 20 Jul 2007 Posts: 5
Posted: Mon Jul 23, 2007 3:42 am
The problem still happens.

dahli (S.M.A.R.T. Assistant Leader)
Joined: 23 Jan 2006 Posts: 1548
Posted: Mon Jul 23, 2007 6:37 pm
1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post the ComboFix log and a fresh Hijackthis log in your next reply.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
If you have Norton Antivirus installed then disable script blocking so it will not interfere with the fix.
To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK.
Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.
_________________ Steve

fst (Just Arrived)
Joined: 20 Jul 2007 Posts: 5
Posted: Tue Jul 24, 2007 1:50 am
ComboFix log:
"USER" - 2007-07-23 20:42:58 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\USER\Desktop.\internet explorer.lnk
((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))
2007-07-23 20:41 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-21 11:05 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-07-19 21:21 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2007-07-19 21:16 <DIR> d-------- C:\backup
2007-07-12 20:51 <DIR> d-------- C:\PLATOON_LA_ASIA
2007-07-12 20:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\DADOSD~1\DVD Shrink
2007-07-12 20:44 <DIR> d-------- C:\Arquivos de programas\DVD Shrink
2007-07-09 20:29 <DIR> d-------- C:\Arquivos de programas\Rockstar Games
2007-07-09 20:16 <DIR> d-------- C:\gta-saves
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-07-09 23:51:00 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-07-09 23:49:17 -------- d--h--w C:\Arquivos de programas\InstallShield Installation Information
2007-07-03 02:11:46 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-06-18 01:49:56 -------- d-----w C:\Arquivos de programas\eMule
2007-05-16 15:13:54 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-04-25 14:22:27 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2005-05-13 20:12:00 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-10-24 14:13:58 66,560 --sha-r C:\WINDOWS\MOTA113.exe
2005-10-14 00:27:00 422,400 --sha-r C:\WINDOWS\x2.64.exe
2005-10-07 22:14:52 308,224 --sha-r C:\WINDOWS\system32\avisynth.dll
2005-07-14 15:31:20 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 18:32:28 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 01:37:42 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2004-01-25 03:00:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2006-04-27 13:24:24 2,945,024 --sha-r C:\WINDOWS\system32\Smab.dll
2005-02-28 16:16:22 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 03:00:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZoneAlarm Client"="C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"nwiz"="nwiz.exe" [2005-12-20 00:02 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 12:42]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Arquivos de programas\MSN Messenger\MsnMsgr.exe" [2006-07-29 19:33]
"SpybotSD TeaTimer"="C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]
"ProcessExplorer"="C:\Arquivos de programas\ProcessExplorer\procexp.exe" [2006-11-01 13:07]
R0 srescan;srescan;C:\WINDOWS\system32\ZoneLabs\srescan.sys
R1 AmdK8;AMD Processor Driver;C:\WINDOWS\system32\DRIVERS\AmdK8.sys
R1 mnmdd;mnmdd;C:\WINDOWS\system32\drivers\mnmdd.sys
R1 Npfs;Npfs;C:\WINDOWS\system32\drivers\Npfs.sys
R1 SCDEmu;SCDEmu;C:\WINDOWS\system32\drivers\SCDEmu.sys
R2 lanmanserver;Servidor;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 lanmanworkstation;Esta‡Æo de trabalho;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 winmgmt;Testador de instrumenta‡Æo de gerenciam. do Windows;C:\WINDOWS\system32\svchost.exe -k netsvcs
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\ADIHdAud.sys
R3 AEAudioService;AEAudio Service;C:\WINDOWS\system32\drivers\AEAudio.sys
R3 dtscsi;dtscsi;C:\WINDOWS\system32\Drivers\dtscsi.sys
R3 MTsensor;ATK0110 ACPI UTILITY;C:\WINDOWS\system32\DRIVERS\ASACPI.sys
R3 SenFiltService;SenFilt Service;C:\WINDOWS\system32\drivers\Senfilt.sys
R3 wdmaud;Microsoft WINMM WDM Audio Compatibility Driver;C:\WINDOWS\system32\drivers\wdmaud.sys
S0 OCDE;ZTekWare Original CD Emulator Service;C:\WINDOWS\system32\Drivers\OCDE.sys
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service;C:\WINDOWS\system32\drivers\HdAudio.sys
S3 mnmsrvc;Compartilhamento remoto da rea de trabalho do NetMeeting;C:\WINDOWS\system32\mnmsrvc.exe
S3 nm;Driver de monitor de rede;C:\WINDOWS\system32\DRIVERS\NMnt.sys
S3 Nokia USB Generic;Nokia USB Generic;C:\WINDOWS\system32\drivers\nmwcdc.sys
S3 Nokia USB Modem;Nokia USB Modem;C:\WINDOWS\system32\drivers\nmwcdcm.sys
S3 Nokia USB Phone Parent;Nokia USB Phone Parent;C:\WINDOWS\system32\drivers\nmwcd.sys
S3 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\system32\drivers\npf.sys
S3 PciCon;PciCon;\??\D:\PciCon.sys
S3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28b0f4a3-5408-11db-9fc6-0015f2bb84e1}]
AutoRun\command- E:\Autorun.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5cfb696-5b9a-11db-9fec-0015f2bb84e1}]
AutoRun\command- E:\Autorun.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 20:44:05
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-07-23 20:44:36
C:\ComboFix-quarantined-files.txt ... 2007-07-23 20:44
--- E O F ---
HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 20:49:42, on 23/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Arquivos de programas\ProcessExplorer\procexp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\HijackThis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Arquivos de programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ProcessExplorer] C:\Arquivos de programas\ProcessExplorer\procexp.exe
O8 - Extra context menu item: Download all links using BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Arquivos de programas\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/PT-BR/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

dahli (S.M.A.R.T. Assistant Leader)
Joined: 23 Jan 2006 Posts: 1548
Posted: Wed Jul 25, 2007 4:37 am
Were you having other problems recently? Why did you download winhttp.dll and from where? Was this problem happening before or after the download?
_________________ Steve

fst (Just Arrived)
Joined: 20 Jul 2007 Posts: 5
Posted: Fri Jul 27, 2007 4:31 pm
I didn't download winhttp.dll; I thought those two DLLs (winhttp and ws2_32) were from Windows (they are in c:\windows\system\). I tried to remove them, but Windows wouldn't start.
Maybe some process is using the Windows API to download something?
I tried to find something with ProcessExplorer, but haven't succeeded; all I found was an svchost.exe instance referencing those DLLs.

dahli (S.M.A.R.T. Assistant Leader)
Joined: 23 Jan 2006 Posts: 1548
Posted: Sat Jul 28, 2007 7:09 am
I did not ask or suggest that you delete them. Your log shows it was recently created/downloaded:
> 2007-07-19 21:21 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
Go here and make sure you download all critical updates.
Download SilentRunners.vbs
Unzip it to a permanent folder.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start SilentRunners.vbs
When your antivirus is giving an alert, do not block this. Allow the script.
When the scan is done, notepad will open with a log in it. Please close this again.
I'll need that log later.
Normally that log is saved automatically in your silent runners-folder.
Post the log it created.
_________________ Steve