another virus issue: internet stopped working

[gengen]

I know. For a new guy I´m becoming a little annoying...

But what can I do? Viruses are a common issue nowadays...

Anyway, my brother is very...how can I say...reckless towards internet, surfing the web as if there were no sharks bitting his ankles.

I mean, he just clicks about anything, which makes his PC a perfect habitat for viruses

Yesterday I ran Spybot and Ad-aware SE in his PC and found out 6 or 7 viruses. Erased them.

The problem is that internet on his PC doesn´t work properly, or doesn´t work at all in fact.

It connects, but when i start a browser (mozilla) or even IE it doesn´t actually open the homepage or any page at all because it´s to slow.

How can I fix it?

and there is something on the registry called xdcc.exe. what is it?

 

[Osiris]

Go to start, run, type msconfig, disable all startup items and reboot. Run your AV, SWP, etc..


This malicious batch file connects to the remote machine (acbdefg.nailed.org) via FTP.

It copies the file XDCC.EXE, which Trend Micro detects as TROJ_XDCC.A, from the said host and creates the file named SL.TXT in the current directory. The file SL.TXT is a log file which records all the commands used by the malware.

When the file XDCC.EXE has been copied to the local host, it executes the file, leaving the system vulnerable to remote attacks.

 

[gengen]

Warez Monster: thank you for helping me. Had no ideia what XDCC.exe was really, all I know it was some kind of virus.

Still haven´t been able to correct it though, because when I "Go to start, run, type msconfig" it shows a message that the file or one of its components can´t be located, check the path, and all that.
Can you tell me were the file is exactly?
And how do I disable the startup items?
Can I do it with TuneUp?
My OS is W2000.

Sorry for being such a newbie and for my bad english.
Thanks again.

 

[southernlady]

gengen, I've just looked up xdcc.exe and there is a thread that caught my attention. Take your brother's PC OFFLINE and leave it there til he is clean. You are going to have to download and transfer all programs to his PC from yours. And do NOT copy back anything to yours except logs and scan those before putting them on your machine. It's been nicknamed *The Beast*and here is a quote from that board:

Tested the beast a couple of minutes ago..Within a couple of seconds, it located both my anti-virus, and my personal firewall and disabled both..

What you need to do now is to give us a HiJack Log. Also, download and put onto a cd these programs for your brother:

I will tell you which ones to run now and which reports I want...some are *JUST IN CASE*

Adaware Se Run Now

VX2 CleanerRun Now

Spybot Search & DestroyRun Now

HijackThisRun Now

Coolweb ShredderRun Now

CWS SmartKiller

Find "N" Fix

Find it.zip

Home page unlock.reg

Kill2Me

Lsp Fix

The rest are JUST in case we need them, you want have to download them later. Post the reports from the ones I have asked you to run now:

Security Steps for a Security Forum

Please perform the following prior to posting an HJT log, The following steps will likely clean most of the garbage from your system,

First

Start Ad-Aware SE Use the: “Check for Updates Now” option and download the latest reference files
Use the Start button, and on the next window, select: Perform Full System Scan
Press Next, and let Ad-aware scan the hard drive
When finished, right-click the window with the entries, choose: Select All from the menu, and click Next
Once AdAware has removed the entries, close the program
Restart the computer


Next
StartSpybot 1.3.
Please check it for updates, Run the program and have it fix anything it finds in Red.

Restart your computer,

Next
Update your Anti Virus

Next
Reboot to safe mode see http://www.spyware911.net/safemode.htm

Delete the entire contents of the below Temp folders, but not the TEMP folder itself.

Remove all the files and sub-folders from the below TEMP Folders:

C:\Documents and Settings\ \Local Settings\Temp
C:\temp
C:\windows\temp

The TIF ( Temporary Internet Files) can also be emptied via:
Internet Explorer--Tools--Internet Options--General tab--"Delete Files",
Also tick the "delete all offline content" box .

Clean out your Recycle Bin

Next
Run a full system scan with your Anti Virus,

Run a scan with Ad-aware, Have it fix anything it finds,
Run a scan with Spybot, Again have it fix anything it finds

Next
Restart your computer,

Next

Please create a directory on your C:\ drive called C:\HJT, download and unzip HijackThis into that directory. Run the program from that directory from now on.

STEPS For Creating Folder

1. 
   1. Please go to My Computer, open your C:\ drive, Select: New >> Folder and name the folder HJT.
   
   2. Download HijackThis to the new folder:
   
   3. Double Click on 'HijackThis.zip' to extract and install HijackThis.exe to the new folder.
   
   4. Close ALL windows except HJT
   
   5. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')
   
   6. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')

Please make sure you post the entire log including the top portion:

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS SOME OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Take the log you generate from his computer ON a floppy or cd and scan it, then post it to us from your computer. Liz

 

[SHAWN]

^ you must have a lot of time on your hands to post alot on all your posts.

 

[southernlady]

Shawn, are you talking to me? No, I don't...I just make very good use of my time and I have some of these in what we call *canned* speeches. Liz

 

[SHAWN]

gotcha

 

[gengen]

Liz, you have prooven to be a great helper.
your time taken to solve other people´s problems is very meritable.
If only everybody was such a concerned person such as yourself, I´m sure we wouldn´t be here discussing "time taking issues" like viruses...

Thanks for the help.
______________________________________________________

Getting into business:

-followed your advices.
I already had most of those utilities(the "run now" ones), except for CWshredder; the other ones I don´t have a single one and haven´t tried them yet, I´m still waiting for the response on the reports I´m about to send.

I already had previous reports of HijackThis from both PC´s (my Brother´s and mine) but the ones I´m posting are the ones that refer to the state of the machines after proceeding with your suggestions.

-CWshredder didn´t report nothing to fix;

-Ad-Aware Pro didn´t showed nothing and neither did SpyBot.
But that doesn´t mean much, because I run them very often and they are almost daily updated;

My Anti-virus is Avast Home Edition 4.6.
Daily Uptaded.
Still after Full scans(I usually only perform "smart scans") it reported :

In my Brother´s PC:
-VBS:Malware [Gen]

In my PC:
-Win32:Rbot-SF [Trj]

______________________________________________________
Here are the reports on my BROTHER pc:

CWShredder:
______________________________________________________

**** Run Keys ****

RUN: [Synchronization Manager] mobsync.exe /logon
RUN: [LoadQM] loadqm.exe
RUN: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
RUN: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
RUN: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
RUN: [WindowsRegKey update] lwzaweoxdd.exe
RUN: [SpeedTouch USB Diagnostics] "C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
RUN: [Start Upping] xdcc.exe
RUN: [FreeRAM XP] "C:\Programas\FreeRAM XP Pro 1.40.exe" -win
RUN: [WindowsRegKey update] lwzaweoxdd.exe
RUN: [LeechGet]
RUN: [STManager] "C:\Programas\SpeedTouch\Dr SpeedTouch\drst.exe" -b
RUN: [Start Upping] xdcc.exe


**** Browser Helper Objects ****

BHO: [] C:\PROGRA~1\SPYBOT~1\SDHelper.dll


**** IE Toolbars ****

TOOLBAR: [&Rádio] C:\WINNT\system32\msdxm.ocx


**** IE Extensions ****

IEExt: [Web Browser Applet Control] C:\WINNT\system32\msjava.dll


**** Hosts File Entries ****

HOSTS: 127.0.0.1 localhost


**** IE Settings ****

Default Page: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Default Search: http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
Local Page: C:\WINNT\system32\blank.htm
Search Page: http://www.microsoft.com/is&api/redir.dll?prd=iear=iesearch


**** IE Context Menu (Right click) ****

IEContext: [Analisar com LeechGet] file://C:\Programas\LeechGet 2004\\Parser.html
IEContext: [Download usando Assistente LeechGet] file://C:\Programas\LeechGet 2004\\Wizard.html
IEContext: [Download usando LeechGet] file://C:\Programas\LeechGet 2004\\AddUrl.html
IEContext: [E&xportar para o Microsoft Excel] res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


**** Layered Service Providers ****

LSP: MSAFD Tcpip [TCP/IP]
LSP: MSAFD Tcpip [UDP/IP]
LSP: RSVP UDP Service Provider
LSP: RSVP TCP Service Provider
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7F8AD29C-AEF2-40B0-8108-5A4D9B4B4624}] SEQPACKET 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{7F8AD29C-AEF2-40B0-8108-5A4D9B4B4624}] DATAGRAM 0
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9532A504-2EA5-45DD-A1F2-49515F02C0AB}] SEQPACKET 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{9532A504-2EA5-45DD-A1F2-49515F02C0AB}] DATAGRAM 1
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C93A4E74-2798-4D17-94D0-7A4A64162615}] SEQPACKET 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{C93A4E74-2798-4D17-94D0-7A4A64162615}] DATAGRAM 2
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE1EF39C-BBDC-4FA4-9C76-2BEDB4D17E7D}] SEQPACKET 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{DE1EF39C-BBDC-4FA4-9C76-2BEDB4D17E7D}] DATAGRAM 3
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B4F7CB3-A58F-4447-BA89-67D54778DDBD}] SEQPACKET 4
LSP: MSAFD NetBIOS [\Device\NetBT_Tcpip_{0B4F7CB3-A58F-4447-BA89-67D54778DDBD}] DATAGRAM 4


**** Blocked Control Panel Items ****

BLOCKED: [ncpa.cpl] No
BLOCKED: [odbccp32.cpl] No


**** Downloaded Program Files ****

DirectAnimation Java Classes [file://C:\WINNT\Java\classes\dajava.cab]
Microsoft XML Parser for Java [file://C:\WINNT\Java\classes\xmldso.cab]
{33564D57-0000-0010-8000-00AA00389B71} [http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB]


**** Windows Services ****

[Alerter] %SystemRoot%\System32\services.exe
[AppMgmt] %SystemRoot%\system32\services.exe
[aswUpdSv] "C:\Programas\Alwil Software\Avast4\aswUpdSv.exe"
[avast! Antivirus] "C:\Programas\Alwil Software\Avast4\ashServ.exe"
[avast! Mail Scanner] "C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service
[avast! Web Scanner] "C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service
[BITS] %SystemRoot%\System32\svchost.exe -k BITSgroup
[Browser] %SystemRoot%\System32\services.exe
[cisvc] C:\WINNT\System32\cisvc.exe
[ClipSrv] %SystemRoot%\system32\clipsrv.exe
[Dhcp] %SystemRoot%\System32\services.exe
[dmadmin] %SystemRoot%\System32\dmadmin.exe /com
[dmserver] %SystemRoot%\System32\services.exe
[Dnscache] %SystemRoot%\System32\services.exe
[Eventlog] %SystemRoot%\system32\services.exe
[EventSystem] C:\WINNT\System32\svchost.exe -k netsvcs
[Fax] %systemroot%\system32\faxsvc.exe
[KPF4] C:\Programas\Kerio\Personal Firewall 4\kpf4ss.exe
[lanmanserver] %SystemRoot%\System32\services.exe
[lanmanworkstation] %SystemRoot%\System32\services.exe
[LmHosts] %SystemRoot%\System32\services.exe
[Messenger] %SystemRoot%\System32\services.exe
[mnmsrvc] C:\WINNT\System32\mnmsrvc.exe
[MSDTC] C:\WINNT\System32\msdtc.exe
[MSIServer] C:\WINNT\System32\MsiExec.exe /V
[NetDDE] %SystemRoot%\system32\netdde.exe
[NetDDEdsdm] %SystemRoot%\system32\netdde.exe
[Netlogon] %SystemRoot%\System32\lsass.exe
[Netman] %SystemRoot%\System32\svchost.exe -k netsvcs
[NtLmSsp] %SystemRoot%\System32\lsass.exe
[NtmsSvc] %SystemRoot%\System32\svchost.exe -k netsvcs
[PlugPlay] %SystemRoot%\system32\services.exe
[PolicyAgent] %SystemRoot%\System32\lsass.exe
[ProtectedStorage] %SystemRoot%\system32\services.exe
[RasAuto] %SystemRoot%\System32\svchost.exe -k netsvcs
[RasMan] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[RemoteRegistry] %SystemRoot%\system32\regsvc.exe
[RpcLocator] %SystemRoot%\System32\locator.exe
[RpcSs] %SystemRoot%\system32\svchost -k rpcss
[RSVP] %SystemRoot%\System32\rsvp.exe -s
[SamSs] %SystemRoot%\system32\lsass.exe
[SCardDrv] %SystemRoot%\System32\SCardSvr.exe
[SCardSvr] %SystemRoot%\System32\SCardSvr.exe
[Schedule] %SystemRoot%\system32\MSTask.exe
[seclogon] %SystemRoot%\system32\services.exe
[SENS] %SystemRoot%\system32\svchost.exe -k netsvcs
[SharedAccess] %SystemRoot%\System32\svchost.exe -k netsvcs
[Spooler] %SystemRoot%\system32\spoolsv.exe
[SysmonLog] %SystemRoot%\system32\smlogsvc.exe
[TapiSrv] %SystemRoot%\System32\svchost.exe -k netsvcs
[TlntSvr] %SystemRoot%\system32\tlntsvr.exe
[TrkWks] %SystemRoot%\system32\services.exe
[UPS] %SystemRoot%\System32\ups.exe
[UtilMan] %SystemRoot%\System32\UtilMan.exe
[W32Time] %SystemRoot%\System32\services.exe
[WinMgmt] %SystemRoot%\System32\WBEM\WinMgmt.exe
[WmdmPmSN] %SystemRoot%\System32\svchost.exe -k netsvcs
[Wmi] %SystemRoot%\system32\Services.exe
[wuauserv] %systemroot%\system32\svchost.exe -k wugroup
[WZCSVC] %SystemRoot%\System32\svchost.exe -k netsvcs


**** Custom IE Search Items ****

SEARCH: [SearchAssistant] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
SEARCH: [CustomizeSearch] http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


**** Complete IE Options ****

IEOPT: [NoUpdateCheck]
IEOPT: [NoJITSetup]
IEOPT: [Show_ChannelBand] No
IEOPT: [Anchor Underline] yes
IEOPT: [Cache_Update_Frequency] Once_Per_Session
IEOPT: [Display Inline Images] yes
IEOPT: [Do404Search]
IEOPT: [Local Page] C:\WINNT\system32\blank.htm
IEOPT: [Save_Session_History_On_Exit] no
IEOPT: [Show_FullURL] no
IEOPT: [Show_StatusBar] yes
IEOPT: [Show_ToolBar] yes
IEOPT: [Show_URLinStatusBar] yes
IEOPT: [Show_URLToolBar] yes
IEOPT: [Start Page] http://www.sapo.pt/
IEOPT: [Use_DlgBox_Colors] yes
IEOPT: [Search Page] http://www.microsoft.com/is&api/redir.dll?prd=iear=iesearch
IEOPT: [ShowedCheckBrowser] Yes
IEOPT: [Check_Associations] No
IEOPT: [FullScreen] no
IEOPT: [Window_Placement] ,
IEOPT: [Q261272] yes
IEOPT: [Disable Script Debugger] yes
IEOPT: [Use FormSuggest] no
IEOPT: [Error Dlg Displayed On Every Error] no
IEOPT: [Friendly http errors] no
IEOPT: [Default_Page_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
IEOPT: [Default_Search_URL] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Search Page] http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IEOPT: [Enable_Disk_Cache] yes
IEOPT: [Cache_Percent_of_Disk]
IEOPT: [Delete_Temp_Files_On_Exit] yes
IEOPT: [Local Page] %SystemRoot%\system32\blank.htm
IEOPT: [Anchor_Visitation_Horizon]
IEOPT: [Use_Async_DNS] yes
IEOPT: [Placeholder_Width]
IEOPT: [Placeholder_Height]
IEOPT: [Start Page] http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
IEOPT: [CompanyName] Microsoft Corporation
IEOPT: [Custom_Key] MICROSO
IEOPT: [Wizard_Version] 6.00.2800.1106
IEOPT: [FullScreen] no

_____________________________________________________

My BROTHER´s HJT report

Logfile of HijackThis v1.99.1
Scan saved at 19:47:05, on 11-03-2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINNT\System32\svchost.exe
C:\Programas\Kerio\Personal Firewall 4\kpf4ss.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\Programas\Kerio\Personal Firewall 4\kpf4gui.exe
C:\WINNT\Explorer.EXE
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\Kerio\Personal Firewall 4\kpf4gui.exe
C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe
C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Programas\FreeRAM XP Pro 1.40.exe
C:\Programas\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sapo.pt/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AWMON] "C:\PROGRA~1\LAVASOFT\AD-AWA~1\Ad-Watch.exe"
O4 - HKLM\..\Run: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Programas\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Start Upping] xdcc.exe
O4 - HKLM\..\RunServices: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKLM\..\RunServices: [Start Upping] xdcc.exe
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINNT\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMINI~1\DEFINI~1\Temp\IXP000.TMP\"
O4 - HKLM\..\RunOnce: [MSPQM] RUNDLL32.exe streamci,StreamingDeviceSetup {DDF4358E-BB2C-11D0-A42F-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196},{97EBAACB-95BD-11D0-A3EA-00A0C9223196}
O4 - HKLM\..\RunOnce: [MSPCLOCK] RUNDLL32.exe streamci,StreamingDeviceSetup {97ebaacc-95bd-11d0-a3ea-00a0c9223196},{53172480-4791-11D0-A5D6-28DB04C10000},{53172480-4791-11D0-A5D6-28DB04C10000}
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Programas\FreeRAM XP Pro 1.40.exe" -win
O4 - HKCU\..\Run: [WindowsRegKey update] lwzaweoxdd.exe
O4 - HKCU\..\Run: [STManager] "C:\Programas\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [Start Upping] xdcc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Programas\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Analisar com LeechGet - file://C:\Programas\LeechGet 2004\\Parser.html
O8 - Extra context menu item: Download usando Assistente LeechGet - file://C:\Programas\LeechGet 2004\\Wizard.html
O8 - Extra context menu item: Download usando LeechGet - file://C:\Programas\LeechGet 2004\\AddUrl.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0\bin\npjpi150.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Serviço administrativo de gestão de discos lógicos (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Programas\Kerio\Personal Firewall 4\kpf4ss.exe

_____________________________________________________

Hope you can find something useful in these reports.
One question:
after analysing these could you check my own PC reports?

I won´t put them in here without asking because it might get confusing for you.
Thanks.

PS: about XDCC.exe

I´ve searched my PC and there is no file with this name.
Still, it appears on the registry and on startup.
I´ve tried to erradicate it before, in TuneUp and in Startup but it always appears again after refresh.