What the Tech logo

Welcome ( Log In | Register )
Easy as 1,2,3!

 
 Closed TopicStart new topic
> [Closed] Trojan-Spy.Win32.Banker.gka
Caderudo
post Jun 20 2009, 10:34 AM
Post #1


New Member
*

Group: Authentic Member
Posts: 6
Joined: 20-June 09
From: Brazil
Member No.: 86,345
Operating System: Windows Vista Home Premium
Dear friends,

I´ve just checked the topic "[Resolved] Bancos IPA alias Trojan-Spy.Win32.Banker.gka [Kaspersk" at(http://forums.whatthetech.com/Bancos_IPA_alias_Trojan_Spy_Win32_Banker_gka_Kaspersk_t93875.html) and I got the very same problem.

I´ve followed the proposed actions:

1. Cleared "Hide protected operating system files."
2. Downloaded and executed ATF Cleaner (Under Main choose: Select All / Clicked the Empty Selected button).
3. Downloaded and executed combofix (I did not have it at my pc, so i just downloaded at Desktop and double clicked to execute it)

I noticed that a file "CFScript.txt" was created by LDTate, that was draged to combofix.exe.

Could you please generate the CFScript txt for me? Above, the combifix.txt content:

(I would like to thank you in advance for your help!!! thumbup.gif )

-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ComboFix 09-06-19.01 - adriano 20/06/2009 12:56.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.55.1046.18.3573.2121 [GMT -3:00]
Executando de: c:\users\adriano\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
ADS - drivers: deleted 208 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2869144217-1070373754-383600519-500
c:\$recycle.bin\S-1-5-21-2869144217-1070373754-383600519-500\desktop.ini
c:\users\adriano\AppData\Local\Temp\install_flash_player.exe

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-05-20 to 2009-06-20 ))))))))))))))))))))))))))))
.

2009-06-20 16:02 . 2009-06-20 16:02 -------- d-----w- c:\users\kelen\AppData\Local\temp
2009-06-20 16:02 . 2009-06-20 16:02 -------- d-----w- c:\users\flavia\AppData\Local\temp
2009-06-19 05:00 . 2008-12-11 11:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-19 05:00 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-19 05:00 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-19 04:59 . 2009-06-19 05:00 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-19 04:59 . 2008-12-10 14:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-19 04:59 . 2009-06-20 00:37 -------- d-----w- c:\program files\Spyware Doctor
2009-06-19 04:59 . 2009-06-19 04:59 -------- d-----w- c:\users\kelen\AppData\Roaming\PC Tools
2009-06-19 04:59 . 2009-06-19 04:59 -------- d-----w- c:\programdata\PC Tools
2009-06-19 04:45 . 2009-06-19 04:45 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbE034.tmp.exe
2009-06-19 04:36 . 2009-06-19 05:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-19 04:36 . 2009-06-19 05:17 -------- d-----w- c:\program files\Norton Security Scan
2009-06-19 04:35 . 2009-06-19 04:57 -------- d-----w- c:\programdata\Google Updater
2009-06-19 04:08 . 2009-06-19 04:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-19 04:08 . 2009-06-19 04:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-19 03:48 . 2009-06-19 03:48 -------- d-----w- c:\users\kelen\AppData\Roaming\Roxio
2009-06-12 22:03 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-12 22:03 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-12 03:47 . 2009-06-12 03:47 -------- d-----w- c:\program files\UndeleteMyFiles
2009-06-11 01:30 . 2009-06-11 01:30 -------- d-----w- c:\users\kelen\AppData\Local\Mozilla
2009-06-11 00:36 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-05 03:17 . 2009-06-05 03:17 -------- d-----w- c:\program files\MSECache
2009-06-03 15:26 . 2009-06-03 15:26 24390976 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_1.6.13PT_BR.exe
2009-06-03 15:26 . 2009-06-03 15:26 3351812 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\msxml6Exec.exe
2009-06-03 15:26 . 2009-06-03 15:26 36864 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\Sleep.exe
2009-06-03 15:26 . 2009-06-03 15:26 3181612 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\vcredistExec.exe
2009-06-02 19:34 . 2009-06-18 17:19 -------- d-----w- c:\users\flavia\Tracing
2009-06-01 02:09 . 2009-06-01 02:09 262144 ----a-w- C:\ntuser.dat
2009-06-01 02:09 . 2009-06-01 02:09 -------- d-----w- c:\programdata\Yahoo!
2009-06-01 01:55 . 2009-06-01 01:55 -------- d-----w- c:\program files\Common Files\Scanner
2009-06-01 01:55 . 2009-06-01 01:58 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-05-30 05:41 . 2009-05-30 05:41 -------- d-----w- c:\users\adriano\AppData\Local\Mozilla
2009-05-28 02:04 . 2009-05-28 02:04 -------- d-----w- c:\users\adriano\AppData\Roaming\Flickr
2009-05-28 02:04 . 2009-05-28 02:04 -------- d-----w- c:\users\adriano\AppData\Local\Flickr
2009-05-28 02:03 . 2009-05-28 02:03 -------- d-----w- c:\program files\Flickr Uploadr
2009-05-21 18:54 . 2009-06-06 05:19 -------- d-----w- c:\users\adriano\AppData\Local\WinZip
2009-05-21 18:53 . 2009-05-21 18:54 -------- d-----w- c:\programdata\WinZip

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-20 15:55 . 2009-02-18 01:05 -------- d-----w- c:\users\adriano\AppData\Roaming\DNA
2009-06-20 15:31 . 2008-01-21 05:26 634222 ----a-w- c:\windows\system32\prfh0416.dat
2009-06-20 15:31 . 2008-01-21 05:26 121888 ----a-w- c:\windows\system32\prfc0416.dat
2009-06-20 02:38 . 2008-12-19 15:46 1660 ----a-w- c:\windows\bthservsdp.dat
2009-06-16 01:50 . 2008-12-26 00:01 -------- d-----w- c:\users\adriano\AppData\Roaming\Skype
2009-06-16 01:38 . 2008-12-26 00:02 -------- d-----w- c:\users\adriano\AppData\Roaming\skypePM
2009-06-12 22:05 . 2009-01-01 23:01 -------- d-----w- c:\programdata\Microsoft Help
2009-06-12 21:44 . 2008-12-19 18:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-12 02:59 . 2009-02-18 01:06 -------- d-----w- c:\users\adriano\AppData\Roaming\BitTorrent
2009-06-11 02:21 . 2008-12-19 18:18 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 23:35 . 2008-12-26 02:10 -------- d-----w- c:\users\kelen\AppData\Roaming\Yahoo!
2009-06-08 17:57 . 2009-06-08 17:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-06-07 15:45 . 2009-01-15 22:18 -------- d-----w- c:\program files\DivX
2009-06-07 15:44 . 2009-04-15 02:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-03 15:30 . 2009-01-20 00:38 -------- d-----w- c:\programdata\Installations
2009-06-03 15:28 . 2009-01-20 00:39 -------- d-----w- c:\program files\Nokia
2009-06-03 15:27 . 2009-01-20 01:04 -------- d-----w- c:\program files\Common Files\Nokia
2009-06-03 13:51 . 2008-12-26 00:32 -------- d-----w- c:\users\adriano\AppData\Roaming\Yahoo!
2009-06-02 19:40 . 2009-01-05 12:29 -------- d-----w- c:\users\flavia\AppData\Roaming\Yahoo!
2009-06-02 19:33 . 2008-12-29 21:41 101856 ----a-w- c:\users\flavia\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-01 02:09 . 2008-12-25 16:22 -------- d-----w- c:\program files\Yahoo!
2009-06-01 02:09 . 2008-12-26 00:32 -------- d-----w- c:\programdata\Yahoo! Companion
2009-05-15 02:02 . 2009-05-15 02:02 -------- d-----w- c:\program files\Unity
2009-05-14 23:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-09 05:50 . 2009-06-11 00:37 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 00:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-09 02:09 . 2009-02-09 01:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-05-09 02:09 . 2009-02-09 01:07 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-05-09 02:09 . 2009-02-09 01:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-05-09 02:09 . 2009-02-09 01:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 21:51 . 2008-12-25 05:00 101856 ----a-w- c:\users\kelen\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-01 21:42 . 2008-12-25 16:05 101856 ----a-w- c:\users\adriano\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-23 12:42 . 2009-06-11 00:37 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-11 00:37 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-19 18:02 . 2008-12-19 18:02 76 --sh--r- c:\windows\CT4CET.bin
2008-12-19 23:23 . 2008-12-19 23:21 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"BitTorrent DNA"="c:\users\adriano\Program Files\DNA\btdna.exe" [2009-02-18 321344]
"googletalk"="c:\users\adriano\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-05-26 24264488]
"Google Update"="c:\users\adriano\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-27 3563520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-19 30192]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-09 1947928]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-19 68592]
"ISTray"="c:\program files\Spyware Doctor\pctsTray.exe" [2008-12-08 1173384]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-19 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-11 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\program files\GbPlugin\gbiehuni.dll" [2008-11-04 396192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-19 18:22 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{773AF746-145C-423A-85C8-B1A150CFC25D}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{C5D7D5F4-FD3B-4409-B8F3-9C1DFB00FB9B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{B02EF930-1E57-470B-8B6D-5D041C2A39CF}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{BBF96C42-904B-4425-A878-C958193D4B46}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{380D0500-E170-40F5-AC1C-41838E03CBF5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{77225A2B-F29C-4913-A5B6-D62FA33ABEC9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6C4AFC4D-902A-41D7-81CC-8CC971E158A5}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E5497C45-169F-445F-A5D8-D74C2E20D249}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F4A32F14-17BA-4FF4-9C48-1482F09043F6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7165BA5D-BB34-404F-9905-68558D47CE9F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{DCAD8096-C4FA-48F6-9F45-9FF1AEFBC220}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{08141B50-F959-440B-B1A3-03ED78461004}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{F7701ABA-C77A-496F-8C28-5248A976876F}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{E6573D1F-D6EF-46C3-AE80-E1D409CC578D}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{C723B025-4B54-44CE-B893-5BC2F6AEE908}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{C0FE67A4-CE07-4D54-B399-B51E6112E4F2}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{E1077BC1-C6FA-47D7-AB19-66505CAF444B}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{540E61FE-500B-4526-A5A2-DB50BC1F9015}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"{0A250C5D-FAA2-42DC-98A8-E5A8FF20DBF7}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{DA13687D-D0E8-4132-8CD0-B74D1DCE72F0}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{95D206CB-EDCF-4B6A-8808-60C6B9F6083E}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{39C769ED-4B55-41C1-8CD1-2B7F7576390A}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{33CE1F2E-4DFA-4190-807F-C3713025FC03}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{D49A89B4-352E-44C1-A6AA-5797E106FE59}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{A358433E-CDE9-42DF-BAC6-1C03B86F7873}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{91069196-3B8A-47F7-8943-5DF5800E846A}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{6825808F-F97B-45B4-A0E6-2C442FA4BB1E}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{46EA7947-894A-4FC1-B25A-1378574B7595}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{FE185843-306E-4DE6-B7A4-35901C1D9B5F}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{7A02F47D-3C65-48CA-8917-506760DCB014}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{CFC07E7C-577E-48F8-992A-9E902E3EC495}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{059A12F5-B36C-4DD8-BF3F-DFC4FD845A32}c:\\program files\\oneeko\\oneeko.exe"= UDP:c:\program files\oneeko\oneeko.exe:ONEEKO
"UDP Query User{92982878-84B4-441E-BAA3-044A9A8652F7}c:\\program files\\oneeko\\oneeko.exe"= TCP:c:\program files\oneeko\oneeko.exe:ONEEKO
"TCP Query User{B3A516B5-63E9-41D5-8493-BC9564DF299E}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{ADECA9D6-A705-49F2-B646-CD166D01120C}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [19/06/2009 02:00 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [08/02/2009 22:07 325896]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [08/02/2009 22:07 108552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [19/12/2008 12:45 73728]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/02/2009 22:06 908568]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/02/2009 22:06 298776]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [19/06/2009 01:59 348752]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [19/12/2008 20:39 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [10/10/2007 16:03 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [19/12/2008 20:39 7424]
S2 scpVista;scpVista;c:\program files\Scpad\scpVista.exe [15/02/2009 19:41 136448]
S3 GoogleDesktopManager-092308-165331;Gerenciador do Google Desktop 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/12/2008 15:14 30192]
S4 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [17/08/2008 05:40 217088]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-06-20 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-19 04:35]

2009-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869144217-1070373754-383600519-1001.job
- c:\users\adriano\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 02:48]

2009-06-19 c:\windows\Tasks\Norton Security Scan for kelen.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 23:20]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://br.yahoo.com/?fr=fp-yie8
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\adriano\AppData\Roaming\Mozilla\Firefox\Profiles\fn6il6mb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://cade.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://br.yahoo.com/?fr=fp-yie8
FF - prefs.js: keyword.URL - hxxp://cade.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\users\adriano\AppData\Local\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\adriano\Program Files\DNA\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-20 13:03
Windows 6.0.6001 Service Pack 1 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'lsass.exe'(700)
c:\program files\Scpad\scpLIB.dll
c:\program files\Scpad\scpMIB.dll
c:\program files\Scpad\sshib.dll
.
Tempo para conclusão: 2009-06-20 13:05
ComboFix-quarantined-files.txt 2009-06-20 16:05

Pré-execução: 40.432.459.776 bytes disponíveis
Pós execução: 40.785.211.392 bytes disponíveis

292 --- E O F --- 2009-06-18 20:47
Go to the top of the page
 
+Quote Post
Tomk
post Jun 23 2009, 09:09 PM
Post #2


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,226
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp
Hi Caderudo,

welcome.gif

My name is Tomk. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:

  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.


It is a really bad idea to use a fix for someone elses computer. Your infection is not the same as the one you were following. It is posted about 100 places around the forum to not run ComboFix unless you are specifically instructed to by a helper.

That being said, let's see what we can do now.

BitTorrent
You have BitTorrent, a P2P/file sharing programs installed on your computer. P2P applications like it are the largest source of malware we see. You'll be doing yourself a favor by removing it.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
[url=http://www.internetworldstats.com/articles/art053.htm]http://www.internetworldstats.com/articles/art053.htm://http://www.techweb.com/wire/1605005...cles/art053.htm


I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

Download Rooter.exe to your desktop

  • Then doubleclick it to start the tool
  • A Notepad file containing the report will open, also found at %systemdrive%\Rooter.txt. Post that here


COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    File::
    c:\programdata\Google\Google Toolbar\Update\gtbE034.tmp.exe
    c:\program files\GbPlugin\gbiehuni.dll

    Registry::
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{E37CB5F0-51F5-4395-A808-5FA49E399008}"=-

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Go to the top of the page
 
+Quote Post
Caderudo
post Jun 28 2009, 09:04 PM
Post #3


New Member
*

Group: Authentic Member
Posts: 6
Joined: 20-June 09
From: Brazil
Member No.: 86,345
Operating System: Windows Vista Home Premium
Dear Tomk,

First of all, thank you for your support. I did exactly as you resquested. thumbup.gif


Follow the root.exe log:

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows Vista Home Edition (6.0.6001) Service Pack 1
[32_bits] - x86 Family 6 Model 15 Stepping 13, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[MpsSvc] RUNNING (state:4)
Windows Firewall -> Enabled
Windows Defender -> Enabled
User Account Control (UAC) -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.0.10 (pt-BR)
.
C:\ [Fixed-NTFS] .. ( Total:136 Go - Free:38 Go )
D:\ [Fixed-NTFS] .. ( Total:9 Go - Free:4 Go )
E:\ [CD_Rom]
.
Scan : 23:42.42
Path : C:\Users\adriano\Desktop\Rooter.exe
User : adriano ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
Locked System (4)
______ \SystemRoot\System32\smss.exe (456)
______ C:\Windows\system32\csrss.exe (524)
______ C:\Windows\system32\wininit.exe (568)
______ C:\Windows\system32\csrss.exe (576)
______ C:\Windows\system32\services.exe (612)
______ C:\Windows\system32\lsass.exe (628)
______ C:\Windows\system32\lsm.exe (636)
______ C:\Windows\system32\winlogon.exe (704)
______ C:\Windows\system32\svchost.exe (836)
______ C:\Windows\system32\svchost.exe (896)
______ C:\Windows\System32\svchost.exe (952)
______ C:\Windows\System32\svchost.exe (1024)
______ C:\Windows\System32\svchost.exe (1080)
______ C:\Windows\system32\svchost.exe (1104)
Locked audiodg.exe (1204)
______ C:\Windows\system32\svchost.exe (1232)
______ C:\Windows\system32\SLsvc.exe (1252)
______ C:\Windows\system32\svchost.exe (1296)
______ C:\Windows\system32\svchost.exe (1472)
______ C:\Windows\System32\WLTRYSVC.EXE (1616)
______ C:\Windows\system32\WLANExt.exe (1624)
______ C:\Windows\System32\bcmwltry.exe (1644)
______ C:\Windows\System32\spoolsv.exe (1768)
______ C:\Windows\system32\svchost.exe (1792)
______ C:\Windows\system32\aestsrv.exe (2044)
______ C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (332)
______ C:\Windows\system32\svchost.exe (376)
______ C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe (468)
______ C:\Windows\system32\svchost.exe (564)
______ C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe (1140)
______ C:\Windows\system32\STacSV.exe (2072)
______ C:\PROGRA~1\AVG\AVG8\avgrsx.exe (2148)
______ C:\PROGRA~1\AVG\AVG8\avgnsx.exe (2160)
______ C:\Windows\system32\svchost.exe (2328)
______ C:\Windows\System32\svchost.exe (2360)
______ C:\Windows\system32\SearchIndexer.exe (2388)
______ C:\Windows\system32\DRIVERS\xaudio.exe (2464)
______ C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe (2496)
______ C:\PROGRA~1\AVG\AVG8\avgemc.exe (2536)
______ C:\Program Files\AVG\AVG8\avgcsrvx.exe (2720)
______ C:\Windows\system32\taskeng.exe (3044)
______ C:\Windows\system32\Dwm.exe (3360)
______ C:\Windows\system32\taskeng.exe (3372)
______ C:\Program Files\DellTPad\Apoint.exe (3680)
______ C:\Windows\OEM02Mon.exe (3696)
______ C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe (3712)
______ C:\Windows\System32\hkcmd.exe (3796)
______ C:\Windows\System32\igfxpers.exe (3804)
______ C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe (3836)
______ C:\Windows\System32\WLTRAY.EXE (3848)
______ C:\Program Files\Dell\MediaDirect\PCMService.exe (3904)
______ C:\Program Files\Dell Support Center\bin\sprtcmd.exe (3912)
______ C:\Windows\system32\igfxsrvc.exe (3920)
______ C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe (3928)
______ C:\Program Files\Java\jre6\bin\jusched.exe (3956)
______ C:\Program Files\Yahoo!\Common\YMailAdvisor.exe (3972)
______ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe (4028)
______ C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe (2524)
______ C:\Program Files\DellTPad\ApMsgFwd.exe (1328)
______ C:\Windows\ehome\ehtray.exe (320)
______ C:\Program Files\DellTPad\HidFind.exe (3084)
______ C:\Program Files\DellTPad\Apntex.exe (1408)
______ C:\Users\adriano\Program Files\DNA\btdna.exe (2788)
______ C:\Users\adriano\AppData\Local\Google\Update\GoogleUpdate.exe (3292)
______ C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (3768)
______ C:\Program Files\Digital Line Detect\DLG.exe (1036)
______ C:\Program Files\Dell\QuickSet\quickset.exe (1088)
______ C:\Program Files\WinZip\WZQKPICK.EXE (980)
______ C:\Windows\ehome\ehmsas.exe (3900)
______ C:\Windows\system32\wbem\wmiprvse.exe (1044)
______ c:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe (672)
______ C:\Program Files\Windows Media Player\wmpnscfg.exe (5264)
______ C:\Program Files\Windows Media Player\wmpnetwk.exe (5384)
______ C:\Program Files\Dell Support Center\bin\sprtsvc.exe (4308)
______ ?? (2384)
______ C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe (340)
______ C:\Windows\system32\conime.exe (3176)
______ C:\Windows\System32\svchost.exe (5228)
______ C:\Windows\Explorer.exe (4660)
______ C:\Windows\system32\SearchProtocolHost.exe (6032)
______ C:\Windows\system32\SearchFilterHost.exe (5960)
______ C:\Windows\system32\DllHost.exe (504)
______ C:\Windows\system32\DllHost.exe (928)
______ C:\Users\adriano\Desktop\Rooter.exe (4568)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 (Start_Offset:32256 | Length:82220544)
\Device\Harddisk0\Partition2 (Start_Offset:82837504 | Length:10737418240)
\Device\Harddisk0\Partition3 --[ MBR ]-- (Start_Offset:10820255744 | Length:146535346176)
\Device\Harddisk0\Partition0 (Start_Offset:157355606016 | Length:2684354560)
\Device\Harddisk0\Partition4 (Start_Offset:157356654592 | Length:2683305984)
.
----------------------\\ Scheduled Tasks
.
C:\Windows\Tasks\Google Software Updater.job
C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869144217-1070373754-383600519-1001.job
C:\Windows\Tasks\Norton Security Scan for kelen.job
C:\Windows\Tasks\SA.DAT
C:\Windows\Tasks\SCHEDLGU.TXT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
C:\Users\adriano\Documents\softwares\garmin\City Navigator Brazil v4 NT[1]\City Navigator Brazil v4 NT\keygen.exe
==> Cracks & Keygens <==
.
----------------------\\ Scan completed at 23:42.45
.
C:\Rooter$\Rooter_5.txt - (28/06/2009 | 23:42.45).c


---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------





And now, the combofix log:

ComboFix 09-06-26.02 - adriano 28/06/2009 23:48.4 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.55.1046.18.3573.2092 [GMT -3:00]
Executando de: c:\users\adriano\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\adriano\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\program files\GbPlugin\gbiehuni.dll"
"c:\programdata\Google\Google Toolbar\Update\gtbE034.tmp.exe"
.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-05-28 to 2009-06-29 ))))))))))))))))))))))))))))
.

2009-06-29 02:52 . 2009-06-29 02:52 -------- d-----w- c:\users\kelen\AppData\Local\temp
2009-06-29 02:52 . 2009-06-29 02:52 -------- d-----w- c:\users\flavia\AppData\Local\temp
2009-06-29 02:23 . 2009-06-29 02:42 -------- d-----w- C:\Rooter$
2009-06-22 01:39 . 2009-06-25 01:28 -------- d-----w- c:\users\adriano\AppData\Local\Adobe
2009-06-20 23:49 . 2009-06-20 23:49 -------- d-----w- C:\temp
2009-06-19 05:00 . 2008-12-11 11:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-19 05:00 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-19 05:00 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-19 04:59 . 2009-06-19 05:00 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-19 04:59 . 2008-12-10 14:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-19 04:59 . 2009-06-24 21:44 -------- d-----w- c:\program files\Spyware Doctor
2009-06-19 04:59 . 2009-06-19 04:59 -------- d-----w- c:\users\kelen\AppData\Roaming\PC Tools
2009-06-19 04:59 . 2009-06-19 04:59 -------- d-----w- c:\programdata\PC Tools
2009-06-19 04:36 . 2009-06-19 05:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-19 04:36 . 2009-06-19 05:17 -------- d-----w- c:\program files\Norton Security Scan
2009-06-19 04:35 . 2009-06-19 04:57 -------- d-----w- c:\programdata\Google Updater
2009-06-19 04:08 . 2009-06-19 04:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-19 04:08 . 2009-06-19 04:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-19 03:48 . 2009-06-19 03:48 -------- d-----w- c:\users\kelen\AppData\Roaming\Roxio
2009-06-12 22:03 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-12 22:03 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-12 03:47 . 2009-06-12 03:47 -------- d-----w- c:\program files\UndeleteMyFiles
2009-06-11 01:30 . 2009-06-11 01:30 -------- d-----w- c:\users\kelen\AppData\Local\Mozilla
2009-06-11 00:36 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-05 03:17 . 2009-06-05 03:17 -------- d-----w- c:\program files\MSECache
2009-06-03 15:26 . 2009-06-03 15:26 24390976 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_1.6.13PT_BR.exe
2009-06-03 15:26 . 2009-06-03 15:26 3351812 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\msxml6Exec.exe
2009-06-03 15:26 . 2009-06-03 15:26 36864 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\Sleep.exe
2009-06-03 15:26 . 2009-06-03 15:26 3181612 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\vcredistExec.exe
2009-06-02 19:34 . 2009-06-26 23:35 -------- d-----w- c:\users\flavia\Tracing
2009-06-01 02:09 . 2009-06-01 02:09 262144 ----a-w- C:\ntuser.dat
2009-06-01 02:09 . 2009-06-01 02:09 -------- d-----w- c:\programdata\Yahoo!
2009-06-01 01:55 . 2009-06-01 01:55 -------- d-----w- c:\program files\Common Files\Scanner
2009-06-01 01:55 . 2009-06-01 01:58 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-05-30 05:41 . 2009-05-30 05:41 -------- d-----w- c:\users\adriano\AppData\Local\Mozilla

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 02:50 . 2009-02-18 01:05 -------- d-----w- c:\users\adriano\AppData\Roaming\DNA
2009-06-29 02:34 . 2009-01-15 17:50 -------- d-----w- c:\program files\GbPlugin
2009-06-29 00:05 . 2008-01-21 05:26 634222 ----a-w- c:\windows\system32\prfh0416.dat
2009-06-29 00:05 . 2008-01-21 05:26 121888 ----a-w- c:\windows\system32\prfc0416.dat
2009-06-28 20:23 . 2008-12-19 15:46 1660 ----a-w- c:\windows\bthservsdp.dat
2009-06-28 19:25 . 2009-01-24 20:48 -------- d-----w- c:\programdata\DVD Shrink
2009-06-25 18:51 . 2009-02-09 01:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 18:51 . 2009-02-09 01:07 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 18:51 . 2009-02-09 01:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 04:08 . 2009-02-03 01:30 -------- d-----w- c:\program files\Microsoft
2009-06-24 21:17 . 2009-01-20 00:39 -------- d-----w- c:\program files\Nokia
2009-06-22 06:48 . 2009-02-18 01:06 -------- d-----w- c:\users\adriano\AppData\Roaming\BitTorrent
2009-06-22 02:11 . 2008-12-26 00:38 -------- d-----w- c:\programdata\Roxio
2009-06-16 01:50 . 2008-12-26 00:01 -------- d-----w- c:\users\adriano\AppData\Roaming\Skype
2009-06-16 01:38 . 2008-12-26 00:02 -------- d-----w- c:\users\adriano\AppData\Roaming\skypePM
2009-06-12 22:05 . 2009-01-01 23:01 -------- d-----w- c:\programdata\Microsoft Help
2009-06-12 21:44 . 2008-12-19 18:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 02:21 . 2008-12-19 18:18 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 23:35 . 2008-12-26 02:10 -------- d-----w- c:\users\kelen\AppData\Roaming\Yahoo!
2009-06-08 17:57 . 2009-06-08 17:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-06-07 15:45 . 2009-01-15 22:18 -------- d-----w- c:\program files\DivX
2009-06-07 15:44 . 2009-04-15 02:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-03 15:30 . 2009-01-20 00:38 -------- d-----w- c:\programdata\Installations
2009-06-03 15:27 . 2009-01-20 01:04 -------- d-----w- c:\program files\Common Files\Nokia
2009-06-03 13:51 . 2008-12-26 00:32 -------- d-----w- c:\users\adriano\AppData\Roaming\Yahoo!
2009-06-02 19:40 . 2009-01-05 12:29 -------- d-----w- c:\users\flavia\AppData\Roaming\Yahoo!
2009-06-02 19:33 . 2008-12-29 21:41 101856 ----a-w- c:\users\flavia\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-01 02:09 . 2008-12-25 16:22 -------- d-----w- c:\program files\Yahoo!
2009-06-01 02:09 . 2008-12-26 00:32 -------- d-----w- c:\programdata\Yahoo! Companion
2009-05-28 02:04 . 2009-05-28 02:04 -------- d-----w- c:\users\adriano\AppData\Roaming\Flickr
2009-05-28 02:03 . 2009-05-28 02:03 -------- d-----w- c:\program files\Flickr Uploadr
2009-05-21 18:54 . 2009-05-21 18:53 -------- d-----w- c:\programdata\WinZip
2009-05-15 02:02 . 2009-05-15 02:02 -------- d-----w- c:\program files\Unity
2009-05-14 23:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-09 05:50 . 2009-06-11 00:37 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 00:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-09 02:09 . 2009-02-09 01:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 21:51 . 2008-12-25 05:00 101856 ----a-w- c:\users\kelen\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-01 21:42 . 2008-12-25 16:05 101856 ----a-w- c:\users\adriano\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-23 12:42 . 2009-06-11 00:37 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-11 00:37 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-19 18:02 . 2008-12-19 18:02 76 --sh--r- c:\windows\CT4CET.bin
2008-12-19 23:23 . 2008-12-19 23:21 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2009-06-20_16.03.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-12-25 04:58 . 2009-06-23 22:43 62594 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2008-01-21 01:58 . 2009-06-29 00:01 61144 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-06-29 00:01 83522 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-12-25 05:03 . 2009-06-20 15:46 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-12-25 05:03 . 2009-06-29 02:45 32768 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-12-25 05:03 . 2009-06-20 15:46 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-25 05:03 . 2009-06-29 02:45 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-12-25 05:03 . 2009-06-29 02:45 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-12-25 05:03 . 2009-06-20 15:46 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-28 05:10 . 2009-06-12 15:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-28 05:10 . 2009-06-22 03:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-02-28 05:10 . 2009-06-12 15:57 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-28 05:10 . 2009-06-22 03:13 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-28 05:10 . 2009-06-22 03:13 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-28 05:10 . 2009-06-12 15:57 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-28 03:15 . 2009-06-12 16:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-28 03:15 . 2009-06-26 17:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-02-28 03:15 . 2009-06-26 17:03 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-02-28 03:15 . 2009-06-12 16:37 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-02-28 03:15 . 2009-06-26 17:03 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-02-28 03:15 . 2009-06-12 16:37 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-06-03 15:35 51200 c:\windows\inf\infpub.dat
+ 2006-11-02 10:25 . 2009-06-25 01:42 51200 c:\windows\inf\infpub.dat
+ 2008-12-29 21:43 . 2009-06-26 16:56 4530 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2869144217-1070373754-383600519-1002_UserData.bin
+ 2008-12-26 00:31 . 2009-06-29 00:01 8030 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2869144217-1070373754-383600519-1001_UserData.bin
+ 2008-12-25 05:01 . 2009-06-28 15:24 6770 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2869144217-1070373754-383600519-1000_UserData.bin
+ 2009-03-19 16:48 . 2009-03-19 16:48 8320 c:\windows\System32\drivers\nmwcdnsuc.sys
+ 2009-06-28 23:59 . 2009-06-28 23:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-20 15:24 . 2009-06-20 15:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-06-20 15:24 . 2009-06-20 15:24 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-28 23:59 . 2009-06-28 23:59 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-06-23 21:11 . 2009-05-30 13:15 102912 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.22883_none_840ec88560132cdf\iecompat.dll
+ 2009-06-23 21:11 . 2009-06-02 03:27 102912 c:\windows\winsxs\x86_microsoft-windows-ie-iecompat_31bf3856ad364e35_8.0.6001.18793_none_837a5bce46fda906\iecompat.dll
+ 2006-11-02 10:33 . 2009-06-29 00:05 587178 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-06-20 15:31 587178 c:\windows\System32\perfh009.dat
- 2006-11-02 10:33 . 2009-06-20 15:31 101250 c:\windows\System32\perfc009.dat
+ 2006-11-02 10:33 . 2009-06-29 00:05 101250 c:\windows\System32\perfc009.dat
+ 2009-03-19 16:48 . 2009-03-19 16:48 136704 c:\windows\System32\drivers\nmwcdnsu.sys
+ 2009-04-19 03:27 . 2009-06-25 01:31 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2009-04-19 03:27 . 2009-06-11 03:11 245760 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
- 2006-11-02 10:25 . 2009-06-03 15:35 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-06-25 01:42 143360 c:\windows\inf\infstrng.dat
+ 2009-06-12 22:00 . 2009-06-23 21:10 5032120 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
- 2006-11-02 10:22 . 2009-06-12 22:14 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 10:22 . 2009-06-24 11:36 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"BitTorrent DNA"="c:\users\adriano\Program Files\DNA\btdna.exe" [2009-02-18 321344]
"googletalk"="c:\users\adriano\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-05-26 24264488]
"Google Update"="c:\users\adriano\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-27 3563520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-19 30192]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-19 68592]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-19 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-11 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-19 18:22 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{773AF746-145C-423A-85C8-B1A150CFC25D}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{C5D7D5F4-FD3B-4409-B8F3-9C1DFB00FB9B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{B02EF930-1E57-470B-8B6D-5D041C2A39CF}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{BBF96C42-904B-4425-A878-C958193D4B46}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{380D0500-E170-40F5-AC1C-41838E03CBF5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{77225A2B-F29C-4913-A5B6-D62FA33ABEC9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6C4AFC4D-902A-41D7-81CC-8CC971E158A5}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E5497C45-169F-445F-A5D8-D74C2E20D249}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F4A32F14-17BA-4FF4-9C48-1482F09043F6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7165BA5D-BB34-404F-9905-68558D47CE9F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{DCAD8096-C4FA-48F6-9F45-9FF1AEFBC220}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{08141B50-F959-440B-B1A3-03ED78461004}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{F7701ABA-C77A-496F-8C28-5248A976876F}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{E6573D1F-D6EF-46C3-AE80-E1D409CC578D}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{C723B025-4B54-44CE-B893-5BC2F6AEE908}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{C0FE67A4-CE07-4D54-B399-B51E6112E4F2}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{E1077BC1-C6FA-47D7-AB19-66505CAF444B}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{540E61FE-500B-4526-A5A2-DB50BC1F9015}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"{0A250C5D-FAA2-42DC-98A8-E5A8FF20DBF7}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{DA13687D-D0E8-4132-8CD0-B74D1DCE72F0}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{95D206CB-EDCF-4B6A-8808-60C6B9F6083E}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{39C769ED-4B55-41C1-8CD1-2B7F7576390A}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{33CE1F2E-4DFA-4190-807F-C3713025FC03}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{D49A89B4-352E-44C1-A6AA-5797E106FE59}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{A358433E-CDE9-42DF-BAC6-1C03B86F7873}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{91069196-3B8A-47F7-8943-5DF5800E846A}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{6825808F-F97B-45B4-A0E6-2C442FA4BB1E}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{46EA7947-894A-4FC1-B25A-1378574B7595}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{FE185843-306E-4DE6-B7A4-35901C1D9B5F}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{7A02F47D-3C65-48CA-8917-506760DCB014}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{CFC07E7C-577E-48F8-992A-9E902E3EC495}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{059A12F5-B36C-4DD8-BF3F-DFC4FD845A32}c:\\program files\\oneeko\\oneeko.exe"= UDP:c:\program files\oneeko\oneeko.exe:ONEEKO
"UDP Query User{92982878-84B4-441E-BAA3-044A9A8652F7}c:\\program files\\oneeko\\oneeko.exe"= TCP:c:\program files\oneeko\oneeko.exe:ONEEKO
"TCP Query User{B3A516B5-63E9-41D5-8493-BC9564DF299E}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{ADECA9D6-A705-49F2-B646-CD166D01120C}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [19/06/2009 02:00 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [08/02/2009 22:07 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [08/02/2009 22:07 108552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [19/12/2008 12:45 73728]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/02/2009 22:06 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/02/2009 22:06 298776]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [19/12/2008 20:39 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [10/10/2007 16:03 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [19/12/2008 20:39 7424]
S2 scpVista;scpVista;c:\program files\Scpad\scpVista.exe [15/02/2009 19:41 136448]
S3 GoogleDesktopManager-092308-165331;Gerenciador do Google Desktop 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/12/2008 15:14 30192]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [19/03/2009 13:48 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [19/03/2009 13:48 8320]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [19/06/2009 01:59 348752]
S4 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [17/08/2008 05:40 217088]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-06-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-19 04:35]

2009-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869144217-1070373754-383600519-1001.job
- c:\users\adriano\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 02:48]

2009-06-26 c:\windows\Tasks\Norton Security Scan for kelen.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 23:20]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://br.yahoo.com/?fr=fp-yie8
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\adriano\AppData\Roaming\Mozilla\Firefox\Profiles\fn6il6mb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://cade.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://br.yahoo.com/?fr=fp-yie8
FF - prefs.js: keyword.URL - hxxp://cade.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\users\adriano\AppData\Local\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\users\adriano\Program Files\DNA\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-28 23:52
Windows 6.0.6001 Service Pack 1 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'lsass.exe'(628)
c:\program files\Scpad\scpLIB.dll
c:\program files\Scpad\scpMIB.dll
c:\program files\Scpad\sshib.dll

- - - - - - - > 'Explorer.exe'(3212)
c:\program files\Scpad\scpLIB.dll
c:\program files\Scpad\scpMIB.dll
c:\program files\Scpad\sshib.dll
c:\program files\Scpad\scpsssh2.dll
c:\windows\system32\BtwNamespaceExt.dll
c:\windows\system32\BtwNeLib.dll
c:\windows\system32\btwapi.dll
c:\windows\system32\btosif.dll
c:\windows\system32\btwpimif.dll
c:\windows\system32\btrez.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_por-br.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
Tempo para conclusão: 2009-06-29 23:54
ComboFix-quarantined-files.txt 2009-06-29 02:54
ComboFix2.txt 2009-06-29 02:36

Pré-execução: 41.587.822.592 bytes disponíveis
Pós execução: 41.556.348.928 bytes disponíveis

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
360 --- E O F --- 2009-06-25 18:51
Go to the top of the page
 
+Quote Post
Tomk
post Jun 28 2009, 10:00 PM
Post #4


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,226
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp
Caderudo,

COMBOFIX-Script

  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    CODE
    File::
    C:\Users\adriano\Documents\softwares\garmin\City Navigator Brazil v4 NT[1]\City Navigator Brazil v4 NT\keygen.exe

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.



Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Go to the top of the page
 
+Quote Post
Caderudo
post Jul 1 2009, 08:30 PM
Post #5


New Member
*

Group: Authentic Member
Posts: 6
Joined: 20-June 09
From: Brazil
Member No.: 86,345
Operating System: Windows Vista Home Premium
Dear Tomk,

Follows the Combofix log:

ComboFix 09-06-26.02 - adriano 01/07/2009 23:11.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.55.1046.18.3573.2232 [GMT -3:00]
Executando de: c:\users\adriano\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\adriano\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-06-02 to 2009-07-02 ))))))))))))))))))))))))))))
.

2009-07-02 02:16 . 2009-07-02 02:16 -------- d-----w- c:\users\kelen\AppData\Local\temp
2009-07-02 02:16 . 2009-07-02 02:16 -------- d-----w- c:\users\flavia\AppData\Local\temp
2009-06-29 02:23 . 2009-06-29 02:42 -------- d-----w- C:\Rooter$
2009-06-22 01:39 . 2009-06-25 01:28 -------- d-----w- c:\users\adriano\AppData\Local\Adobe
2009-06-20 23:49 . 2009-06-20 23:49 -------- d-----w- C:\temp
2009-06-19 05:00 . 2008-12-11 11:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-06-19 05:00 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-06-19 05:00 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-06-19 04:59 . 2009-06-19 05:00 -------- d-----w- c:\program files\Common Files\PC Tools
2009-06-19 04:59 . 2008-12-10 14:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-06-19 04:59 . 2009-07-01 17:03 -------- d-----w- c:\program files\Spyware Doctor
2009-06-19 04:59 . 2009-06-19 04:59 -------- d-----w- c:\users\kelen\AppData\Roaming\PC Tools
2009-06-19 04:59 . 2009-06-19 04:59 -------- d-----w- c:\programdata\PC Tools
2009-06-19 04:36 . 2009-06-19 05:17 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-06-19 04:36 . 2009-06-19 05:17 -------- d-----w- c:\program files\Norton Security Scan
2009-06-19 04:35 . 2009-06-19 04:57 -------- d-----w- c:\programdata\Google Updater
2009-06-19 04:08 . 2009-06-19 04:13 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2009-06-19 04:08 . 2009-06-19 04:08 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-19 03:48 . 2009-06-19 03:48 -------- d-----w- c:\users\kelen\AppData\Roaming\Roxio
2009-06-12 22:03 . 2009-04-30 12:37 293376 ----a-w- c:\windows\system32\psisdecd.dll
2009-06-12 22:03 . 2009-04-30 12:37 428544 ----a-w- c:\windows\system32\EncDec.dll
2009-06-12 03:47 . 2009-06-12 03:47 -------- d-----w- c:\program files\UndeleteMyFiles
2009-06-11 01:30 . 2009-06-11 01:30 -------- d-----w- c:\users\kelen\AppData\Local\Mozilla
2009-06-11 00:36 . 2009-04-23 12:43 784896 ----a-w- c:\windows\system32\rpcrt4.dll
2009-06-05 03:17 . 2009-06-05 03:17 -------- d-----w- c:\program files\MSECache
2009-06-03 15:26 . 2009-06-03 15:26 24390976 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\NokiaSoftwareUpdaterSetup_1.6.13PT_BR.exe
2009-06-03 15:26 . 2009-06-03 15:26 3351812 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\msxml6Exec.exe
2009-06-03 15:26 . 2009-06-03 15:26 36864 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\Sleep.exe
2009-06-03 15:26 . 2009-06-03 15:26 3181612 ----a-w- c:\programdata\Installations\{9F59C3AE-81B0-4EF6-9762-D674BB079705}\Installer\CommonCustomActions\vcredistExec.exe
2009-06-02 19:34 . 2009-07-01 16:46 -------- d-----w- c:\users\flavia\Tracing

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-02 02:15 . 2009-02-18 01:05 -------- d-----w- c:\users\adriano\AppData\Roaming\DNA
2009-07-02 02:01 . 2008-01-21 05:26 634222 ----a-w- c:\windows\system32\prfh0416.dat
2009-07-02 02:01 . 2008-01-21 05:26 121888 ----a-w- c:\windows\system32\prfc0416.dat
2009-07-02 01:16 . 2008-12-19 15:46 1660 ----a-w- c:\windows\bthservsdp.dat
2009-06-29 02:34 . 2009-01-15 17:50 -------- d-----w- c:\program files\GbPlugin
2009-06-28 19:25 . 2009-01-24 20:48 -------- d-----w- c:\programdata\DVD Shrink
2009-06-25 18:51 . 2009-02-09 01:07 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-06-25 18:51 . 2009-02-09 01:07 327688 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-06-25 18:51 . 2009-02-09 01:07 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-25 04:08 . 2009-02-03 01:30 -------- d-----w- c:\program files\Microsoft
2009-06-24 21:17 . 2009-01-20 00:39 -------- d-----w- c:\program files\Nokia
2009-06-22 06:48 . 2009-02-18 01:06 -------- d-----w- c:\users\adriano\AppData\Roaming\BitTorrent
2009-06-22 02:11 . 2008-12-26 00:38 -------- d-----w- c:\programdata\Roxio
2009-06-16 01:50 . 2008-12-26 00:01 -------- d-----w- c:\users\adriano\AppData\Roaming\Skype
2009-06-16 01:38 . 2008-12-26 00:02 -------- d-----w- c:\users\adriano\AppData\Roaming\skypePM
2009-06-12 22:05 . 2009-01-01 23:01 -------- d-----w- c:\programdata\Microsoft Help
2009-06-12 21:44 . 2008-12-19 18:00 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-11 02:21 . 2008-12-19 18:18 -------- d-----w- c:\program files\Microsoft Works
2009-06-08 23:35 . 2008-12-26 02:10 -------- d-----w- c:\users\kelen\AppData\Roaming\Yahoo!
2009-06-08 17:57 . 2009-06-08 17:57 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2009-06-07 15:45 . 2009-01-15 22:18 -------- d-----w- c:\program files\DivX
2009-06-07 15:44 . 2009-04-15 02:23 -------- d-----w- c:\program files\Common Files\DivX Shared
2009-06-03 15:30 . 2009-01-20 00:38 -------- d-----w- c:\programdata\Installations
2009-06-03 15:27 . 2009-01-20 01:04 -------- d-----w- c:\program files\Common Files\Nokia
2009-06-03 13:51 . 2008-12-26 00:32 -------- d-----w- c:\users\adriano\AppData\Roaming\Yahoo!
2009-06-02 19:40 . 2009-01-05 12:29 -------- d-----w- c:\users\flavia\AppData\Roaming\Yahoo!
2009-06-02 19:33 . 2008-12-29 21:41 101856 ----a-w- c:\users\flavia\AppData\Local\GDIPFONTCACHEV1.DAT
2009-06-01 02:09 . 2009-06-01 02:09 262144 ----a-w- C:\ntuser.dat
2009-06-01 02:09 . 2008-12-25 16:22 -------- d-----w- c:\program files\Yahoo!
2009-06-01 02:09 . 2009-06-01 02:09 -------- d-----w- c:\programdata\Yahoo!
2009-06-01 02:09 . 2008-12-26 00:32 -------- d-----w- c:\programdata\Yahoo! Companion
2009-06-01 01:58 . 2009-06-01 01:55 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy
2009-06-01 01:55 . 2009-06-01 01:55 -------- d-----w- c:\program files\Common Files\Scanner
2009-05-28 02:04 . 2009-05-28 02:04 -------- d-----w- c:\users\adriano\AppData\Roaming\Flickr
2009-05-28 02:03 . 2009-05-28 02:03 -------- d-----w- c:\program files\Flickr Uploadr
2009-05-21 18:54 . 2009-05-21 18:53 -------- d-----w- c:\programdata\WinZip
2009-05-15 02:02 . 2009-05-15 02:02 -------- d-----w- c:\program files\Unity
2009-05-14 23:18 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-05-09 05:50 . 2009-06-11 00:37 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-09 05:34 . 2009-06-11 00:37 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-05-09 02:09 . 2009-02-09 01:07 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-01 21:51 . 2008-12-25 05:00 101856 ----a-w- c:\users\kelen\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-01 21:42 . 2008-12-25 16:05 101856 ----a-w- c:\users\adriano\AppData\Local\GDIPFONTCACHEV1.DAT
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx0c.dll
2009-05-01 21:02 . 2009-05-01 21:02 823296 ----a-w- c:\windows\system32\divx_xx07.dll
2009-05-01 21:02 . 2009-05-01 21:02 815104 ----a-w- c:\windows\system32\divx_xx0a.dll
2009-05-01 21:02 . 2009-05-01 21:02 811008 ----a-w- c:\windows\system32\divx_xx16.dll
2009-05-01 21:02 . 2009-05-01 21:02 802816 ----a-w- c:\windows\system32\divx_xx11.dll
2009-05-01 21:02 . 2009-05-01 21:02 685056 ----a-w- c:\windows\system32\DivX.dll
2009-04-23 12:42 . 2009-06-11 00:37 636928 ----a-w- c:\windows\system32\localspl.dll
2009-04-21 11:55 . 2009-06-11 00:37 2033152 ----a-w- c:\windows\system32\win32k.sys
2009-05-01 21:02 . 2009-05-01 21:02 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-01 21:02 . 2009-05-01 21:02 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-12-19 18:02 . 2008-12-19 18:02 76 --sh--r- c:\windows\CT4CET.bin
2008-12-19 23:23 . 2008-12-19 23:21 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"BitTorrent DNA"="c:\users\adriano\Program Files\DNA\btdna.exe" [2009-02-18 321344]
"googletalk"="c:\users\adriano\AppData\Roaming\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2009-05-26 24264488]
"Google Update"="c:\users\adriano\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-04-16 133104]
"Search Protection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2008-05-04 167936]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-11-12 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-03-06 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-03-06 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-03-06 133656]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-27 3563520]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-12-19 30192]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-12-21 184320]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-10-04 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-25 1948440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"YMailAdvisor"="c:\program files\Yahoo!\Common\YMailAdvisor.exe" [2008-06-05 125208]
"YSearchProtection"="c:\program files\Yahoo!\Search Protection\SearchProtection.exe" [2009-02-03 111856]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-06-19 68592]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-3 703280]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-12-19 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2008-2-22 1193240]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-5-11 525640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2008-12-19 18:22 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~3\GoogleDesktopNetwork3.dll c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{773AF746-145C-423A-85C8-B1A150CFC25D}"= c:\program files\Dell\MediaDirect\MediaDirect.exe:Dell MediaDirect
"{C5D7D5F4-FD3B-4409-B8F3-9C1DFB00FB9B}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{B02EF930-1E57-470B-8B6D-5D041C2A39CF}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{BBF96C42-904B-4425-A878-C958193D4B46}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{380D0500-E170-40F5-AC1C-41838E03CBF5}"= c:\program files\Skype\Phone\Skype.exe:Skype
"{77225A2B-F29C-4913-A5B6-D62FA33ABEC9}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{6C4AFC4D-902A-41D7-81CC-8CC971E158A5}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{E5497C45-169F-445F-A5D8-D74C2E20D249}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F4A32F14-17BA-4FF4-9C48-1482F09043F6}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7165BA5D-BB34-404F-9905-68558D47CE9F}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{DCAD8096-C4FA-48F6-9F45-9FF1AEFBC220}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{08141B50-F959-440B-B1A3-03ED78461004}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{F7701ABA-C77A-496F-8C28-5248A976876F}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{E6573D1F-D6EF-46C3-AE80-E1D409CC578D}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"TCP Query User{C723B025-4B54-44CE-B893-5BC2F6AEE908}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= UDP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"UDP Query User{C0FE67A4-CE07-4D54-B399-B51E6112E4F2}c:\\program files\\common files\\nokia\\service layer\\a\\nsl_host_process.exe"= TCP:c:\program files\common files\nokia\service layer\a\nsl_host_process.exe:Nokia Service Layer Host Process
"TCP Query User{E1077BC1-C6FA-47D7-AB19-66505CAF444B}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= UDP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"UDP Query User{540E61FE-500B-4526-A5A2-DB50BC1F9015}c:\\program files\\nokia\\nokia software updater\\nsu_ui_client.exe"= TCP:c:\program files\nokia\nokia software updater\nsu_ui_client.exe:Nokia Software Updater
"{0A250C5D-FAA2-42DC-98A8-E5A8FF20DBF7}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe
"{DA13687D-D0E8-4132-8CD0-B74D1DCE72F0}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe
"{95D206CB-EDCF-4B6A-8808-60C6B9F6083E}"= c:\program files\AVG\AVG8\avgnsx.exe:avgnsx.exe
"{39C769ED-4B55-41C1-8CD1-2B7F7576390A}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{33CE1F2E-4DFA-4190-807F-C3713025FC03}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{D49A89B4-352E-44C1-A6AA-5797E106FE59}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{A358433E-CDE9-42DF-BAC6-1C03B86F7873}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{91069196-3B8A-47F7-8943-5DF5800E846A}c:\\program files\\bittorrent\\bittorrent.exe"= UDP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"UDP Query User{6825808F-F97B-45B4-A0E6-2C442FA4BB1E}c:\\program files\\bittorrent\\bittorrent.exe"= TCP:c:\program files\bittorrent\bittorrent.exe:BitTorrent
"TCP Query User{46EA7947-894A-4FC1-B25A-1378574B7595}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{FE185843-306E-4DE6-B7A4-35901C1D9B5F}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{7A02F47D-3C65-48CA-8917-506760DCB014}c:\\program files\\java\\jre6\\bin\\javaw.exe"= UDP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"UDP Query User{CFC07E7C-577E-48F8-992A-9E902E3EC495}c:\\program files\\java\\jre6\\bin\\javaw.exe"= TCP:c:\program files\java\jre6\bin\javaw.exe:Java™ Platform SE binary
"TCP Query User{059A12F5-B36C-4DD8-BF3F-DFC4FD845A32}c:\\program files\\oneeko\\oneeko.exe"= UDP:c:\program files\oneeko\oneeko.exe:ONEEKO
"UDP Query User{92982878-84B4-441E-BAA3-044A9A8652F7}c:\\program files\\oneeko\\oneeko.exe"= TCP:c:\program files\oneeko\oneeko.exe:ONEEKO
"TCP Query User{B3A516B5-63E9-41D5-8493-BC9564DF299E}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{ADECA9D6-A705-49F2-B646-CD166D01120C}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [19/06/2009 02:00 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [08/02/2009 22:07 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [08/02/2009 22:07 108552]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\AEstSrv.exe [19/12/2008 12:45 73728]
R2 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [08/02/2009 22:06 906520]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [08/02/2009 22:06 298776]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\System32\drivers\IntcHdmi.sys [19/12/2008 20:39 111616]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [10/10/2007 16:03 235648]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [19/12/2008 20:39 7424]
S2 scpVista;scpVista;c:\program files\Scpad\scpVista.exe [15/02/2009 19:41 136448]
S3 GoogleDesktopManager-092308-165331;Gerenciador do Google Desktop 5.8.809.23506;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [19/12/2008 15:14 30192]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\System32\drivers\nmwcdnsu.sys [19/03/2009 13:48 136704]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\System32\drivers\nmwcdnsuc.sys [19/03/2009 13:48 8320]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [19/06/2009 01:59 348752]
S4 PS3 Media Server;PS3 Media Server;c:\program files\PS3 Media Server\win32\service\wrapper.exe [17/08/2008 05:40 217088]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - mchInjDrv

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,LaunchINFSectionEx c:\program files\Internet Explorer\clrtour.inf,DefaultInstall.ResetTour,,12
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-07-02 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-06-19 04:35]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869144217-1070373754-383600519-1001Core.job
- c:\users\adriano\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 02:48]

2009-07-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2869144217-1070373754-383600519-1001UA.job
- c:\users\adriano\AppData\Local\Google\Update\GoogleUpdate.exe [2009-04-16 02:48]

2009-06-26 c:\windows\Tasks\Norton Security Scan for kelen.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 23:20]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://br.yahoo.com/?fr=fp-yie8
IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: c:\windows\system32\wpclsp.dll
FF - ProfilePath - c:\users\adriano\AppData\Roaming\Mozilla\Firefox\Profiles\fn6il6mb.default\
FF - prefs.js: browser.search.defaulturl - hxxp://cade.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://br.yahoo.com/?fr=fp-yie8
FF - prefs.js: keyword.URL - hxxp://cade.search.yahoo.com/search?ei=UTF-8&fr=ytff-tyc&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1601.7122\npCIDetect13.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Unity\WebPlayer\loader\npUnity3D32.dll
FF - plugin: c:\users\adriano\Program Files\DNA\plugins\npbtdna.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 23:16
Windows 6.0.6001 Service Pack 1 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'lsass.exe'(624)
c:\program files\Scpad\scpLIB.dll
c:\program files\Scpad\scpMIB.dll
c:\program files\Scpad\sshib.dll

- - - - - - - > 'Explorer.exe'(256)
c:\program files\Scpad\scpLIB.dll
c:\program files\Scpad\scpMIB.dll
c:\program files\Scpad\sshib.dll
.
Tempo para conclusão: 2009-07-02 23:18
ComboFix-quarantined-files.txt 2009-07-02 02:18
ComboFix2.txt 2009-06-29 02:54
ComboFix3.txt 2009-06-29 02:36

Pré-execução: 40.201.363.456 bytes disponíveis
Pós execução: 40.187.510.784 bytes disponíveis

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
301 --- E O F --- 2009-06-29 21:17



(I´m downloading Kapersky at this moment...)
Go to the top of the page
 
+Quote Post
Tomk
post Jul 1 2009, 08:39 PM
Post #6


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,226
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp
thumbup.gif
Go to the top of the page
 
+Quote Post
Caderudo
post Jul 1 2009, 11:31 PM
Post #7


New Member
*

Group: Authentic Member
Posts: 6
Joined: 20-June 09
From: Brazil
Member No.: 86,345
Operating System: Windows Vista Home Premium
and now the Kaspersky scan report...


KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, July 2, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Thursday, July 02, 2009 02:25:15
Records in database: 2413044


Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes

Scan area My Computer
C:\
D:\
E:\

Scan statistics
Files scanned 138936
Threat name 1
Infected objects 10
Suspicious objects 0
Duration of the scan 02:09:18

File name Threat name Threats count
C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\01DA4QT1\fc[1].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\01DA4QT1\fc[2].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\01DA4QT1\launch[1].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\249WP3V0\fc[1].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\249WP3V0\fc[2].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J06RZ4X7\launch[1].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UL0T9BVL\launch[2].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WPLCJ0E1\fc[1].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WPLCJ0E1\fc[2].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

C:\Users\kelen\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WPLCJ0E1\launch[1].htm Infected: Trojan-Clicker.HTML.IFrame.ail 1

The selected area was scanned.
[color="#0000FF"][/color]


But when I execute CA Antispy (from yahoo toolbar) the "bancos ipa trojan" is still found.

Tks!

Caderudo
Go to the top of the page
 
+Quote Post
Tomk
post Jul 1 2009, 11:47 PM
Post #8


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,226
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp
Caderudo,

Does CA say what file it is finding related to the infection?

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot (shut down your computer then restart it).
Go to the top of the page
 
+Quote Post
Caderudo
post Jul 2 2009, 11:10 PM
Post #9


New Member
*

Group: Authentic Member
Posts: 6
Joined: 20-June 09
From: Brazil
Member No.: 86,345
Operating System: Windows Vista Home Premium
Hi, I did as you told, (the sw is in portuguese) but it find no problems... But CA AntiSpy still finds "Bancos IPA"

Regards,

Adriano

Malwarebytes' Anti-Malware 1.38
Versão do banco de dados: 2366
Windows 6.0.6001 Service Pack 1

03/07/2009 02:06:57
mbam-log-2009-07-03 (02-06-57).txt

Tipo de Verificação: Completa (C:\|D:\|)
Objetos verificados: 258551
Tempo decorrido: 1 hour(s), 23 minute(s), 2 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 0
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 0

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
(Nenhum ítem malicioso foi detectado)

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
(Nenhum ítem malicioso foi detectado)
Go to the top of the page
 
+Quote Post
Tomk
post Jul 2 2009, 11:15 PM
Post #10


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,226
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp
Caderudo,

Does CA say what file it is finding related to the infection?
Go to the top of the page
 
+Quote Post
Caderudo
post Jul 3 2009, 07:10 PM
Post #11


New Member
*

Group: Authentic Member
Posts: 6
Joined: 20-June 09
From: Brazil
Member No.: 86,345
Operating System: Windows Vista Home Premium
When I click on Details at report list I got:

Type: key
hkey_current_user\software\microsoft\windows\currentversion\ext\stat\{c41a1c0e-ea6c-11d4-b1b8-444553540008}
Go to the top of the page
 
+Quote Post
Tomk
post Jul 5 2009, 08:06 PM
Post #12


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,226
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp
Caderudo,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :reg
    hkey_current_user\software\microsoft\windows\currentversion\ext\stat /sub

    :file
    %System%\Msvbvm60.dll
    %System%\Winmaxy.exe

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Go to the top of the page
 
+Quote Post
Tomk
post Jul 12 2009, 11:35 PM
Post #13


Forum God
Group Icon

Group: Classroom Teacher
Posts: 11,226
Joined: 27-December 07
From: Sisters, OR
Member No.: 75,503
Operating System: xp
Due to inactivity this topic will be closed.
If you need help please start a new thread and post a new HJT log
Go to the top of the page
 
+Quote Post
« Next Oldest · Infections Removal · Next Newest »
 

Closed TopicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 
RSS Time is now: 21st November 2009 - 01:00 AM
Advertisements do not imply our endorsement of that product or service. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk.
Member site: Alliance of Security Analysis Professionals | UNITE Against Malware
Memory Forums | Auto Repair Forum
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy
Powered By IP.Board © 2009  IPS, Inc.