Rootkit 00000001.@, 800000cb.@ & 80000000.@


  • This topic is locked
25 replies to this topic

#1 Vítor Cunha

  • Members
  • 13 posts

Posted 24 July 2012 - 02:09 PM

Hello!

According to my searches, what I face is a Zero Access/Trojan Horse/rootkit.
It is located on my mother's PC (the one I'm typing from). According to her, an "Adobe" update reminder kept popping up endlessly and she allowed it to run after closing the window many times. (It always showed up again just as she closed the window.) She has no more details.

What I face now is a McAfee window popping up every 20~30 seconds saying a trojan horse has been found and moved to quarantine, and that I did not have to take any action.
The files it detects as the malware are:
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\U\80000000.@
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\U\800000cb.@
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\U\00000001.@

The first two, now, are the two that are shown the most, always in order, one right after the other. While I was finding out what my malware was and trying to find an answer, approx. half an hour ago (when I came across this website), it was the third that kept popping up.
I tried to browse the folder and I had to turn off/uncheck "Hide system protected files (Recommended)" (or something like that; my OS is not in English).
I also noticed the option keeps getting checked again.

In the folder there is only the 00000001.@ file.
Other files in the folder "{86f64cf2-6bb0-4186-ae52-26fadd963751}" are "@" ("system file"), "n" ("system file") and a folder "L", nothing inside.

Possible extra info: As soon as she called me to take a look, there was an icon next to the clock of a person-like green doll. It was not Messenger's. While my cursor was on it, no text balloon was shown. I opened the task manager and closed (not sure if typed correctly, but almost) tbispc.exe. I took my mouse to the icon and it disappeared.

Since you insist on not running any program unless told to, I decided to post here. Looking forward to being helped.

I'm running on 64-bit; GMER just won't run. The log:


.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385 BrowserJavaVersion: 10.4.1
Run by Vera Cunha at 15:15:23 on 2012-07-24
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.55.1046.18.3895.1050 [GMT -3:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\PROGRA~2\GbPlugin\GbpSv.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\STacSV64.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\AESTSr64.exe
C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files (x86)\Bonjour\mDNSResponder.exe
c:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
C:\Windows\SysWOW64\svchost.exe -k hpdevmgmt
C:\Program Files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\system32\mfevtps.exe
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
C:\Program Files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray64.exe
C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files (x86)\Nokia\Nokia Internet Modem\Wellphone2.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\mcafee.com\agent\mcagent.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Users\Vera Cunha\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Skype\Phone\Skype.exe
C:\Program Files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe
C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Program Files\Common Files\McAfee\Core\mchost.exe
C:\Program Files\mcafee\VirusScan\mcods.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\explorer.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
mWinlogon: Userinit=userinit.exe,
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20120627175529.dll
BHO: Auxiliar de Conexão do Windows Live ID: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Windows Live Messenger Companion Helper: {9fdde16b-836f-4806-ab1f-1455cbeff289} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
BHO: Skype Browser Helper: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
BHO: GbIehObj Class: {c41a1c0e-ea6c-11d4-b1b8-444553540008} - C:\Program Files (x86)\GbPlugin\gbiehuni.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\jp2ssv.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB: HP Smart Web Printing: {555d4d79-4bd2-4094-a395-cfc534424a05} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_bho.dll
uRun: [cdloader] "C:\Users\Vera Cunha\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
uRun: [Nokia Internet Modem] "C:\Program Files (x86)\Nokia\Nokia Internet Modem\WellPhone2.exe" /background
uRunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil11e_Plugin.exe -update plugin
mRun: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
mRun: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
StartupFolder: C:\Users\VERACU~1\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\ADOBEG~1.LNK - C:\Program Files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xportar para o Microsoft Excel - C:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {0000036B-C524-4050-81A0-243669A86B9F} - {B63DBA5F-523F-4B9C-A43D-65DF1977EAD3} - C:\Program Files (x86)\Windows Live\Companion\companioncore.dll
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
Trusted Zone: celebrationtt.com\www
Trusted Zone: com.br\www.bb
Trusted Zone: com.br\www14.bancobrasil
Trusted Zone: com.br\www2.bancobrasil
Trusted Zone: sahacampos.com.br
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
TCP: Interfaces\{1ED794FB-5B88-42D7-B302-650D4913A9C6} : DhcpNameServer = 192.168.1.1
TCP: Interfaces\{1ED794FB-5B88-42D7-B302-650D4913A9C6}\563707962716E64656C6C696 : DhcpNameServer = 192.168.0.1
Filter: application/x-mfe-ipt - {3EF5086B-5478-4598-A054-786C45D75692} - c:\PROGRA~2\McAfee\msc\McSnIePl.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\PKMCDO.DLL
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
Notify: GbPluginUni - C:\Program Files (x86)\GbPlugin\gbiehUni.dll
SEH: GbPluginObj Class: {e37cb5f0-51f5-4395-a808-5fa49e399008} - C:\Program Files (x86)\GbPlugin\gbiehuni.dll
{0347C33E-8762-4905-BF09-768834316C61}
{18DF081C-E8AD-4283-A596-FA578C2EBDC3}
{27B4851A-3207-45A2-B947-BE8AFE6163AB}
{3049C3E9-B461-4BC5-8870-4C09146192CA}
{53707962-6F74-2D53-2644-206D7942484F}
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}
{9030D464-4C02-4ABF-8ECC-5164760863C6}
{9FDDE16B-836F-4806-AB1F-1455CBEFF289}
{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}
{C41A1C0E-EA6C-11D4-B1B8-444553540008}
{DBC80044-A445-435b-BC74-9C25C1C588A9}
{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}
TB-X64: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
EB-X64: {555D4D79-4BD2-4094-A395-CFC534424A05} - No File
mRun-x64: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
mRun-x64: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
mRun-x64: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe"
mRun-x64: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
mRunOnce-x64: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"
IE-X64: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
SEH-X64: {E37CB5F0-51F5-4395-A808-5FA49E399008}: GbPlugin ShlObj
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - C:\Users\Vera Cunha\AppData\Roaming\Mozilla\Firefox\Profiles\oxxpm67a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\progra~2\mcafee\msc\npMcSnFFPl.dll
FF - plugin: C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Update\1.3.21.115\npGoogleUpdate3.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\4.0.60129.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
FF - plugin: C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
FF - plugin: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: C:\Users\Vera Cunha\AppData\Roaming\Mozilla\Firefox\Profiles\oxxpm67a.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E886C}\plugins\npgbfnc_bb.dll
FF - plugin: C:\Users\Vera Cunha\AppData\Roaming\Mozilla\Firefox\Profiles\oxxpm67a.default\extensions\{87F8774F-B485-47E2-A755-A40A8A5E8873}\plugins\npgbfnc_uni.dll
FF - plugin: C:\Windows\system32\npDeployJava1.dll
FF - plugin: C:\Windows\system32\npmproxy.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32.dll
.
============= SERVICES / DRIVERS ===============
.
.
=============== Created Last 30 ================
.
2012-07-24 16:45:15 328704 ----a-w- C:\Windows\System32\zz-services.tmp
2012-07-24 16:33:37 426184 ----a-w- C:\Windows\SysWow64\FlashPlayerApp.exe
2012-07-24 16:28:38 352256 ----a-w- C:\Users\Vera Cunha\AppData\Local\tbipsc.exe
2012-07-24 12:20:28 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8246A1BB-A0A7-4EAE-ADCE-45BC5623DBDC}
2012-07-24 12:20:15 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{BF255E6B-C06D-437D-906C-847D43BEDB06}
2012-07-24 12:20:04 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{981ED634-52C6-4D60-9C07-BC131F9C0846}
2012-07-24 12:19:41 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{6339532D-D754-459B-8047-606BA332CD55}
2012-07-24 00:19:12 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{1FF4402B-B0FE-45BA-8627-19EEA004EEAB}
2012-07-24 00:19:01 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{1DC4E981-6EF7-415B-A227-45C97C6A66E6}
2012-07-24 00:18:49 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{211F177E-8B95-4472-8035-C4E5169F1E88}
2012-07-24 00:18:26 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C36C932C-AB06-4CDE-BB7E-ADF0F53F1E96}
2012-07-23 12:17:17 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{DD3BD2D0-D983-47AC-8D56-080A9A339A6C}
2012-07-23 12:17:05 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{4C88DFDC-3E8E-497E-8FC4-754CF341789B}
2012-07-23 12:16:40 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{CDEC319E-FB2E-43B6-B258-8AB1184EBE31}
2012-07-23 12:16:28 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{26802D75-F560-4387-9B0C-6646CA62AFA8}
2012-07-23 12:15:58 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{9065DDCB-DCDD-439B-9A50-9957420AC3DF}
2012-07-23 12:15:41 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C9DC6E1C-EF8E-418B-AD9A-F1081CAA02FF}
2012-07-22 00:34:59 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{43A33E05-18FD-43AE-8E1D-5308AC7DA551}
2012-07-22 00:34:46 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{65732F14-8E18-438D-9113-FBA4A9FC7C71}
2012-07-22 00:34:33 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{FF668F41-971A-4993-9078-1A34AB87C720}
2012-07-22 00:34:08 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{63E896F7-016D-4DE8-976D-208EC4108466}
2012-07-21 12:33:53 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{59E9CFD3-7FBB-4B09-9752-21130257AEAB}
2012-07-21 12:33:40 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{29A794EA-19C5-4A22-BBC7-E07AE6E374ED}
2012-07-21 12:33:27 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{11DEE701-57CF-4513-8357-F4A0723535A5}
2012-07-21 12:32:58 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{DDE57FDA-4D13-4842-8D26-C55BA8B03B9F}
2012-07-21 00:31:21 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{4DB79238-6437-44CF-96BB-3C604ED1588D}
2012-07-21 00:31:06 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{ED10C42E-5044-4EAF-B3AB-FC69AC666CFE}
2012-07-21 00:30:18 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{D90A77B0-A3F3-427E-B5A8-7272B195CE35}
2012-07-21 00:27:41 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8B017D5C-E4E0-4F16-8468-F1A472D57758}
2012-07-20 12:25:59 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{DA3BA936-3379-49F0-AC38-CD45562C11F5}
2012-07-20 12:25:26 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{1F85224A-F4F9-4963-8F48-294777F0ED14}
2012-07-20 12:24:59 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{6E2F94B5-9202-48AD-912E-CB03B02D3158}
2012-07-19 12:38:49 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{176C34D4-5DE6-432A-97B8-2481AE922E3F}
2012-07-19 12:38:23 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{496A27FE-1568-4B2A-A36A-EB4193776946}
2012-07-19 00:08:39 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{D18346A0-5448-4977-9397-3D0EB59F7490}
2012-07-19 00:08:28 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{7872B03E-B21B-4E89-ADB5-98DC9B0F95E3}
2012-07-19 00:08:17 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{A3AE32CC-5A1B-4932-9534-72639B0E7A8E}
2012-07-19 00:07:50 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{16FB078C-6B30-47F2-BE16-7499E747870D}
2012-07-18 12:06:04 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{79A2E6BA-434A-45D6-8D4E-622BB6AEA9E7}
2012-07-18 12:05:26 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{1EEEA92D-C28A-4041-AA29-7840941972AC}
2012-07-17 23:54:12 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{A5A3B94D-A01F-441E-9D69-9431EB8F9770}
2012-07-17 23:54:02 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{650F8853-F4F6-4CF9-A336-767BF85CC2D1}
2012-07-17 23:53:51 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{7C86BBC9-5E15-413D-95B9-F34E25CF1D1D}
2012-07-17 23:53:40 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C6B633EE-7B8C-48D8-AF99-DAC71D0E3FE7}
2012-07-17 23:53:13 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C5B72F42-7CE7-4A5F-B394-03979F555B7C}
2012-07-17 11:52:29 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{21A8B8B4-D300-4AE1-BC2C-86CD3BBA0143}
2012-07-17 11:52:16 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{4B65EDDF-432E-4E84-9190-26119C1320A3}
2012-07-17 11:51:59 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8A0F2EB0-4E97-4403-8F39-8E8C431DFB33}
2012-07-17 11:51:30 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{A0E463C2-97A2-4FF9-BF5F-43972A805E31}
2012-07-16 22:55:45 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{A7BC9FFE-7920-49D4-867B-885E9850D345}
2012-07-16 22:55:34 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{27229BEC-0A88-4965-A762-1E80B878537B}
2012-07-16 22:55:24 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{DFB4018B-8B9C-466C-BCD5-1D84A764FCC3}
2012-07-16 22:54:33 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C253362E-DBC8-4955-AA5C-C60D3810BCF8}
2012-07-16 10:54:14 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C2C40EAA-7C09-4AFA-A266-2F40E06C05A5}
2012-07-16 10:53:35 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{816687AF-2C15-4B97-A38E-05B368202469}
2012-07-15 14:44:28 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{03EA176A-78DD-4C2E-BF47-C21EFCDDC595}
2012-07-15 14:44:12 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{10BF033B-91A4-4295-B37D-1D40593A7D48}
2012-07-14 22:47:49 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{A3ABDDB3-F58D-4071-8440-3967532EA70E}
2012-07-14 22:47:25 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{108C6DAB-9548-42E8-872A-A02C40EF0002}
2012-07-14 10:46:32 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{64D37D1F-FD21-4077-858D-833C663B8FEC}
2012-07-14 10:45:52 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{D47F65E8-BB6A-4B4F-98FE-116CE744EF4F}
2012-07-13 12:47:24 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{4E9124D1-5A10-43F1-966F-E48710449005}
2012-07-13 12:47:13 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{928CBBD6-43FD-4018-9758-341F18D331C6}
2012-07-13 12:47:02 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{08F7B07D-312A-4A6B-BA32-5B933AA235A9}
2012-07-13 12:46:50 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{579C3464-05E0-4D11-B41B-407FEE0DF599}
2012-07-13 12:46:39 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{DEB8C10B-1DE9-4ACE-B3F3-3229E13CE2D4}
2012-07-13 12:46:14 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{EE19A99A-2C32-4A71-A5BC-12ABE02DBE06}
2012-07-13 00:46:00 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{16886974-E4BE-407B-A2BC-32EE589CC0BA}
2012-07-13 00:45:49 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{D0487309-D376-48DC-B5A5-F44243B86369}
2012-07-13 00:45:37 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{284F3E1D-812A-40B2-8301-BFD3B94B96E1}
2012-07-13 00:45:25 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{891B0C74-C9C9-4762-8A18-E90ABD5CB789}
2012-07-13 00:45:02 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8F5700AD-B086-46D8-B17B-D16684BB98D4}
2012-07-12 12:44:36 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{898490F0-4EB9-4C82-9EC5-F9346F0E3F99}
2012-07-12 12:43:51 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{431189A2-AD9B-41DD-A14D-3A107375F2F8}
2012-07-12 12:43:26 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C975EF65-997A-427D-B392-B8C47FC244F0}
2012-07-12 00:38:31 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{FD925332-0998-4C93-8780-58695303E36A}
2012-07-12 00:38:07 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{21325585-5A14-4309-9B0D-D2D0D278B599}
2012-07-11 12:37:18 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8E1AF527-BE9B-4984-B426-BFE3851C38A3}
2012-07-11 12:36:29 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{9091EA8F-49F3-492A-A9D9-6AE09AD23FFF}
2012-07-11 12:17:29 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{D8F0FA49-5324-40C1-97F4-4D7D1B19CC24}
2012-07-11 12:13:11 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{B93DE15F-E903-40E6-96A0-3C60794BD7D7}
2012-07-10 12:22:33 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8A0EF5CD-FFE5-4A70-B3F7-1959E13A805B}
2012-07-10 12:22:17 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{AE8071E5-3B5A-4FB4-A465-E6C7353198F3}
2012-07-10 12:22:04 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{58000694-92E2-4180-A981-EAB4804CF7B4}
2012-07-10 12:21:35 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8A7997AA-7BC5-4426-9660-17B66AE5E9C2}
2012-07-09 12:33:56 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{691C702C-F4E9-4DDC-AEBA-37D9B0C6D76A}
2012-07-09 12:33:33 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{B7547850-CB21-4DF1-893B-47B34F8BBA8F}
2012-07-08 12:44:01 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{86EE1BF8-EB6F-4794-A310-80496803D99A}
2012-07-08 12:43:33 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{E535DF2B-6EE3-43EB-BE90-6DA2FF12B728}
2012-07-08 00:43:14 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{2A044888-09D8-4263-84FE-81398E07A3C1}
2012-07-08 00:42:50 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{6B7CF296-19C1-4423-9100-DED39C36A942}
2012-07-07 12:42:07 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{856E2AB0-7DB4-4B69-8E08-DE0A598F1CEC}
2012-07-07 12:41:55 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{6C7B28FC-19BF-472A-A028-2299A9531255}
2012-07-07 12:41:29 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{70DBCA52-AD96-4E14-B0B4-5AA9EBB85BCB}
2012-07-07 12:41:06 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{50CE74D7-D9D2-4A3C-89AD-28A99023800E}
2012-07-07 00:40:35 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{FBD6B1E4-97D6-448A-A1EF-A51F31162462}
2012-07-07 00:40:22 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{DAF9239F-937B-4404-959F-026128D5636B}
2012-07-07 00:40:11 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{E4728550-A2D5-4A4F-8D62-7C5CEFE99E6F}
2012-07-07 00:39:46 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{1DE66ED9-8676-4B0D-A067-5CB52331089B}
2012-07-06 12:39:33 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{F4A3F422-11E5-44B8-BD5D-D4CD90AE340E}
2012-07-06 12:39:22 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{F6A79A69-6769-4B94-A604-5DCA5A1942A1}
2012-07-06 12:39:11 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{F9438A94-38FD-49A0-97EE-4EBC46D9647C}
2012-07-06 12:39:00 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8BF93D1F-F6B7-4FC0-9C03-3C20965F1063}
2012-07-06 12:38:37 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{25928ED9-984D-4017-88FE-E6C0BFC98220}
2012-07-06 00:38:06 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{F585C2B8-F5CB-4B4E-BE76-B85E052F825D}
2012-07-06 00:37:40 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{1C1215C1-B9C4-4A18-A5F3-42F5DBFF74AA}
2012-07-05 12:37:13 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{2DB899E3-A4C8-4D37-80B3-02AA55EF3692}
2012-07-05 12:36:49 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8A0E37A4-AA46-40AC-A7BA-A36A1AF07B7A}
2012-07-05 12:36:37 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{BDE15075-2325-4C95-8519-436789E60A7F}
2012-07-05 12:36:25 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C9661677-7F53-412D-9658-8CC1B5FB5151}
2012-07-05 12:36:13 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{7AA7DBA3-F393-40F5-B78E-19F430119AFE}
2012-07-05 12:35:58 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{D93B59F7-B060-4128-9E94-3BCF54B641CC}
2012-07-04 12:40:54 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C062D17B-0B52-4A21-908D-14E53D9F4C6A}
2012-07-04 12:40:44 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{32145213-FF8C-49A8-B9F8-2F4396B81CB1}
2012-07-04 12:40:30 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{770DC9B1-5C32-4E9A-BE32-EF66D9BFBA5A}
2012-07-04 12:40:19 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{AFFF109C-E6A3-4AB2-B040-CB5F04CC9098}
2012-07-04 12:39:57 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{89CF39E0-BEAF-4081-A8E3-9B3F8E92C843}
2012-07-04 00:39:30 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{3E5631A4-0EC7-4285-A4FD-3346C9194783}
2012-07-04 00:39:19 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{ABDF4A0B-CC2D-48CD-BCDA-9DD8E358406E}
2012-07-04 00:39:09 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{43AD5AF3-CC72-42EC-B5D6-45A67850B45E}
2012-07-04 00:38:58 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{BD51D433-4E0C-479E-8419-A784CCF4C408}
2012-07-04 00:38:29 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{2BD26DAA-468C-4510-BEC5-0A5E6C5C496C}
2012-07-03 12:38:17 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{E16293D3-6E3C-4E6B-A57F-2591B5B97090}
2012-07-03 12:38:06 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{39CAEBEF-3713-467A-A26B-DAC8DA2035C4}
2012-07-03 12:37:55 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{A9FBF747-9FA2-4CE9-BF4C-4A2FFD6F9E4B}
2012-07-03 12:37:44 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8B590AB4-3CEF-441E-A7F3-9554E14108A6}
2012-07-03 12:37:19 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{2915888D-9D31-44B1-92AA-5B2DC6E7DAB4}
2012-07-03 00:36:50 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{CE82DA88-BF03-4A41-BEDB-D17B0AC37914}
2012-07-03 00:36:39 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{2AF4FDAC-58D7-4988-8197-287147B49374}
2012-07-03 00:36:28 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{7A50AF59-6F02-4670-BEF8-95A4357B0FD8}
2012-07-03 00:36:14 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{A825D78D-F272-46FB-9CC3-DD270296A678}
2012-07-02 12:36:01 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{BE0290B8-CEF1-4DDD-96EA-CC516CB4A6FC}
2012-07-02 12:35:50 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{F3376D47-06BD-45C6-9A80-52763B57F9BF}
2012-07-02 12:35:39 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{E56860A0-F8FF-4BD7-A9E2-E5B178844155}
2012-07-02 12:35:17 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{6216B1D8-25BD-4F53-9B6D-960A83B78F73}
2012-07-02 00:35:04 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{7BFB0DD0-BF60-46C9-9D75-A05E08C030DF}
2012-07-02 00:34:53 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8004790E-DC62-4EA7-9807-D3F293611AC8}
2012-07-02 00:34:42 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{DEB85307-8ADB-4EC6-8152-08FBC1AFCC7C}
2012-07-02 00:34:20 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{B1A63AB5-796E-451D-825B-036974374D00}
2012-07-01 12:33:23 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{7886E2F6-5346-4C3D-8C63-85A1261538AB}
2012-07-01 12:33:10 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{8CE67C39-079F-4D15-AE68-4B906AF6A53A}
2012-06-30 00:14:57 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{AD2AD4A2-03BC-4C4F-A9FF-98CC19F223EE}
2012-06-30 00:11:19 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{74B1322C-2427-4CB2-BB2A-7538DD8F26EC}
2012-06-29 11:38:27 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{6311634A-DB2D-4BCF-9679-6EC14C5E5533}
2012-06-29 11:38:16 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{616BC1E6-3A2D-441F-91A1-76EB6568AF15}
2012-06-29 11:38:05 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{7DDFA95F-6E35-4A69-80C2-258FAEFA767F}
2012-06-29 11:37:42 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{30868A99-ACDA-4861-B2E0-9A349957DCD1}
2012-06-29 11:33:45 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{AD7781F3-8127-4CE5-897C-4CF2A05B8F0B}
2012-06-28 12:45:35 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{940A6640-4DA6-47B6-8B70-F5BE7FDD34F5}
2012-06-28 12:45:06 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{10313172-BEF0-4729-9D8C-D1D24F23B6A5}
2012-06-27 12:35:23 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{C318CC76-4837-4F5D-96ED-6639BA3CABD2}
2012-06-27 12:35:09 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{F891F258-41E4-49F6-8D93-98D5693122F8}
2012-06-26 14:20:59 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{95BA926A-7E3B-40D1-83EC-378475A452B6}
2012-06-26 14:20:48 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{6149D465-4CCC-4E01-985A-903B53DF7942}
2012-06-26 14:20:34 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{E34F6293-699A-4879-9C07-2A0706DC6A42}
2012-06-26 14:20:23 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{3C16563E-C746-40C1-89E1-0EE7951ECEEC}
2012-06-26 14:20:02 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{4CD12C78-BD15-43EE-939E-0C619DDFA732}
2012-06-26 06:00:18 40960 ----a-w- C:\Windows\DelPiv.exe
2012-06-26 06:00:18 -------- d-----w- C:\Windows\Profiles
2012-06-26 06:00:18 -------- d-----w- C:\Program Files (x86)\Prismatic Software
2012-06-26 02:19:35 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{ABA08EC1-6761-4D4D-B871-60F0A56E1466}
2012-06-26 02:19:24 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{FB567219-03D7-46BA-A47A-668CE373F19C}
2012-06-26 02:19:14 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{FE5834F6-0B0B-40E6-848C-1129239D9095}
2012-06-26 02:18:36 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{E13B673F-BAA7-45BA-BF57-55DDEAE4B56B}
2012-06-25 12:23:57 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{108AECE7-2332-42EA-9C84-E446791F25AA}
2012-06-25 12:23:44 -------- d-----w- C:\Users\Vera Cunha\AppData\Local\{6A34BA7D-FA74-4CED-A8D3-4770E66237EC}
.
==================== Find3M ====================
.
2012-07-24 16:33:37 70344 ----a-w- C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-16 21:11:19 33344 ----a-w- C:\Windows\System32\drivers\hamachi.sys
.
============= FINISH: 15:26:08,33 ===============

#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,360 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:15 PM

Posted 25 July 2012 - 11:57 AM

Please run the following:

Download Farbar Recovery Scan Tool and save it to a flash drive.

Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Use the arrow keys to select the Repair your computer menu item.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
To enter System Recovery Options by using the Windows installation disc:
  • Insert the installation disc.
  • Restart your computer.
  • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
  • Click Repair your computer.
  • Choose your language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:
  • Startup Repair
  • System Restore
  • Windows Complete PC Restore
  • Windows Memory Diagnostic Tool
  • Command Prompt

  • Select Command Prompt.
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under the File menu select Open.
  • Select "Computer", find your flash drive letter and close the notepad.
  • In the command window type e:\frst.exe (for the x64 version type e:\frst64) and press Enter.
    Note: Replace the letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to the disclaimer.
  • Place a check next to List Drivers MD5 as well as the default check marks that are already there.
  • Press the Scan button.
  • FRST will let you know when the scan is complete and has written FRST.txt to file. Close out this message, then type the following into the search box:
    services.exe
  • Now press the Search button.
  • When the search is complete, Search.txt will also be written to your USB drive.
  • Type exit and reboot the computer normally.
  • Please copy and paste both logs (FRST.txt and Search.txt) in your reply.
The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013
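The search step in the post above has a specific purpose: it lists every services.exe on the disk with its size and MD5, so the copy Windows boots from (C:\Windows\System32) can be compared against the untouched copy Windows keeps in the WinSxS component store. The ZeroAccess variant circulating in mid-2012 patched services.exe in place, so the infected file keeps its size, timestamps and "Microsoft Corporation" version string and only the hash changes; that is exactly what the Search.txt posted later in this thread shows (same 328704-byte size, two different MD5s). Running FRST from the recovery environment matters because the hashes are then read without the running rootkit's hooks in the way. The following Python is an added editorial example, not CatByte's tooling and not part of FRST: it parses FRST's Search.txt format and flags a live binary whose size matches a component-store copy but whose hash does not. The sample input is constructed from the two services.exe entries posted in this thread, and the regular expression for FRST's detail line is an assumption based on those lines.

```python
import re
from collections import defaultdict

# Sample input, constructed for this example from the two services.exe
# entries in the Search.txt posted in this thread.
SAMPLE_SEARCH_TXT = """\
================== Search: "services.exe" ===================

C:\\Windows\\winsxs\\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\\services.exe
[2009-07-13 20:19] - [2009-07-13 22:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\\Windows\\System32\\services.exe
[2009-07-13 20:19] - [2009-07-13 22:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======
"""

# Assumed layout of FRST's detail line (derived from the posted log):
# [created] - [modified] - size attributes (company) MD5
DETAIL_RE = re.compile(
    r"^\[(?P<created>[^\]]*)\] - \[(?P<modified>[^\]]*)\] - "
    r"(?P<size>\d+) (?P<attrs>\S+)(?: \((?P<company>[^)]*)\))? "
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)


def parse_frst_search(text):
    """Return one dict per file entry found in an FRST Search.txt."""
    entries = []
    pending_path = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("="):
            pending_path = None          # header, footer or separator
            continue
        m = DETAIL_RE.match(line)
        if m and pending_path:
            entries.append({
                "path": pending_path,
                "created": m["created"],
                "modified": m["modified"],
                "size": int(m["size"]),
                "attrs": m["attrs"],
                "company": m["company"] or "",
                "md5": m["md5"].upper(),
            })
            pending_path = None
        elif ":\\" in line:
            pending_path = line          # a Windows path starts the next entry
    return entries


def find_mismatches(entries):
    """Compare every file outside WinSxS with the component-store copies of
    the same file name. A live file with the same size as a store copy but a
    different MD5 is the signature of an in-place patch."""
    by_name = defaultdict(lambda: {"store": [], "live": []})
    for e in entries:
        bucket = "store" if "\\winsxs\\" in e["path"].lower() else "live"
        by_name[e["path"].rsplit("\\", 1)[-1].lower()][bucket].append(e)

    findings = []
    for groups in by_name.values():
        store_hashes = {s["md5"] for s in groups["store"]}
        for live in groups["live"]:
            if live["md5"] in store_hashes:
                continue                 # identical to a known-good copy
            same_size = [s for s in groups["store"] if s["size"] == live["size"]]
            if same_size:
                verdict = "size matches the WinSxS copy but MD5 differs: likely patched in place"
                ref = same_size[0]["md5"]
            elif groups["store"]:
                verdict = "no WinSxS copy with this hash or size: check the version manually"
                ref = groups["store"][0]["md5"]
            else:
                verdict = "no WinSxS reference copy found"
                ref = None
            findings.append({"path": live["path"], "md5": live["md5"],
                             "reference_md5": ref, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in find_mismatches(parse_frst_search(SAMPLE_SEARCH_TXT)):
        print(f"{f['path']}\n  md5 {f['md5']} vs store {f['reference_md5']}\n  {f['verdict']}")
```

One caveat when reading the result: after Windows updates the component store can hold several versions of the same binary, so a hash that matches no store copy is only suspicious when the version in the winsxs folder name (6.1.7600.16385 here) is the one the live file should be; the same-size-different-hash case is the strong signal.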

#3 Vítor Cunha

Vítor Cunha
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  • Local time:06:15 PM

Posted 26 July 2012 - 07:31 AM

First of all, thanks a lot for your reply, CatByte. I really appreciate what you and your partners are voluntarily doing here. Thanks in advance.
I'm posting both .txt files now.

Search.txt:

Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SISTEMA at 2012-07-26 02:45:40
Running from E:\

================== Search: "services.exe" ===================

C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe
[2009-07-13 20:19] - [2009-07-13 22:39] - 0328704 ____A (Microsoft Corporation) 24ACB7E5BE595468E3B9AA488B9B4FCB

C:\Windows\System32\services.exe
[2009-07-13 20:19] - [2009-07-13 22:39] - 0328704 ____A (Microsoft Corporation) 014A9CB92514E27C0107614DF764BC06

====== End Of Search ======

FRST.txt:

Scan result of Farbar Recovery Scan Tool Version: 25-07-2012 01
Ran by SISTEMA at 26-07-2012 02:41:43
Running from E:\
Windows 7 Home Basic (X64) OS Language: Portuguese Brazilian
The current controlset is ControlSet001

========================== Registry (Whitelisted) =============

HKLM\...\Run: [SynTPEnh] %ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe [1890088 2009-12-23] (Synaptics Incorporated)
HKLM\...\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-01-21] (IDT, Inc.)
HKLM\...\Run: [Broadcom Wireless Manager UI] C:\Program Files\Dell\DW WLAN Card\WLTRAY.exe [5470208 2009-12-17] (Dell Inc.)
HKLM\...\Run: [IntelliPoint] "c:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2399632 2011-04-13] (Microsoft Corporation)
HKLM\...\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe [167704 2012-01-23] (Intel Corporation)
HKLM\...\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe [392984 2012-01-23] (Intel Corporation)
HKLM\...\Run: [Persistence] C:\Windows\system32\igfxpers.exe [417560 2012-01-23] (Intel Corporation)
HKLM-x32\...\Run: [mcui_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey [1675160 2012-03-21] (McAfee, Inc.)
HKLM-x32\...\Run: [HP Software Update] C:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [54576 2009-11-18] (Hewlett-Packard)
HKLM-x32\...\Run: [PlusService] "C:\Program Files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [800768 2011-05-26] (Yuna Software)
HKLM-x32\...\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe" [252296 2011-09-30] (Sun Microsystems, Inc.)
HKU\Vera Cunha\...\Run: [cdloader] "C:\Users\Vera Cunha\AppData\Roaming\mjusbsp\cdloader2.exe" MAGICJACK [50592 2012-02-01] (magicJack L.P.)
HKU\Vera Cunha\...\Run: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2260480 2009-03-05] (Safer-Networking Ltd.)
HKU\Vera Cunha\...\Run: [Nokia Internet Modem] "C:\Program Files (x86)\Nokia\Nokia Internet Modem\WellPhone2.exe" /background [1962648 2009-07-29] (SmartCom)
HKLM-x32\...\RunOnce: ["C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"] "C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [560128 2011-09-21] (Dell)
HKLM\...\Winlogon: [Userinit] userinit.exe,
Winlogon\Notify\GoToAssist: C:\Program Files (x86)\Citrix\GoToAssist\514\G2AWinLogon_x64.dll [X]
Winlogon\Notify\igfxcui: igfxdev.dll (Intel Corporation)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)
Startup: C:\Users\Todos os Usuários\Start Menu\Programs\Startup\Bluetooth.lnk
ShortcutTarget: Bluetooth.lnk -> C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe (Broadcom Corporation.)
Startup: C:\Users\Todos os Usuários\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
ShortcutTarget: HP Digital Imaging Monitor.lnk -> C:\Program Files (x86)\HP\Digital Imaging\bin\hpqtra08.exe (Hewlett-Packard Co.)
Startup: C:\Users\Todos os Usuários\Start Menu\Programs\Startup\Microsoft Office.lnk
ShortcutTarget: Microsoft Office.lnk -> C:\Program Files (x86)\Microsoft Office\Office10\OSA.EXE (Microsoft Corporation)

==================== Services (Whitelisted) ======

3 Adobe LM Service; "C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" [72704 2012-06-02] (Adobe Systems)
2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\AESTSr64.exe [89600 2009-03-03] (Andrea Electronics Corporation)
2 GbpSv; C:\PROGRA~2\GbPlugin\GbpSv.exe [203256 2012-02-01] ( )
3 McAWFwk; C:\PROGRA~1\mcafee\msc\mcawfwk.exe [220528 2010-08-30] (McAfee, Inc.)
2 McMPFSvc; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 mcmscsvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNaiAnn; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McNASvc; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
3 McODS; "C:\Program Files\mcafee\VirusScan\mcods.exe" [502032 2012-04-19] (McAfee, Inc.)
4 McOobeSv; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McProxy; "C:\Program Files\Common Files\mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 McShield; "C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe" [199272 2012-03-20] (McAfee, Inc.)
2 mfefire; "C:\Program Files\Common Files\McAfee\SystemCore\\mfefire.exe" [210584 2012-03-20] (McAfee, Inc.)
2 mfevtp; "C:\Windows\system32\mfevtps.exe" [162192 2012-03-20] (McAfee, Inc.)
2 MSK80Service; "C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [249936 2011-01-27] (McAfee, Inc.)
2 RoxWatch12; "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe" [219632 2010-09-04] (Sonic Solutions)
2 SBSDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [1153368 2009-01-26] (Safer Networking Ltd.)
2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\STacSV64.exe [244736 2010-01-21] (IDT, Inc.)
3 stllssvr; "C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe" [74392 2010-08-26] (MicroVision Development, Inc.)
2 UNS; "C:\Program Files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe" [2320920 2010-03-03] (Intel Corporation)

========================== Drivers (Whitelisted) =============

3 cfwids; C:\Windows\System32\Drivers\cfwids.sys [65264 2012-02-22] (McAfee, Inc.)
1 fanio; C:\Windows\System32\Drivers\fanio.sys [22528 2007-02-16] (Christian Diefer)
0 GbpKm; C:\Windows\SysWow64\Drivers\GbpKm.sys [44280 2012-02-01] (GAS Tecnologia)
3 hamachi; C:\Windows\System32\Drivers\hamachi.sys [33344 2012-06-16] (LogMeIn, Inc.)
3 mfeapfk; C:\Windows\System32\Drivers\mfeapfk.sys [160792 2012-02-22] (McAfee, Inc.)
3 mfeavfk; C:\Windows\System32\Drivers\mfeavfk.sys [229528 2012-02-22] (McAfee, Inc.)
3 mfefirek; C:\Windows\System32\Drivers\mfefirek.sys [487296 2012-02-22] (McAfee, Inc.)
0 mfehidk; C:\Windows\System32\Drivers\mfehidk.sys [647208 2012-02-22] (McAfee, Inc.)
1 mfenlfk; C:\Windows\System32\Drivers\mfenlfk.sys [75936 2012-02-22] (McAfee, Inc.)
3 mferkdet; C:\Windows\System32\Drivers\mferkdet.sys [100912 2012-02-22] (McAfee, Inc.)
0 mfewfpk; C:\Windows\System32\Drivers\mfewfpk.sys [289664 2012-02-22] (McAfee, Inc.)
3 npkcusb; \??\C:\Program Files (x86)\Gravity\RagnarokOnline\npkcusb.sys [37009 2005-09-07] (INCA Internet Co., Ltd.)
3 pfc; C:\Windows\SysWow64\Drivers\pfc.sys [10368 2004-04-01] (Padus, Inc.)
2 TurboB; C:\Windows\System32\Drivers\TurboB.sys [13784 2009-11-02] ()
3 dump_wmimmc; \??\C:\Program Files (x86)\Gravity\RagnarokOnline\GameGuard\dump_wmimmc.sys [x]
3 GGSAFERDriver; \??\C:\Program Files (x86)\Garena\safedrv.sys [x]
3 NPPTNT2; \??\C:\Windows\system32\npptNT2.sys [x]

========================== NetSvcs (Whitelisted) ===========


============ One Month Created Files and Folders ==============

2012-07-26 02:18 - 2012-07-26 02:18 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C5687848-CD7B-4FF2-AFDE-9F2E520EBC61}
2012-07-26 02:12 - 2012-07-26 02:12 - 00000000 ____D C:\Users\Vera Cunha\Desktop\Arrumando o computador
2012-07-25 21:23 - 2012-07-25 21:23 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{879457EA-CF52-4714-BE31-C8FA912BC72B}
2012-07-25 09:22 - 2012-07-25 09:22 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{DB64C0E3-880A-42C2-8706-331850D887AD}
2012-07-25 09:22 - 2012-07-25 09:22 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{59FE2049-8BB4-45C5-8760-26DD1759213A}
2012-07-24 21:21 - 2012-07-24 21:21 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{E0DC5966-3255-43A5-939A-499C9F449F4B}
2012-07-24 21:21 - 2012-07-24 21:21 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{BD79A444-90DD-4B8F-B8C3-3BB2531BF8FD}
2012-07-24 21:21 - 2012-07-24 21:21 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{3A7684C7-2A24-45D5-9DBA-EFC09F38C66D}
2012-07-24 21:20 - 2012-07-24 21:21 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{23D98416-AA24-4308-AE76-75297E467F74}
2012-07-24 18:59 - 2012-07-24 18:59 - 00000000 __SHD C:\Windows\System32\%APPDATA%
2012-07-24 14:56 - 2012-07-24 14:56 - 00000000 ____A C:\Users\Vera Cunha\defogger_reenable
2012-07-24 13:45 - 2009-07-13 22:39 - 00328704 ____A (Microsoft Corporation) C:\Windows\System32\zz-services.tmp
2012-07-24 13:33 - 2012-07-24 13:33 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-24 13:28 - 2012-07-24 13:28 - 00352256 ____A C:\Users\Vera Cunha\AppData\Local\tbipsc.exe
2012-07-24 09:20 - 2012-07-24 09:20 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{BF255E6B-C06D-437D-906C-847D43BEDB06}
2012-07-24 09:20 - 2012-07-24 09:20 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{981ED634-52C6-4D60-9C07-BC131F9C0846}
2012-07-24 09:20 - 2012-07-24 09:20 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8246A1BB-A0A7-4EAE-ADCE-45BC5623DBDC}
2012-07-24 09:19 - 2012-07-24 09:20 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{6339532D-D754-459B-8047-606BA332CD55}
2012-07-23 21:19 - 2012-07-23 21:19 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{1FF4402B-B0FE-45BA-8627-19EEA004EEAB}
2012-07-23 21:19 - 2012-07-23 21:19 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{1DC4E981-6EF7-415B-A227-45C97C6A66E6}
2012-07-23 21:18 - 2012-07-23 21:19 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{211F177E-8B95-4472-8035-C4E5169F1E88}
2012-07-23 21:18 - 2012-07-23 21:18 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C36C932C-AB06-4CDE-BB7E-ADF0F53F1E96}
2012-07-23 09:17 - 2012-07-23 09:17 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{DD3BD2D0-D983-47AC-8D56-080A9A339A6C}
2012-07-23 09:17 - 2012-07-23 09:17 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{4C88DFDC-3E8E-497E-8FC4-754CF341789B}
2012-07-23 09:16 - 2012-07-23 09:17 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{CDEC319E-FB2E-43B6-B258-8AB1184EBE31}
2012-07-23 09:16 - 2012-07-23 09:16 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{26802D75-F560-4387-9B0C-6646CA62AFA8}
2012-07-23 09:15 - 2012-07-23 09:16 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{9065DDCB-DCDD-439B-9A50-9957420AC3DF}
2012-07-23 09:15 - 2012-07-23 09:15 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C9DC6E1C-EF8E-418B-AD9A-F1081CAA02FF}
2012-07-21 21:34 - 2012-07-21 21:35 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{43A33E05-18FD-43AE-8E1D-5308AC7DA551}
2012-07-21 21:34 - 2012-07-21 21:34 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{FF668F41-971A-4993-9078-1A34AB87C720}
2012-07-21 21:34 - 2012-07-21 21:34 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{65732F14-8E18-438D-9113-FBA4A9FC7C71}
2012-07-21 21:34 - 2012-07-21 21:34 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{63E896F7-016D-4DE8-976D-208EC4108466}
2012-07-21 09:33 - 2012-07-21 09:34 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{59E9CFD3-7FBB-4B09-9752-21130257AEAB}
2012-07-21 09:33 - 2012-07-21 09:33 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{29A794EA-19C5-4A22-BBC7-E07AE6E374ED}
2012-07-21 09:33 - 2012-07-21 09:33 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{11DEE701-57CF-4513-8357-F4A0723535A5}
2012-07-21 09:32 - 2012-07-21 09:33 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{DDE57FDA-4D13-4842-8D26-C55BA8B03B9F}
2012-07-20 21:31 - 2012-07-20 21:31 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{ED10C42E-5044-4EAF-B3AB-FC69AC666CFE}
2012-07-20 21:31 - 2012-07-20 21:31 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{4DB79238-6437-44CF-96BB-3C604ED1588D}
2012-07-20 21:30 - 2012-07-20 21:31 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{D90A77B0-A3F3-427E-B5A8-7272B195CE35}
2012-07-20 21:27 - 2012-07-20 21:30 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8B017D5C-E4E0-4F16-8468-F1A472D57758}
2012-07-20 09:25 - 2012-07-20 09:26 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{DA3BA936-3379-49F0-AC38-CD45562C11F5}
2012-07-20 09:25 - 2012-07-20 09:25 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{1F85224A-F4F9-4963-8F48-294777F0ED14}
2012-07-20 09:24 - 2012-07-20 09:25 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{6E2F94B5-9202-48AD-912E-CB03B02D3158}
2012-07-19 09:38 - 2012-07-19 09:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{176C34D4-5DE6-432A-97B8-2481AE922E3F}
2012-07-19 09:38 - 2012-07-19 09:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{496A27FE-1568-4B2A-A36A-EB4193776946}
2012-07-18 21:08 - 2012-07-18 21:08 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{D18346A0-5448-4977-9397-3D0EB59F7490}
2012-07-18 21:08 - 2012-07-18 21:08 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{A3AE32CC-5A1B-4932-9534-72639B0E7A8E}
2012-07-18 21:08 - 2012-07-18 21:08 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{7872B03E-B21B-4E89-ADB5-98DC9B0F95E3}
2012-07-18 21:07 - 2012-07-18 21:08 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{16FB078C-6B30-47F2-BE16-7499E747870D}
2012-07-18 09:06 - 2012-07-18 09:06 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{79A2E6BA-434A-45D6-8D4E-622BB6AEA9E7}
2012-07-18 09:05 - 2012-07-18 09:06 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{1EEEA92D-C28A-4041-AA29-7840941972AC}
2012-07-17 20:54 - 2012-07-17 20:54 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{A5A3B94D-A01F-441E-9D69-9431EB8F9770}
2012-07-17 20:54 - 2012-07-17 20:54 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{650F8853-F4F6-4CF9-A336-767BF85CC2D1}
2012-07-17 20:53 - 2012-07-17 20:54 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{7C86BBC9-5E15-413D-95B9-F34E25CF1D1D}
2012-07-17 20:53 - 2012-07-17 20:53 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C6B633EE-7B8C-48D8-AF99-DAC71D0E3FE7}
2012-07-17 20:53 - 2012-07-17 20:53 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C5B72F42-7CE7-4A5F-B394-03979F555B7C}
2012-07-17 08:52 - 2012-07-17 08:52 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{4B65EDDF-432E-4E84-9190-26119C1320A3}
2012-07-17 08:52 - 2012-07-17 08:52 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{21A8B8B4-D300-4AE1-BC2C-86CD3BBA0143}
2012-07-17 08:51 - 2012-07-17 08:52 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8A0F2EB0-4E97-4403-8F39-8E8C431DFB33}
2012-07-17 08:51 - 2012-07-17 08:51 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{A0E463C2-97A2-4FF9-BF5F-43972A805E31}
2012-07-16 19:55 - 2012-07-16 19:56 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{A7BC9FFE-7920-49D4-867B-885E9850D345}
2012-07-16 19:55 - 2012-07-16 19:55 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{DFB4018B-8B9C-466C-BCD5-1D84A764FCC3}
2012-07-16 19:55 - 2012-07-16 19:55 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{27229BEC-0A88-4965-A762-1E80B878537B}
2012-07-16 19:54 - 2012-07-16 19:55 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C253362E-DBC8-4955-AA5C-C60D3810BCF8}
2012-07-16 07:54 - 2012-07-16 07:54 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C2C40EAA-7C09-4AFA-A266-2F40E06C05A5}
2012-07-16 07:53 - 2012-07-16 07:54 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{816687AF-2C15-4B97-A38E-05B368202469}
2012-07-15 11:44 - 2012-07-15 11:44 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{10BF033B-91A4-4295-B37D-1D40593A7D48}
2012-07-15 11:44 - 2012-07-15 11:44 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{03EA176A-78DD-4C2E-BF47-C21EFCDDC595}
2012-07-14 19:47 - 2012-07-14 19:48 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{A3ABDDB3-F58D-4071-8440-3967532EA70E}
2012-07-14 19:47 - 2012-07-14 19:47 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{108C6DAB-9548-42E8-872A-A02C40EF0002}
2012-07-14 07:46 - 2012-07-14 07:46 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{64D37D1F-FD21-4077-858D-833C663B8FEC}
2012-07-14 07:45 - 2012-07-14 07:46 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{D47F65E8-BB6A-4B4F-98FE-116CE744EF4F}
2012-07-13 09:47 - 2012-07-13 09:47 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{928CBBD6-43FD-4018-9758-341F18D331C6}
2012-07-13 09:47 - 2012-07-13 09:47 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{4E9124D1-5A10-43F1-966F-E48710449005}
2012-07-13 09:47 - 2012-07-13 09:47 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{08F7B07D-312A-4A6B-BA32-5B933AA235A9}
2012-07-13 09:46 - 2012-07-13 09:47 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{579C3464-05E0-4D11-B41B-407FEE0DF599}
2012-07-13 09:46 - 2012-07-13 09:46 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{EE19A99A-2C32-4A71-A5BC-12ABE02DBE06}
2012-07-13 09:46 - 2012-07-13 09:46 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{DEB8C10B-1DE9-4ACE-B3F3-3229E13CE2D4}
2012-07-12 21:46 - 2012-07-12 21:46 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{16886974-E4BE-407B-A2BC-32EE589CC0BA}
2012-07-12 21:45 - 2012-07-12 21:46 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{D0487309-D376-48DC-B5A5-F44243B86369}
2012-07-12 21:45 - 2012-07-12 21:45 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8F5700AD-B086-46D8-B17B-D16684BB98D4}
2012-07-12 21:45 - 2012-07-12 21:45 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{891B0C74-C9C9-4762-8A18-E90ABD5CB789}
2012-07-12 21:45 - 2012-07-12 21:45 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{284F3E1D-812A-40B2-8301-BFD3B94B96E1}
2012-07-12 09:44 - 2012-07-12 09:44 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{898490F0-4EB9-4C82-9EC5-F9346F0E3F99}
2012-07-12 09:43 - 2012-07-12 09:44 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{431189A2-AD9B-41DD-A14D-3A107375F2F8}
2012-07-12 09:43 - 2012-07-12 09:43 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C975EF65-997A-427D-B392-B8C47FC244F0}
2012-07-11 21:38 - 2012-07-11 21:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{FD925332-0998-4C93-8780-58695303E36A}
2012-07-11 21:38 - 2012-07-11 21:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{21325585-5A14-4309-9B0D-D2D0D278B599}
2012-07-11 09:37 - 2012-07-11 09:37 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8E1AF527-BE9B-4984-B426-BFE3851C38A3}
2012-07-11 09:36 - 2012-07-11 09:37 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{9091EA8F-49F3-492A-A9D9-6AE09AD23FFF}
2012-07-11 09:17 - 2012-07-11 09:17 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{D8F0FA49-5324-40C1-97F4-4D7D1B19CC24}
2012-07-11 09:13 - 2012-07-11 09:13 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{B93DE15F-E903-40E6-96A0-3C60794BD7D7}
2012-07-10 09:22 - 2012-07-10 09:22 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{AE8071E5-3B5A-4FB4-A465-E6C7353198F3}
2012-07-10 09:22 - 2012-07-10 09:22 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8A0EF5CD-FFE5-4A70-B3F7-1959E13A805B}
2012-07-10 09:22 - 2012-07-10 09:22 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{58000694-92E2-4180-A981-EAB4804CF7B4}
2012-07-10 09:21 - 2012-07-10 09:22 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8A7997AA-7BC5-4426-9660-17B66AE5E9C2}
2012-07-09 09:33 - 2012-07-09 09:34 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{691C702C-F4E9-4DDC-AEBA-37D9B0C6D76A}
2012-07-09 09:33 - 2012-07-09 09:33 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{B7547850-CB21-4DF1-893B-47B34F8BBA8F}
2012-07-08 09:44 - 2012-07-08 09:44 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{86EE1BF8-EB6F-4794-A310-80496803D99A}
2012-07-08 09:43 - 2012-07-08 09:44 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{E535DF2B-6EE3-43EB-BE90-6DA2FF12B728}
2012-07-07 21:43 - 2012-07-07 21:43 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{2A044888-09D8-4263-84FE-81398E07A3C1}
2012-07-07 21:42 - 2012-07-07 21:43 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{6B7CF296-19C1-4423-9100-DED39C36A942}
2012-07-07 09:42 - 2012-07-07 09:42 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{856E2AB0-7DB4-4B69-8E08-DE0A598F1CEC}
2012-07-07 09:41 - 2012-07-07 09:42 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{6C7B28FC-19BF-472A-A028-2299A9531255}
2012-07-07 09:41 - 2012-07-07 09:41 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{70DBCA52-AD96-4E14-B0B4-5AA9EBB85BCB}
2012-07-07 09:41 - 2012-07-07 09:41 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{50CE74D7-D9D2-4A3C-89AD-28A99023800E}
2012-07-06 21:40 - 2012-07-06 21:40 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{FBD6B1E4-97D6-448A-A1EF-A51F31162462}
2012-07-06 21:40 - 2012-07-06 21:40 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{E4728550-A2D5-4A4F-8D62-7C5CEFE99E6F}
2012-07-06 21:40 - 2012-07-06 21:40 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{DAF9239F-937B-4404-959F-026128D5636B}
2012-07-06 21:39 - 2012-07-06 21:40 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{1DE66ED9-8676-4B0D-A067-5CB52331089B}
2012-07-06 09:39 - 2012-07-06 09:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{F9438A94-38FD-49A0-97EE-4EBC46D9647C}
2012-07-06 09:39 - 2012-07-06 09:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{F6A79A69-6769-4B94-A604-5DCA5A1942A1}
2012-07-06 09:39 - 2012-07-06 09:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{F4A3F422-11E5-44B8-BD5D-D4CD90AE340E}
2012-07-06 09:39 - 2012-07-06 09:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8BF93D1F-F6B7-4FC0-9C03-3C20965F1063}
2012-07-06 09:38 - 2012-07-06 09:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{25928ED9-984D-4017-88FE-E6C0BFC98220}
2012-07-05 21:38 - 2012-07-05 21:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{F585C2B8-F5CB-4B4E-BE76-B85E052F825D}
2012-07-05 21:37 - 2012-07-05 21:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{1C1215C1-B9C4-4A18-A5F3-42F5DBFF74AA}
2012-07-05 09:37 - 2012-07-05 09:37 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{2DB899E3-A4C8-4D37-80B3-02AA55EF3692}
2012-07-05 09:36 - 2012-07-05 09:37 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8A0E37A4-AA46-40AC-A7BA-A36A1AF07B7A}
2012-07-05 09:36 - 2012-07-05 09:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C9661677-7F53-412D-9658-8CC1B5FB5151}
2012-07-05 09:36 - 2012-07-05 09:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{BDE15075-2325-4C95-8519-436789E60A7F}
2012-07-05 09:36 - 2012-07-05 09:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{7AA7DBA3-F393-40F5-B78E-19F430119AFE}
2012-07-05 09:35 - 2012-07-05 09:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{D93B59F7-B060-4128-9E94-3BCF54B641CC}
2012-07-04 09:40 - 2012-07-04 09:41 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C062D17B-0B52-4A21-908D-14E53D9F4C6A}
2012-07-04 09:40 - 2012-07-04 09:40 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{AFFF109C-E6A3-4AB2-B040-CB5F04CC9098}
2012-07-04 09:40 - 2012-07-04 09:40 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{770DC9B1-5C32-4E9A-BE32-EF66D9BFBA5A}
2012-07-04 09:40 - 2012-07-04 09:40 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{32145213-FF8C-49A8-B9F8-2F4396B81CB1}
2012-07-04 09:39 - 2012-07-04 09:40 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{89CF39E0-BEAF-4081-A8E3-9B3F8E92C843}
2012-07-03 21:39 - 2012-07-03 21:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{ABDF4A0B-CC2D-48CD-BCDA-9DD8E358406E}
2012-07-03 21:39 - 2012-07-03 21:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{43AD5AF3-CC72-42EC-B5D6-45A67850B45E}
2012-07-03 21:39 - 2012-07-03 21:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{3E5631A4-0EC7-4285-A4FD-3346C9194783}
2012-07-03 21:38 - 2012-07-03 21:39 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{BD51D433-4E0C-479E-8419-A784CCF4C408}
2012-07-03 21:38 - 2012-07-03 21:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{2BD26DAA-468C-4510-BEC5-0A5E6C5C496C}
2012-07-03 09:38 - 2012-07-03 09:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{E16293D3-6E3C-4E6B-A57F-2591B5B97090}
2012-07-03 09:38 - 2012-07-03 09:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{39CAEBEF-3713-467A-A26B-DAC8DA2035C4}
2012-07-03 09:37 - 2012-07-03 09:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{A9FBF747-9FA2-4CE9-BF4C-4A2FFD6F9E4B}
2012-07-03 09:37 - 2012-07-03 09:37 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8B590AB4-3CEF-441E-A7F3-9554E14108A6}
2012-07-03 09:37 - 2012-07-03 09:37 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{2915888D-9D31-44B1-92AA-5B2DC6E7DAB4}
2012-07-02 21:36 - 2012-07-02 21:37 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{CE82DA88-BF03-4A41-BEDB-D17B0AC37914}
2012-07-02 21:36 - 2012-07-02 21:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{A825D78D-F272-46FB-9CC3-DD270296A678}
2012-07-02 21:36 - 2012-07-02 21:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{7A50AF59-6F02-4670-BEF8-95A4357B0FD8}
2012-07-02 21:36 - 2012-07-02 21:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{2AF4FDAC-58D7-4988-8197-287147B49374}
2012-07-02 09:36 - 2012-07-02 09:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{BE0290B8-CEF1-4DDD-96EA-CC516CB4A6FC}
2012-07-02 09:35 - 2012-07-02 09:36 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{F3376D47-06BD-45C6-9A80-52763B57F9BF}
2012-07-02 09:35 - 2012-07-02 09:35 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{E56860A0-F8FF-4BD7-A9E2-E5B178844155}
2012-07-02 09:35 - 2012-07-02 09:35 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{6216B1D8-25BD-4F53-9B6D-960A83B78F73}
2012-07-01 21:35 - 2012-07-01 21:35 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{7BFB0DD0-BF60-46C9-9D75-A05E08C030DF}
2012-07-01 21:34 - 2012-07-01 21:35 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8004790E-DC62-4EA7-9807-D3F293611AC8}
2012-07-01 21:34 - 2012-07-01 21:34 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{DEB85307-8ADB-4EC6-8152-08FBC1AFCC7C}
2012-07-01 21:34 - 2012-07-01 21:34 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{B1A63AB5-796E-451D-825B-036974374D00}
2012-07-01 09:33 - 2012-07-01 09:33 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{8CE67C39-079F-4D15-AE68-4B906AF6A53A}
2012-07-01 09:33 - 2012-07-01 09:33 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{7886E2F6-5346-4C3D-8C63-85A1261538AB}
2012-06-29 21:14 - 2012-06-29 21:14 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{AD2AD4A2-03BC-4C4F-A9FF-98CC19F223EE}
2012-06-29 21:11 - 2012-06-29 21:11 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{74B1322C-2427-4CB2-BB2A-7538DD8F26EC}
2012-06-29 08:38 - 2012-06-29 08:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{7DDFA95F-6E35-4A69-80C2-258FAEFA767F}
2012-06-29 08:38 - 2012-06-29 08:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{6311634A-DB2D-4BCF-9679-6EC14C5E5533}
2012-06-29 08:38 - 2012-06-29 08:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{616BC1E6-3A2D-441F-91A1-76EB6568AF15}
2012-06-29 08:37 - 2012-06-29 08:38 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{30868A99-ACDA-4861-B2E0-9A349957DCD1}
2012-06-29 08:33 - 2012-06-29 08:33 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{AD7781F3-8127-4CE5-897C-4CF2A05B8F0B}
2012-06-28 09:45 - 2012-06-28 09:45 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{940A6640-4DA6-47B6-8B70-F5BE7FDD34F5}
2012-06-28 09:45 - 2012-06-28 09:45 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{10313172-BEF0-4729-9D8C-D1D24F23B6A5}
2012-06-27 09:35 - 2012-06-27 09:35 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{F891F258-41E4-49F6-8D93-98D5693122F8}
2012-06-27 09:35 - 2012-06-27 09:35 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{C318CC76-4837-4F5D-96ED-6639BA3CABD2}
2012-06-26 11:20 - 2012-06-26 11:21 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{95BA926A-7E3B-40D1-83EC-378475A452B6}
2012-06-26 11:20 - 2012-06-26 11:20 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{E34F6293-699A-4879-9C07-2A0706DC6A42}
2012-06-26 11:20 - 2012-06-26 11:20 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{6149D465-4CCC-4E01-985A-903B53DF7942}
2012-06-26 11:20 - 2012-06-26 11:20 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{4CD12C78-BD15-43EE-939E-0C619DDFA732}
2012-06-26 11:20 - 2012-06-26 11:20 - 00000000 ____D C:\Users\Vera Cunha\AppData\Local\{3C16563E-C746-40C1-89E1-0EE7951ECEEC}
2012-06-26 03:00 - 2012-06-26 03:00 - 00001304 ____A C:\Users\Vera Cunha\Desktop\Dup Detector.lnk
2012-06-26 03:00 - 2012-06-26 03:00 - 00000000 ____D C:\Windows\Profiles\Vera Cunha
2012-06-26 03:00 - 2012-06-26 03:00 - 00000000 ____D C:\Program Files (x86)\Prismatic Software
2012-06-26 03:00 - 2012-06-26 02:59 - 00040960 ____A C:\Windows\DelPiv.exe


============ 3 Months Modified Files ========================

2012-07-26 02:37 - 2009-07-14 02:08 - 00000006 ___AH C:\Windows\Tasks\SA.DAT
2012-07-26 02:37 - 2009-07-14 01:51 - 00096214 ____A C:\Windows\setupact.log
2012-07-26 02:19 - 2011-03-28 17:42 - 00001076 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2012-07-25 19:06 - 2009-07-14 14:55 - 00668514 ____A C:\Windows\System32\prfh0416.dat
2012-07-25 19:06 - 2009-07-14 14:55 - 00130492 ____A C:\Windows\System32\prfc0416.dat
2012-07-25 19:06 - 2009-07-14 02:13 - 01531212 ____A C:\Windows\System32\PerfStringBackup.INI
2012-07-25 11:19 - 2011-03-28 17:42 - 00001072 ____A C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2012-07-25 08:17 - 2009-07-14 01:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2012-07-25 08:17 - 2009-07-14 01:45 - 00014016 ___AH C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2012-07-25 00:45 - 2009-07-14 02:10 - 01382350 ____A C:\Windows\WindowsUpdate.log
2012-07-24 14:56 - 2012-07-24 14:56 - 00000000 ____A C:\Users\Vera Cunha\defogger_reenable
2012-07-24 13:33 - 2012-07-24 13:33 - 00426184 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2012-07-24 13:33 - 2011-06-12 15:31 - 00070344 ____A (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2012-07-24 13:28 - 2012-07-24 13:28 - 00352256 ____A C:\Users\Vera Cunha\AppData\Local\tbipsc.exe
2012-07-19 09:42 - 2011-03-10 18:10 - 00001014 ____A C:\Users\Vera Cunha\Desktop\magicJack.lnk
2012-07-12 15:15 - 2011-05-23 09:18 - 00002342 ____A C:\Users\Todos os Usuários\Desktop\Google Chrome.lnk
2012-07-12 15:15 - 2011-05-23 09:18 - 00002342 ____A C:\Users\Public\Desktop\Google Chrome.lnk
2012-07-12 15:15 - 2011-05-23 09:18 - 00002342 ____A C:\Users\All Users\Desktop\Google Chrome.lnk
2012-07-04 07:34 - 2009-07-14 02:08 - 00032608 ____A C:\Windows\Tasks\SCHEDLGU.TXT
2012-06-27 22:00 - 2011-03-01 15:12 - 00034132 ____A C:\Windows\PFRO.log
2012-06-26 03:00 - 2012-06-26 03:00 - 00001304 ____A C:\Users\Vera Cunha\Desktop\Dup Detector.lnk
2012-06-26 02:59 - 2012-06-26 03:00 - 00040960 ____A C:\Windows\DelPiv.exe
2012-06-25 02:27 - 2012-06-25 02:27 - 00000044 ____A C:\Users\Vera Cunha\Desktop\Untitled.cha
2012-06-22 21:27 - 2012-03-20 20:13 - 00001065 ____A C:\Users\Todos os Usuários\Desktop\Garena Plus.lnk
2012-06-22 21:27 - 2012-03-20 20:13 - 00001065 ____A C:\Users\Public\Desktop\Garena Plus.lnk
2012-06-22 21:27 - 2012-03-20 20:13 - 00001065 ____A C:\Users\All Users\Desktop\Garena Plus.lnk
2012-06-22 21:26 - 2011-05-29 02:40 - 00045270 ____A C:\Users\Vera Cunha\AppData\Roaming\room_v3.dat
2012-06-21 18:17 - 2011-04-04 13:56 - 00082368 ____A C:\Users\Vera Cunha\AppData\Roaming\GDIPFONTCACHEV1.DAT
2012-06-21 10:01 - 2011-03-01 15:40 - 00345037 ____A C:\Windows\DirectX.log
2012-06-19 21:50 - 2011-03-04 17:03 - 00082368 ____A C:\Users\Vera Cunha\AppData\Local\GDIPFONTCACHEV1.DAT
2012-06-17 10:43 - 2009-07-14 01:45 - 00342608 ____A C:\Windows\System32\FNTCACHE.DAT
2012-06-16 18:36 - 2012-06-16 18:35 - 00001406 ____A C:\Users\Vera Cunha\Desktop\Aomx_Loader - Atalho.lnk
2012-06-16 18:11 - 2012-06-16 18:11 - 00033344 ____A (LogMeIn, Inc.) C:\Windows\System32\Drivers\hamachi.sys
2012-06-16 18:11 - 2012-06-16 18:11 - 00000947 ____A C:\Users\Todos os Usuários\Desktop\hamachi.lnk
2012-06-16 18:11 - 2012-06-16 18:11 - 00000947 ____A C:\Users\Public\Desktop\hamachi.lnk
2012-06-16 18:11 - 2012-06-16 18:11 - 00000947 ____A C:\Users\All Users\Desktop\hamachi.lnk
2012-06-13 11:19 - 2012-06-13 11:19 - 00137996 ____A C:\Users\Vera Cunha\Downloads\ImportExportTools-2.7.1.1.xpi
2012-06-13 11:06 - 2012-06-13 11:06 - 00002088 ____A C:\Users\Todos os Usuários\Desktop\Mozilla Thunderbird.lnk
2012-06-13 11:06 - 2012-06-13 11:06 - 00002088 ____A C:\Users\Public\Desktop\Mozilla Thunderbird.lnk
2012-06-13 11:06 - 2012-06-13 11:06 - 00002088 ____A C:\Users\All Users\Desktop\Mozilla Thunderbird.lnk
2012-06-13 11:05 - 2012-06-13 11:03 - 18356280 ____A (Mozilla) C:\Users\Vera Cunha\Downloads\Thunderbird Setup 13.0.exe
2012-06-13 11:00 - 2012-06-13 11:00 - 00179116 ____A C:\Users\Vera Cunha\Downloads\wmutil151.zip
2012-06-13 10:59 - 2012-06-13 10:59 - 02327255 ____A C:\Users\Vera Cunha\Downloads\Windows6.0-KB941090-v2-x64.msu
2012-06-13 10:58 - 2012-06-13 10:58 - 01528184 ____A (Microsoft Corporation) C:\Users\Vera Cunha\Downloads\GenuineCheck.exe
2012-06-03 22:51 - 2011-12-30 13:23 - 00001040 ____A C:\Users\Vera Cunha\Desktop\Dropbox.lnk
2012-05-29 09:39 - 2012-05-29 09:26 - 55018696 ____A (SmartCom) C:\Users\Vera Cunha\Downloads\Nokia_CS-10_Setup_R2[1][1].15.0.exe
2012-05-29 09:10 - 2012-05-29 09:10 - 00001144 ____A C:\Users\Todos os Usuários\Desktop\Nokia Internet Modem.lnk
2012-05-29 09:10 - 2012-05-29 09:10 - 00001144 ____A C:\Users\Public\Desktop\Nokia Internet Modem.lnk
2012-05-29 09:10 - 2012-05-29 09:10 - 00001144 ____A C:\Users\All Users\Desktop\Nokia Internet Modem.lnk
2012-05-28 08:56 - 2012-05-28 08:56 - 00000320 ____A C:\Users\Vera Cunha\AppData\Local\FSCache.dat
2012-05-08 00:46 - 2012-05-08 00:44 - 00001009 ____A C:\Users\Vera Cunha\Desktop\BSplayer.lnk
2012-05-08 00:44 - 2012-05-08 00:44 - 00001009 ____A C:\Users\vera pessoasl\Desktop\BSplayer.lnk
2012-05-03 01:38 - 2011-05-08 02:46 - 00000844 ____A C:\Users\Vera Cunha\Documents\Vitcunha's Music - Atalho.lnk
2012-04-29 04:08 - 2012-04-29 04:07 - 00001371 ____A C:\Users\Todos os Usuários\Desktop\World of Warcraft Beta.lnk
2012-04-29 04:08 - 2012-04-29 04:07 - 00001371 ____A C:\Users\Public\Desktop\World of Warcraft Beta.lnk
2012-04-29 04:08 - 2012-04-29 04:07 - 00001371 ____A C:\Users\All Users\Desktop\World of Warcraft Beta.lnk

ZeroAccess:
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\@
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\L
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\n
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\U
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\U\00000001.@
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}\U\800000cb.@

ZeroAccess:
C:\Users\Vera Cunha\AppData\Local\{86f64cf2-6bb0-4186-ae52-26fadd963751}
C:\Users\Vera Cunha\AppData\Local\{86f64cf2-6bb0-4186-ae52-26fadd963751}\@
C:\Users\Vera Cunha\AppData\Local\{86f64cf2-6bb0-4186-ae52-26fadd963751}\L
C:\Users\Vera Cunha\AppData\Local\{86f64cf2-6bb0-4186-ae52-26fadd963751}\n
C:\Users\Vera Cunha\AppData\Local\{86f64cf2-6bb0-4186-ae52-26fadd963751}\U

========================= Known DLLs (Whitelisted) ============


========================= Bamital & volsnap Check ============

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe 014A9CB92514E27C0107614DF764BC06 ZeroAccess <==== ATTENTION!.
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

========================= Memory info ======================

Percentage of memory in use: 15%
Total physical RAM: 3894.68 MB
Available physical RAM: 3282.41 MB
Total Pagefile: 3892.83 MB
Available Pagefile: 3280.54 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

======================= Partitions =========================

1 Drive c: (OS) (Fixed) (Total:285.72 GB) (Free:86.99 GB) NTFS
2 Drive d: (RECOVERY) (Fixed) (Total:12.25 GB) (Free:5.59 GB) NTFS ==>[System with boot components (obtained from reading drive)]
3 Drive e: () (Removable) (Total:1.87 GB) (Free:1.87 GB) FAT
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

  Nº Disco  Status         Tam.     Livre    Din.  GPT
  --------  -------------  -------  -------  ---  ---
  Disco 0   Online          298 GB  2048 KB
  Disco 1   Online         1920 MB     0 B

Saindo do Diskpart...


testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!


==========================================================

Last Boot: 2012-07-18 13:36

======================= End Of Log ==========================



Vítor

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,360 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:15 PM

Posted 26 July 2012 - 09:01 AM

Please do the following:


Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy. Right-click in the open notepad and select Paste). Save it on the flashdrive as fixlist.txt

start
C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751}
C:\Users\Vera Cunha\AppData\Local\{86f64cf2-6bb0-4186-ae52-26fadd963751}
testsigning: ==> Check for possible unsigned rootkit driver <===== ATTENTION!
replace: C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe C:\Windows\System32\services.exe
end

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system

Now please enter System Recovery Options then select Command Prompt

Run FRST (or FRST64 if you have the 64bit version) and press the Fix button just once and wait.
The tool will make a log on the flashdrive (Fixlog.txt); please post it in your reply.

Reboot Normally.


NEXT

Note: This file is hidden, so hidden files and folders need to be shown:

submit a file to virustotal for analysis
  • Use the browse button on that page to navigate to the location of the file to be scanned.
  • In the right hand panel, click on the file C:\Users\Vera Cunha\AppData\Local\tbipsc.exe, then click the open button.
  • The file will now be displayed in the submit box.
  • Scroll down a bit and click "send file", wait for the results
  • If you get a message saying File has already been analyzed: click Reanalyze file now
  • Once scanned, copy and paste the link to the results page in your next reply.


NEXT


Refer to the ComboFix User's Guide

  • Download ComboFix from the following location:

    Link

    * IMPORTANT !!! Place ComboFix.exe on your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  • Double click on ComboFix.exe & follow the prompts.
  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


    ---------------------------------------------------------------------------------------------
  • Ensure your AntiVirus and AntiSpyware applications are re-enabled.

    ---------------------------------------------------------------------------------------------

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
The help you receive here is free. If you wish to show your appreciation, then you may donate.
Microsoft MVP - 2010, 2011, 2012, 2013
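An added audit script (my own, not the thread's, FRST's or ComboFix's code) that re-checks, read-only, the three things the fixlist above acts on: services.exe against the copies in the WinSxS store, the {GUID} folder layout with @, L, n and U entries, and the testsigning boot option. It assumes the 64-bit Windows 7 layout shown in the log and an elevated PowerShell; the parameter and function names are mine.

```powershell
# Added read-only audit for the indicators in this thread; not FRST, ComboFix or
# CatByte's fixlist. It changes nothing on disk. Parameter and function names
# are constructed for this example.
# On a live infected system the rootkit can hide its folder and the patched
# binary from user-mode tools, which is why the thread runs FRST from the
# recovery environment; run this the same way, against the offline drive,
# before trusting a clean result.
param(
    # Windows folder to inspect; pass the offline drive's Windows folder when
    # running from the recovery environment
    [string]$WindowsRoot = $env:windir,
    # Profile root whose AppData\Local folders should be checked
    [string]$UsersRoot = (Join-Path $env:SystemDrive 'Users')
)

Set-StrictMode -Version 2

function Get-Md5Hex {
    param([string]$Path)
    # .NET MD5 so the check also runs on the PowerShell 2.0 shipped with Windows 7
    $md5 = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $md5.ComputeHash($stream) } finally { $stream.Close() }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
}

function Test-ServicesExeAgainstWinSxS {
    # FRST's "Bamital & volsnap Check" flagged services.exe by MD5 and the fixlist
    # restored it from the WinSxS component store. Compare the live binary with
    # every services.exe the store holds (amd64 component names, as in the log).
    $liveHash = Get-Md5Hex (Join-Path $WindowsRoot 'System32\services.exe')
    $storeCopies = @(Get-ChildItem -LiteralPath (Join-Path $WindowsRoot 'winsxs') -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer -and $_.Name -like 'amd64_microsoft-windows-s..s-servicecontroller_*' } |
        ForEach-Object { Join-Path $_.FullName 'services.exe' } |
        Where-Object { Test-Path -LiteralPath $_ })
    $matching = @($storeCopies | Where-Object { (Get-Md5Hex $_) -eq $liveHash })
    New-Object PSObject -Property @{
        LiveHash     = $liveHash
        StoreCopies  = $storeCopies.Count
        MatchesStore = ($matching.Count -gt 0)   # $false is the state FRST reported
    }
}

function Find-ZeroAccessFolders {
    # The log listed the same {GUID} folder under Windows\Installer and under the
    # user's AppData\Local, each holding entries named '@', 'L', 'n' and 'U'.
    $roots = @(Join-Path $WindowsRoot 'Installer')
    $roots += @(Get-ChildItem -LiteralPath $UsersRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer } |
        ForEach-Object { Join-Path $_.FullName 'AppData\Local' } |
        Where-Object { Test-Path -LiteralPath $_ })
    $hits = @()
    foreach ($root in $roots) {
        # -Force lists hidden and system folders, which is how the rootkit marks its own
        $guidDirs = @(Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match '^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$' })
        foreach ($dir in $guidDirs) {
            $present = @(@('@', 'L', 'n', 'U') | Where-Object { Test-Path -LiteralPath (Join-Path $dir.FullName $_) })
            # Windows Installer's own {GUID} folders hold cached icons and MSI
            # data, not this set of names; two or more together is the pattern
            if ($present.Count -ge 2) {
                $hits += New-Object PSObject -Property @{ Path = $dir.FullName; Markers = ($present -join ',') }
            }
        }
    }
    return $hits
}

function Get-TestSigningState {
    # FRST printed "testsigning: ==> Check for possible unsigned rootkit driver".
    # Read the active boot entry of the booted system (bcdedit needs elevation;
    # from the recovery environment add /store with the offline BCD path).
    $lines = @(& bcdedit /enum '{current}' 2>&1)
    foreach ($line in $lines) {
        if ("$line" -match '^\s*testsigning\s+(\S+)') { return $Matches[1] }
    }
    return 'not set'   # the default; 'Yes' is what lets unsigned drivers load
}

$svc = Test-ServicesExeAgainstWinSxS
Write-Output ('services.exe MD5 {0}; WinSxS copies: {1}; matches a store copy: {2}' -f $svc.LiveHash, $svc.StoreCopies, $svc.MatchesStore)
$folders = @(Find-ZeroAccessFolders)
if ($folders.Count -eq 0) {
    Write-Output 'No ZeroAccess-style {GUID} folders found'
} else {
    foreach ($f in $folders) { Write-Output ('ZeroAccess-style folder: {0} (entries: {1})' -f $f.Path, $f.Markers) }
}
Write-Output ('testsigning: {0}' -f (Get-TestSigningState))
```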

#5 Vítor Cunha

Vítor Cunha
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:15 PM

Posted 26 July 2012 - 12:21 PM

Dear CatByte,

I did the first step and here's the log. Please read my notes below the log.



Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 25-07-2012 01
Ran by SISTEMA at 2012-07-26 13:33:53 Run:1
Running from E:\

==============================================

C:\Windows\Installer\{86f64cf2-6bb0-4186-ae52-26fadd963751} moved successfully.
C:\Users\Vera Cunha\AppData\Local\{86f64cf2-6bb0-4186-ae52-26fadd963751} moved successfully.

A operação foi concluída com êxito.
C:\Windows\System32\services.exe moved successfully.
C:\Windows\winsxs\amd64_microsoft-windows-s..s-servicecontroller_31bf3856ad364e35_6.1.7600.16385_none_2b54b20ee6fa07b1\services.exe copied successfully to C:\Windows\System32\services.exe

==== End of Fixlog ====


I couldn't follow step #02; there was no such tbipsc.exe file, at least not anymore.
EDIT: I had the "see hidden folders" and "show system hidden files" options enabled.
I didn't proceed to step #03.


Extra info: I noticed the PC had been restarted (I had told my mother not to do it) the night after my first post.
The next day, when Windows loaded, I noticed McAfee's protection was disabled, and I couldn't activate it. I clicked to activate; it went green/protected for a couple of seconds and turned back. Not sure if needed or useful, but I stayed disconnected. I did the steps in your first post. I cannot recall if, after the first post, I had the protection up all the time again.
Today, after applying the "fix" with FRST (from your second post), I noticed McAfee was simply enabled; it popped up one of those files (if I'm not mistaken, 80000000.@) and then not anymore. Protection is still enabled now.

What do you suggest? Thanks in advance.

Edited by Vítor Cunha, 26 July 2012 - 12:23 PM.


#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,360 posts
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:15 PM

Posted 26 July 2012 - 12:52 PM

this infection does interfere with AV services

please run ComboFix and then we will see about McAfee after that

#7 Vítor Cunha

Vítor Cunha
  • Topic Starter

  • Members
  • 13 posts
  • Local time:06:15 PM

Posted 26 July 2012 - 10:23 PM

Dear CatByte

Here is my ComboFix log:


ComboFix 12-07-27.02 - Vera Cunha 26/07/2012 18:59:01.1.4 - x64
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.55.1046.18.3895.2168 [GMT -3:00]
Executando de: c:\users\Vera Cunha\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Enabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
ADS - drivers: deleted 212 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Vera Cunha\AppData\Roaming\Microsoft\Windows\Recent\Transhotel_TOR_System.url
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-06-26 to 2012-07-26 ))))))))))))))))))))))))))))
.
.
2012-07-26 22:32 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-07-26 22:32 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-07-26 22:32 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-07-26 22:32 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-07-26 22:31 . 2012-06-02 18:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-07-26 22:31 . 2012-06-02 18:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-07-26 22:26 . 2012-07-26 22:26 0 ----a-w- c:\windows\SysWow64\shoB32E.tmp
2012-07-26 22:19 . 2012-07-26 22:19 -------- d-----w- c:\users\vera pessoasl\AppData\Local\temp
2012-07-26 22:19 . 2012-07-26 22:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-26 21:29 . 2012-07-26 21:29 -------- d-----w- c:\users\vera pessoasl\AppData\Local\Diagnostics
2012-07-26 18:27 . 2012-07-26 18:27 -------- d-----w- c:\users\vera pessoasl\AppData\Local\Apps
2012-07-26 18:10 . 2012-07-26 18:10 -------- d-----w- c:\users\vera pessoasl\AppData\Roaming\Windows Live Writer
2012-07-26 18:10 . 2012-07-26 18:10 -------- d-----w- c:\users\vera pessoasl\AppData\Local\Windows Live Writer
2012-07-26 05:40 . 2012-07-26 05:41 -------- d-----w- C:\FRST
2012-07-24 21:59 . 2012-07-24 21:59 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-24 16:45 . 2009-07-14 01:39 328704 ----a-w- c:\windows\system32\zz-services.tmp
2012-07-24 16:33 . 2012-07-24 16:33 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-24 16:33 . 2011-06-12 18:31 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-26 05:59 . 2012-06-26 06:00 40960 ----a-w- c:\windows\DelPiv.exe
2012-06-21 13:02 . 2012-06-21 13:02 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-06-16 21:11 . 2012-06-16 21:11 33344 ----a-w- c:\windows\system32\drivers\hamachi.sys
2012-05-31 14:09 . 2012-05-31 14:09 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
.
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\Vera Cunha\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"Nokia Internet Modem"="c:\program files (x86)\Nokia\Nokia Internet Modem\WellPhone2.exe" [2009-07-29 1962648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2011-05-26 800768]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-09-21 560128]
.
c:\users\Vera Cunha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Dropbox.lnk - c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\program files (x86)\GbPlugin\gbiehuni.dll" [2012-02-01 601592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni]
2012-02-01 14:41 601592 ----a-w- c:\program files (x86)\GbPlugin\gbiehuni.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [x]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 22528]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 136176]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-09-04 219632]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-03-30 53800]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-30 35104]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\Gravity\RagnarokOnline\GameGuard\dump_wmimmc.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]
R3 gupdatem;Serviço do Google Update (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 136176]
R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2010-08-30 220528]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-09-04 1116656]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-11-11 232480]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-01-12 325152]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-02-18 51712]
R3 WSDPrintDevice;Suporte de Impressão WSD via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\AESTSr64.exe [2009-03-03 89600]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 GbpSv;Gbp Service;c:\progra~2\GbPlugin\GbpSv.exe [2012-02-01 203256]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-03-20 162192]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-08-12 175168]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Áudio do vídeo Intel®;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-08-23 317440]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- =Outros Serviços/Drivers Na Memória ---
.
*NewlyCreated* - WS2IFSL
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2012-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 20:41]
.
2012-07-26 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 20:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-21 487424]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2009-12-17 5470208]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-23 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-23 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-23 417560]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x0
.
------- Scan Suplementar -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xportar para o Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: celebrationtt.com\www
Trusted Zone: com.br\www.bb
Trusted Zone: com.br\www14.bancobrasil
Trusted Zone: com.br\www2.bancobrasil
Trusted Zone: sahacampos.com.br
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
FF - ProfilePath - c:\users\Vera Cunha\AppData\Roaming\Mozilla\Firefox\Profiles\oxxpm67a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 0
FF - prefs.js: network.proxy.http -
FF - prefs.js: network.proxy.http_port - 0
FF - prefs.js: network.proxy.type - 0
.
- - - - ORFÃOS REMOVIDOS - - - -
.
Toolbar-Locked - (no file)
Notify-GoToAssist - (no file)
Notify-igfxcui - (no file)
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-SynTPEnh - c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe
AddRemove-Adobe Shockwave Player - c:\windows\system32\Adobe\Shockwave 11\uninstaller.exe
AddRemove-Warcraft III Reign of Chaos & The Frozen Throne - f:\files\Jogos\Warcraft III\Warcraft III Reign of Chaos & The Frozen Throne\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Outros Processos em Execução ------------------------
.
c:\program files (x86)\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files (x86)\Bonjour\mDNSResponder.exe
c:\program files (x86)\Intel\Intel® Management Engine Components\LMS\LMS.exe
c:\program files (x86)\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files (x86)\Dell DataSafe Local Backup\TOASTER.EXE
c:\program files (x86)\Dell DataSafe Local Backup\COMPONENTS\SCHEDULER\STSERVICE.EXE
c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqbam08.exe
c:\program files (x86)\HP\Digital Imaging\bin\hpqgpc01.exe
.
**************************************************************************
.
Tempo para conclusão: 2012-07-26 20:59:08 - Máquina reiniciou
ComboFix-quarantined-files.txt 2012-07-26 23:59
.
Pré-execução: 73.876.733.952 bytes disponíveis
Pós execução: 88.680.460.288 bytes disponíveis
.
- - End Of File - - 6FE9C2CF5FFF6B306471745B116402BE
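The ComboFix logs in this thread list newly created files and folders one per line, with creation and modification times, size, an attribute string and the path. The artefacts the thread turns on are the `.@` payload files under `C:\Windows\Installer\{GUID}\U\` named in the opening post and the hidden, system-attributed `c:\windows\system32\%APPDATA%` directory that ComboFix reports later on. As an added example, not part of the thread or of ComboFix, the Python below parses that listing format and flags those two patterns. The sample lines are copied from the logs in this thread, except the final `.@` line, whose size is a constructed value; the regexes and the rule names are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in ComboFix's "files created" listing format.
# All lines are taken from the logs posted in this thread except the last,
# whose size (59392) is made up for the example.
SAMPLE_LOG = """\
2012-07-27 04:43 . 2012-07-03 16:46 24904 ----a-w- c:\\windows\\system32\\drivers\\mbam.sys
2012-07-26 05:40 . 2012-07-26 05:41 -------- d-----w- C:\\FRST
2012-07-24 21:59 . 2012-07-24 21:59 -------- d-sh--w- c:\\windows\\system32\\%APPDATA%
2012-07-24 16:33 . 2012-07-24 16:33 426184 ----a-w- c:\\windows\\SysWow64\\FlashPlayerApp.exe
2012-07-24 16:45 . 2012-07-24 16:45 59392 ----a-w- c:\\windows\\Installer\\{86f64cf2-6bb0-4186-ae52-26fadd963751}\\U\\80000000.@
"""

# One listing entry: <created> . <modified> <size or --------> <attrs> <path>
_ENTRY = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-{8}) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$",
    re.IGNORECASE,
)

# Payload store layout named in this thread: ...\Installer\{GUID}\U\<8 hex>.@
_SIREFEF_STORE = re.compile(
    r"\\installer\\\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}\\u\\[0-9a-f]{8}\.@$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    path: str
    attrs: str
    reason: str


def parse_entries(log_text):
    """Yield one dict per listing line that matches the ComboFix entry format."""
    for line in log_text.splitlines():
        m = _ENTRY.match(line.strip())
        if m:
            yield m.groupdict()


def triage(log_text):
    """Return the entries that match the artefact patterns discussed in the thread."""
    findings = []
    for e in parse_entries(log_text):
        path = e["path"]
        attrs = e["attrs"].lower()
        low = path.lower().replace("/", "\\")
        is_dir = attrs.startswith("d")
        hidden_system = "h" in attrs and "s" in attrs
        leaf = low.rsplit("\\", 1)[-1]
        if is_dir and hidden_system and "\\windows\\system32\\" in low:
            findings.append(Finding(path, attrs, "hidden+system directory created under system32"))
        elif "%" in leaf:
            # A literal environment-variable token (e.g. %APPDATA%) used as a name
            findings.append(Finding(path, attrs, "literal environment-variable token used as a name"))
        elif _SIREFEF_STORE.search(low):
            findings.append(Finding(path, attrs, "8-hex-digit .@ file under Installer\\{GUID}\\U"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.attrs}  {f.path}\n    -> {f.reason}")
```

Run against the sample, the two flagged entries are the `%APPDATA%` directory (hidden and system, inside system32) and the `80000000.@` file; the legitimate `mbam.sys`, `C:\FRST` and `FlashPlayerApp.exe` entries pass. The rules are deliberately narrow so the pass can be run over a whole ComboFix log without drowning the reader in matches; widen them only with indicators you have confirmed.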

#8 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,360 posts
  • Gender:Not Telling
  • Location:Canada

Posted 26 July 2012 - 10:55 PM

Please do the following:

Please download Malwarebytes' Anti-Malware
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013

#9 Vítor Cunha
  • Topic Starter
  • Members
  • 13 posts

Posted 27 July 2012 - 12:43 AM

ESET is taking long, so I'll get some sleep. In the meantime here is the MBAM log:


Malwarebytes Anti-Malware (Trial) 1.62.0.1300
www.malwarebytes.org

Database version: v2012.07.27.01

Windows 7 x64 NTFS
Internet Explorer 8.0.7600.16385
Vera Cunha :: VERACUNHA-PC [administrator]

Protection: Enabled

27/07/2012 01:45:55
mbam-log-2012-07-27 (01-45-55).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 217765
Time elapsed: 11 minute(s), 31 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 1
C:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll (Trojan.FakeMS) -> Quarantined and deleted successfully.

(end)


Will come up with the other log in approx. 7h. Thanks in advance.

#10 Vítor Cunha
  • Topic Starter
  • Members
  • 13 posts

Posted 27 July 2012 - 07:22 AM

ESET's log:

C:\FRST\Quarantine\services.exe Win64/Patched.B.Gen trojan
C:\FRST\Quarantine\{86f64cf2-6bb0-4186-ae52-26fadd963751}\U\80000000.@ Win64/Sirefef.AL trojan
C:\Program Files (x86)\Dell DataSafe Local Backup\hstart.exe a variant of Win32/HiddenStart.A application
C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\hstart.exe a variant of Win32/HiddenStart.A application
C:\Users\Vera Cunha\Desktop\Arquivos\aTube_Catcher_Setup.exe Win32/OpenCandy application
C:\Users\Vera Cunha\Documents\CuteWriter.exe Win32/OpenCandy application
C:\Users\Vera Cunha\Documents\MsgPlusLive-483.exe a variant of Win32/Adware.CiDHelp application
C:\Users\Vera Cunha\Documents\Meus Documentos\CuteWriter.exe Win32/OpenCandy application
C:\Users\Vera Cunha\Documents\Meus Documentos\MsgPlusLive-483.exe a variant of Win32/Adware.CiDHelp application
C:\Users\Vera Cunha\Documents\Meus Documentos\TRAVEL NOW\PEN DRIVE\autorun.inf INF/Autorun.T worm
C:\Users\Vera Cunha\Documents\TRAVEL NOW\PEN DRIVE\autorun.inf INF/Autorun.T worm


Also had the message:

"Malwarebytes Anti-Malware has detected a malicious process attempting to start and has blocked the execution attempt. Please select an option below.
C:\PROGRAM FILES (X86)\AUDIOTRANSCODER\PLUGINS\FFMPEG.EXE
TROJAN AGENT

-Disable Protection
-Ignore
-Quarantine"

I clicked on Quarantine.

#11 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,360 posts
  • Gender:Not Telling
  • Location:Canada

Posted 27 July 2012 - 08:36 AM

Please run the following:

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
Copy/paste the text inside the code box below into Notepad:

Here's how to do that:
Click Start > Run, type Notepad, click OK.
This will open an empty Notepad file:

Copy all the text inside of the code box - press Ctrl+C (or right click on the highlighted section and choose 'copy')

File::
C:\Users\Vera Cunha\Desktop\Arquivos\aTube_Catcher_Setup.exe 
C:\Users\Vera Cunha\Documents\CuteWriter.exe 
C:\Users\Vera Cunha\Documents\MsgPlusLive-483.exe 
C:\Users\Vera Cunha\Documents\Meus Documentos\CuteWriter.exe 
C:\Users\Vera Cunha\Documents\Meus Documentos\MsgPlusLive-483.exe 
C:\Users\Vera Cunha\Documents\Meus Documentos\TRAVEL NOW\PEN DRIVE\autorun.inf 
C:\Users\Vera Cunha\Documents\TRAVEL NOW\PEN DRIVE\autorun.inf 

ClearJavaCache::

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop. Save it as "CFScript".


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

[screenshot: dragging CFScript.txt onto ComboFix.exe]
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT

  • Please download MiniToolBox and save it to your desktop and run it.

    Checkmark the following checkboxes:
  • Flush DNS
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List installed programs.

Click Go and post the result (Result.txt) that pops up. A copy of result.txt will be saved in the same directory the tool is run.

NEXT

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


#12 Vítor Cunha
  • Topic Starter
  • Members
  • 13 posts

Posted 27 July 2012 - 11:11 AM

Dear CatByte,

The logs:


ComboFix 12-07-27.03 - Vera Cunha 27/07/2012 12:24:08.2.4 - x64
Microsoft Windows 7 Home Basic 6.1.7600.0.1252.55.1046.18.3895.2050 [GMT -3:00]
Executando de: c:\users\Vera Cunha\Desktop\ComboFix.exe
Comandos utilizados :: c:\users\Vera Cunha\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {86355677-4064-3EA7-ABB3-1B136EB04637}
FW: McAfee Firewall *Disabled* {BE0ED752-0A0B-3FFF-80EC-B2269063014C}
SP: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {3D54B793-665E-3129-9103-206115370C8A}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
FILE ::
"c:\users\Vera Cunha\Desktop\Arquivos\aTube_Catcher_Setup.exe"
"c:\users\Vera Cunha\Documents\CuteWriter.exe"
"c:\users\Vera Cunha\Documents\Meus Documentos\CuteWriter.exe"
"c:\users\Vera Cunha\Documents\Meus Documentos\MsgPlusLive-483.exe"
"c:\users\Vera Cunha\Documents\Meus Documentos\TRAVEL NOW\PEN DRIVE\autorun.inf"
"c:\users\Vera Cunha\Documents\MsgPlusLive-483.exe"
"c:\users\Vera Cunha\Documents\TRAVEL NOW\PEN DRIVE\autorun.inf"
.
ADS - drivers: deleted 212 bytes in 1 streams.
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Vera Cunha\Desktop\Arquivos\aTube_Catcher_Setup.exe
c:\users\Vera Cunha\Documents\CuteWriter.exe
c:\users\Vera Cunha\Documents\Meus Documentos\CuteWriter.exe
c:\users\Vera Cunha\Documents\Meus Documentos\MsgPlusLive-483.exe
c:\users\Vera Cunha\Documents\Meus Documentos\TRAVEL NOW\PEN DRIVE\autorun.inf
c:\users\Vera Cunha\Documents\MsgPlusLive-483.exe
c:\users\Vera Cunha\Documents\TRAVEL NOW\PEN DRIVE\autorun.inf
.
.
(((((((((((((((( Arquivos/Ficheiros criados de 2012-06-27 to 2012-07-27 ))))))))))))))))))))))))))))
.
.
2012-07-27 15:34 . 2012-07-27 15:34 -------- d-----w- c:\users\vera pessoasl\AppData\Local\temp
2012-07-27 15:34 . 2012-07-27 15:34 -------- d-----w- c:\users\Default\AppData\Local\temp
2012-07-27 05:26 . 2012-07-27 05:26 -------- d-----w- c:\program files (x86)\ESET
2012-07-27 04:44 . 2012-07-27 04:44 -------- d-----w- c:\users\Vera Cunha\AppData\Roaming\Malwarebytes
2012-07-27 04:43 . 2012-07-27 04:43 -------- d-----w- c:\programdata\Malwarebytes
2012-07-27 04:43 . 2012-07-03 16:46 24904 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-07-27 04:43 . 2012-07-27 04:43 -------- d-----w- c:\program files (x86)\Malwarebytes' Anti-Malware
2012-07-26 22:32 . 2012-06-02 22:19 2428952 ----a-w- c:\windows\system32\wuaueng.dll
2012-07-26 22:32 . 2012-06-02 22:19 57880 ----a-w- c:\windows\system32\wuauclt.exe
2012-07-26 22:32 . 2012-06-02 22:19 44056 ----a-w- c:\windows\system32\wups2.dll
2012-07-26 22:32 . 2012-06-02 22:15 2622464 ----a-w- c:\windows\system32\wucltux.dll
2012-07-26 22:31 . 2012-06-02 22:19 38424 ----a-w- c:\windows\system32\wups.dll
2012-07-26 22:31 . 2012-06-02 22:19 701976 ----a-w- c:\windows\system32\wuapi.dll
2012-07-26 22:31 . 2012-06-02 22:15 99840 ----a-w- c:\windows\system32\wudriver.dll
2012-07-26 22:31 . 2012-06-02 18:19 186752 ----a-w- c:\windows\system32\wuwebv.dll
2012-07-26 22:31 . 2012-06-02 18:15 36864 ----a-w- c:\windows\system32\wuapp.exe
2012-07-26 22:26 . 2012-07-26 22:26 0 ----a-w- c:\windows\SysWow64\shoB32E.tmp
2012-07-26 21:29 . 2012-07-26 21:29 -------- d-----w- c:\users\vera pessoasl\AppData\Local\Diagnostics
2012-07-26 18:27 . 2012-07-26 18:27 -------- d-----w- c:\users\vera pessoasl\AppData\Local\Apps
2012-07-26 18:10 . 2012-07-26 18:10 -------- d-----w- c:\users\vera pessoasl\AppData\Roaming\Windows Live Writer
2012-07-26 18:10 . 2012-07-26 18:10 -------- d-----w- c:\users\vera pessoasl\AppData\Local\Windows Live Writer
2012-07-26 05:40 . 2012-07-26 05:41 -------- d-----w- C:\FRST
2012-07-24 21:59 . 2012-07-24 21:59 -------- d-sh--w- c:\windows\system32\%APPDATA%
2012-07-24 16:45 . 2009-07-14 01:39 328704 ----a-w- c:\windows\system32\zz-services.tmp
2012-07-24 16:33 . 2012-07-24 16:33 426184 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
.
.
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-24 16:33 . 2011-06-12 18:31 70344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2012-06-26 05:59 . 2012-06-26 06:00 40960 ----a-w- c:\windows\DelPiv.exe
2012-06-21 13:02 . 2012-06-21 13:02 19736 ----a-w- c:\programdata\Microsoft\IdentityCRL\production\ppcrlconfig600.dll
2012-06-16 21:11 . 2012-06-16 21:11 33344 ----a-w- c:\windows\system32\drivers\hamachi.sys
2012-05-31 14:09 . 2012-05-31 14:09 163048 ----a-w- c:\programdata\Microsoft\Windows\Sqm\Manifest\Sqm10141.bin
.
.
((((((((((((((((((((((((((((( SnapShot@2012-07-26_23.27.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2012-07-27 05:05 . 2012-07-27 05:05 13366 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2012-07-26 16:30 . 2012-07-26 16:30 13366 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\SoftGrid Client\Icon Cache\icon_ex.dat
- 2009-07-14 04:54 . 2012-07-26 22:27 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:54 . 2012-07-27 05:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-07-26 22:27 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-27 05:06 32768 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-27 05:06 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-07-14 04:54 . 2012-07-26 22:27 16384 c:\windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 05:10 . 2012-07-27 05:13 29778 c:\windows\system32\wdi\BootPerformanceDiagnostics_SystemData.bin
- 2011-03-06 19:48 . 2012-07-26 16:39 18618 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2075956414-652828455-2486635925-1000_UserData.bin
+ 2011-03-06 19:48 . 2012-07-27 05:13 18618 c:\windows\system32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2075956414-652828455-2486635925-1000_UserData.bin
- 2011-03-04 20:03 . 2012-07-26 22:38 81920 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-04 20:03 . 2012-07-27 13:15 81920 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-07-14 04:54 . 2012-07-26 22:38 81920 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-07-14 04:54 . 2012-07-27 13:15 81920 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-11 00:08 . 2012-07-26 22:29 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-11 00:08 . 2012-07-27 05:09 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-07-14 04:46 . 2012-07-27 05:09 63160 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\Cache\cache.dat
+ 2011-03-11 00:08 . 2012-07-27 05:09 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-03-11 00:08 . 2012-07-26 22:29 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2011-03-11 00:08 . 2012-07-26 22:29 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2011-03-11 00:08 . 2012-07-27 05:09 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-04 22:11 . 2012-07-26 23:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-04 22:11 . 2012-07-27 15:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2011-03-04 22:11 . 2012-07-27 15:12 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2011-03-04 22:11 . 2012-07-26 23:06 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2012-07-26 22:27 . 2012-07-26 22:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-27 05:06 . 2012-07-27 05:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2012-07-27 05:06 . 2012-07-27 05:06 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2012-07-26 22:27 . 2012-07-26 22:27 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2009-07-14 05:12 . 2012-07-26 22:38 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:12 . 2012-07-27 13:15 262144 c:\windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Windows\IETldCache\index.dat
+ 2009-07-14 05:01 . 2012-07-27 05:05 305700 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2009-07-14 05:01 . 2012-07-26 22:26 305700 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-System.dat
- 2011-03-04 20:03 . 2012-07-26 22:38 1392640 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2011-03-04 20:03 . 2012-07-27 13:15 1392640 c:\windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-07-14 04:45 . 2012-07-27 05:09 3376835 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2009-07-14 04:45 . 2012-05-03 14:05 3376835 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareProtectionPlatform\tokens.dat
- 2011-03-06 02:25 . 2012-07-26 22:26 42437912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2075956414-652828455-2486635925-1000-8192.dat
+ 2011-03-06 02:25 . 2012-07-27 05:05 42437912 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache-S-1-5-21-2075956414-652828455-2486635925-1000-8192.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por padrão não são apresentadas.
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 94208 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\users\Vera Cunha\AppData\Roaming\mjusbsp\cdloader2.exe" [2012-02-01 50592]
"Nokia Internet Modem"="c:\program files (x86)\Nokia\Nokia Internet Modem\WellPhone2.exe" [2009-07-29 1962648]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2012-03-22 1675160]
"HP Software Update"="c:\program files (x86)\HP\HP Software Update\HPWuSchd2.exe" [2009-11-18 54576]
"PlusService"="c:\program files (x86)\Yuna Software\Messenger Plus!\PlusService.exe" [2011-05-26 800768]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2011-09-30 252296]
"Malwarebytes' Anti-Malware"="c:\program files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-07-03 462920]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce]
"c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe"="c:\program files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpdate.exe" [2011-09-21 560128]
.
c:\users\Vera Cunha\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files (x86)\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
Dropbox.lnk - c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\Dropbox.exe [2012-5-24 27112840]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-12-29 1082656]
HP Digital Imaging Monitor.lnk - c:\program files (x86)\HP\Digital Imaging\bin\hpqtra08.exe [2009-11-18 275072]
Microsoft Office.lnk - c:\program files (x86)\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[hkey_local_machine\software\Wow6432Node\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399008}"= "c:\program files (x86)\GbPlugin\gbiehuni.dll" [2012-02-01 601592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginUni]
2012-02-01 14:41 601592 ----a-w- c:\program files (x86)\GbPlugin\gbiehuni.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
[BU]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui]
[BU]
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [x]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-02-16 22528]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R2 gupdate;Google Update Service (gupdate);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 136176]
R2 RoxWatch12;Roxio Hard Drive Watcher 12;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe [2010-09-04 219632]
R3 btusbflt;Bluetooth USB Filter;c:\windows\system32\drivers\btusbflt.sys [2010-03-30 53800]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [2010-03-30 35104]
R3 dump_wmimmc;dump_wmimmc;c:\program files (x86)\Gravity\RagnarokOnline\GameGuard\dump_wmimmc.sys [x]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files (x86)\Garena\safedrv.sys [x]
R3 gupdatem;Serviço do Google Update (gupdatem);c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 136176]
R3 McAWFwk;McAfee Activation Service;c:\progra~1\mcafee\msc\mcawfwk.exe [2010-08-30 220528]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2012-02-22 100912]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [x]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-10 4925184]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [2010-09-04 1116656]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys [2009-11-11 232480]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [2010-01-12 325152]
R3 TurboBoost;TurboBoost;c:\program files\Intel\TurboBoost\TurboBoost.exe [2009-11-02 126352]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys [2011-02-18 51712]
R3 WSDPrintDevice;Suporte de Impressão WSD via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2009-07-14 23040]
R4 McOobeSv;McAfee OOBE Service;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 57184]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys [2012-02-22 289664]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys [2010-03-19 55856]
S1 mfenlfk;McAfee NDIS Light Filter;c:\windows\system32\DRIVERS\mfenlfk.sys [2012-02-22 75936]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-14 59904]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_58afa5ca50c7b5e7\AESTSr64.exe [2009-03-03 89600]
S2 cvhsvc;Client Virtualization Handler;c:\program files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [2010-02-28 821664]
S2 GbpSv;Gbp Service;c:\progra~2\GbPlugin\GbpSv.exe [2012-02-01 203256]
S2 MBAMService;MBAMService;c:\program files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe [2012-07-03 655944]
S2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\mcafee\McSvcHost\McSvHost.exe [2011-01-27 249936]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [2012-03-20 210584]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2012-03-20 162192]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
S2 sftlist;Application Virtualization Client;c:\program files (x86)\Microsoft Application Virtualization Client\sftlist.exe [2010-04-24 483688]
S2 SftService;SoftThinks Agent Service;c:\program files (x86)\Dell DataSafe Local Backup\sftservice.EXE [2011-08-18 1692480]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 13784]
S2 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [2010-03-03 2320920]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2012-02-22 65264]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2010-08-12 175168]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys [2009-09-17 56344]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys [2010-02-27 158976]
S3 IntcDAud;Áudio do vídeo Intel®;c:\windows\system32\DRIVERS\IntcDAud.sys [2011-08-23 317440]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-07-03 24904]
S3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2012-02-22 487296]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [2011-04-13 45432]
S3 Sftfs;Sftfs;c:\windows\system32\DRIVERS\Sftfslh.sys [2010-04-24 721768]
S3 Sftplay;Sftplay;c:\windows\system32\DRIVERS\Sftplaylh.sys [2010-04-24 269672]
S3 Sftredir;Sftredir;c:\windows\system32\DRIVERS\Sftredirlh.sys [2010-04-24 25960]
S3 Sftvol;Sftvol;c:\windows\system32\DRIVERS\Sftvollh.sys [2010-04-24 22376]
S3 sftvsa;Application Virtualization Service Agent;c:\program files (x86)\Microsoft Application Virtualization Client\sftvsa.exe [2010-04-24 209768]
S3 vwifimp;Microsoft Virtual WiFi Miniport Service;c:\windows\system32\DRIVERS\vwifimp.sys [2009-07-14 17920]
.
.
--- =Outros Serviços/Drivers Na Memória ---
.
*Deregistered* - mfeavfk01
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Conteúdo da pasta 'Tarefas Agendadas'
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 20:41]
.
2012-07-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files (x86)\Google\Update\GoogleUpdate.exe [2011-03-28 20:41]
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-12-05 19:17 97792 ----a-w- c:\users\Vera Cunha\AppData\Roaming\Dropbox\bin\DropboxExt64.14.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files (x86)\Synaptics\SynTP\SynTPEnh.exe" [BU]
"SysTrayApp"="c:\program files\IDT\WDM\sttray64.exe" [2010-01-21 487424]
"Broadcom Wireless Manager UI"="c:\program files\Dell\DW WLAN Card\WLTRAY.exe" [2009-12-17 5470208]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2012-01-23 167704]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2012-01-23 392984]
"Persistence"="c:\windows\system32\igfxpers.exe" [2012-01-23 417560]
.
------- Scan Suplementar -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = about:blank
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: E&xportar para o Microsoft Excel - c:\progra~2\MICROS~1\Office10\EXCEL.EXE/3000
IE: Enviar imagem para Dispositivo &Bluetooth... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Enviar página para Dispositivo &Bluetooth ... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: celebrationtt.com\www
Trusted Zone: com.br\www.bb
Trusted Zone: com.br\www14.bancobrasil
Trusted Zone: com.br\www2.bancobrasil
Trusted Zone: sahacampos.com.br
TCP: DhcpNameServer = 192.168.1.1
DPF: {2D36AF92-04D3-11D8-B719-0000865F231B} - hxxps://my.sabre.com/jars/TMinReqX.dll
FF - ProfilePath - c:\users\Vera Cunha\AppData\Roaming\Mozilla\Firefox\Profiles\oxxpm67a.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig
FF - prefs.js: network.proxy.type - 0
.
- - - - ORFÃOS REMOVIDOS - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
.
.
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_11_3_300_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.11"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_11_3_300_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee]
"SymbolicLinkValue"=hex(6):5c,00,72,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,6d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,6f,00,66,00,\
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Tempo para conclusão: 2012-07-27 12:37:00
ComboFix-quarantined-files.txt 2012-07-27 15:37
ComboFix2.txt 2012-07-26 23:59
.
Pré-execução: 89.416.376.320 bytes disponíveis
Pós execução: 89.330.343.936 bytes disponíveis
.
- - End Of File - - 18C716AD42222E9ED8C608B1A2E3E6FC
MiniToolBox by Farbar Version: 23-07-2012
Ran by Vera Cunha (administrator) on 27-07-2012 at 13:06:22
Microsoft Windows 7 Home Basic (X64)
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Configuração de IP do Windows

Liberação do Cache do DNS Resolver bem-sucedida.

========================= IE Proxy Settings: ==============================

Proxy is not enabled.
No Proxy Server is set.

========================= FF Proxy Settings: ==============================

"network.proxy.type", 0
========================= Hosts content: =================================

127.0.0.1 localhost


=========================== Installed Programs ============================

64 Bit HP CIO Components Installer (Version: 7.2.8)
Adobe AIR (Version: 2.6.0.19140)
Adobe Audition 1.5 (Version: 1.5)
Adobe Bridge 1.0 (Version: 1.0.1.1)
Adobe Common File Installer (Version: 1.00.002)
Adobe Flash Player 11 ActiveX (Version: 11.3.300.257)
Adobe Flash Player 11 Plugin 64-bit (Version: 11.1.102.55)
Adobe Help Center 2.0 (Version: 2.0.0)
Adobe Photoshop CS2 (Version: 9.0)
Adobe Reader 9.1.2 - Português (Version: 9.1.2)
Adobe Shockwave Player 11.6 (Version: 11.6.1.629)
Adobe Stock Photos 1.0 (Version: 1.0.2)
Advanced Audio FX Engine (Version: 1.12.05)
Age of Mythology
Age of Mythology - The Titans Expansion
AoA Audio Extractor
Apple Application Support (Version: 1.5.0)
Apple Mobile Device Support (Version: 3.4.0.25)
Apple Software Update (Version: 2.1.2.120)
Arquivo do WinRAR
µTorrent (Version: 2.2.0)
aTube Catcher (Version: 2.7.778)
Audacity 1.3.13 (Unicode)
Audio Transcoder (Version: 2.7)
Bonjour (Version: 2.0.4.0)
BS.Player FREE (Version: 2.57.1051)
BSPlayer
BufferChm (Version: 140.0.212.000)
Cisco EAP-FAST Module (Version: 2.2.14)
Cisco LEAP Module (Version: 1.0.19)
Cisco PEAP Module (Version: 1.1.6)
Controle ActiveX do Windows Live Mesh para Conexões Remotas (Version: 15.4.5722.2)
Curse Client (Version: 4.0.1.180)
CutePDF Writer 2.8
CyberLink PowerDVD 9.5 (Version: 9.5.1.3225)
D110 (Version: 140.0.142.000)
D3DX10 (Version: 15.4.2368.0902)
Dell DataSafe Local Backup - Support Software (Version: 9.4.60)
Dell DataSafe Local Backup (Version: 9.4.60)
Dell DataSafe Online (Version: 1.2.0011)
Dell Edoc Viewer (Version: 1.0.0)
Dell Getting Started Guide (Version: 1.00.0000)
Dell PhotoStage (Version: 1.5.0.19)
Dell VideoStage (Version: 1.1.0.1011)
Dell Webcam Central (Version: 2.00.35)
Destinations (Version: 140.0.77.000)
DeviceDiscovery (Version: 140.0.212.000)
DirectX 9 Runtime (Version: 1.00.0000)
Dolby Axon - 1.4.0.1 (Version: 1.4.0.1)
Dropbox (Version: 1.4.7)
Dup Detector
DW WLAN Card Utility (Version: 5.60.48.18)
EasyBits GO
ESET Online Scanner v3
Exact Audio Copy 1.0beta2 (Version: 1.0beta2)
FLAC Player 1.0.1
Garena 2010 (Version: 2010)
Garena Plus (Version: 2011)
Google Chrome (Version: 20.0.1132.57)
Google Earth Plug-in (Version: 6.1.0.5001)
Google Update Helper (Version: 1.3.21.115)
GoToAssist 8.0.0.514
GPBaseService2 (Version: 140.0.211.000)
Guitar Pro 5.2
Hamachi 1.0.3.0
HP Customer Participation Program 14.0 (Version: 14.0)
HP Imaging Device Functions 14.0 (Version: 14.0)
HP Photosmart D110 All-In-One Driver Software 14.0 Rel. 7 (Version: 14.0)
HP Product Detection (Version: 10.7.9.0)
HP Smart Web Printing 4.60 (Version: 4.60)
HP Solution Center 14.0 (Version: 14.0)
HP Update (Version: 5.002.002.002)
HPAppStudio (Version: 140.0.95.000)
HPDiagnosticAlert (Version: 1.00.0000)
HPPhotoGadget (Version: 140.0.524.000)
HPProductAssistant (Version: 140.0.212.000)
HPSSupply (Version: 140.0.211.000)
I8kfanGUI V3.1 (x64) (Version: 3.1)
Intel® Management Engine Components (Version: 6.0.0.1179)
Intel® Processor Graphics (Version: 8.15.10.2622)
iTunes (Version: 10.2.0.34)
Java Auto Updater (Version: 2.1.5.3)
Java SE Development Kit 7 Update 4 (64-bit) (Version: 1.7.0.40)
Java SE Development Kit 7 Update 4 (Version: 1.7.0.40)
Java™ 7 Update 4 (64-bit) (Version: 7.0.40)
Java™ 7 Update 4 (Version: 7.0.40)
JavaFX 2.1.0 (64-bit) (Version: 2.1.0)
JavaFX 2.1.0 (Version: 2.1.0)
JavaFX 2.1.0 SDK (64-bit) (Version: 2.1.0)
JavaFX 2.1.0 SDK (Version: 2.1.0)
Junk Mail filter update (Version: 15.4.3502.0922)
K-Lite Mega Codec Pack 7.0.0 (Version: 7.0.0)
League of Legends (Version: 1.3)
magicJack (Version: 2.0.6073.4413)
Malwarebytes Anti-Malware version 1.62.0.1300 (Version: 1.62.0.1300)
MarketResearch (Version: 140.0.212.000)
McAfee SecurityCenter (Version: 11.0.678)
Mesh Runtime (Version: 15.4.5722.2)
Messenger Companion (Version: 15.4.3502.0922)
Messenger Plus! 5 (Version: 1.0.1.102)
Microsoft .NET Framework 4 Client Profile (Version: 4.0.30319)
Microsoft .NET Framework 4 Client Profile PTB Language Pack (Version: 4.0.30319)
Microsoft Application Error Reporting (Version: 12.0.6015.5000)
Microsoft IntelliPoint 8.1 (Version: 8.15.406.0)
Microsoft Office 2010 (Version: 14.0.4763.1000)
Microsoft Office com Clique para Executar 2010 (Version: 14.0.4763.1000)
Microsoft Office Starter 2010 - Português (Brasil) (Version: 14.0.4763.1000)
Microsoft Office XP Professional com FrontPage (Version: 10.0.2627.7)
Microsoft Silverlight (Version: 4.0.60129.0)
Microsoft SQL Server 2005 Compact Edition [ENU] (Version: 3.1.0000)
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (Version: 8.0.50727.4053)
Microsoft Visual C++ 2005 Redistributable - KB2467175 (Version: 8.0.51011)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.56336)
Microsoft Visual C++ 2005 Redistributable (Version: 8.0.58299)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.50727.42)
Microsoft Visual C++ 2005 Redistributable (x64) (Version: 8.0.56336)
Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148 (Version: 9.0.30729.4148)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (Version: 9.0.30729)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (Version: 9.0.30729)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 (Version: 10.0.30319)
Monitor da tecnologia Intel® Turbo Boost (Version: 1.0.186.6)
Mozilla Firefox 11.0 (x86 pt-BR) (Version: 11.0)
Mozilla Thunderbird 13.0.1 (x86 pt-BR) (Version: 13.0.1)
MSVCRT (Version: 15.4.2862.0708)
MSVCRT_amd64 (Version: 15.4.2862.0708)
MSXML 4.0 SP2 (KB954430) (Version: 4.20.9870.0)
MSXML 4.0 SP2 (KB973688) (Version: 4.20.9876.0)
MSXML4 Parser (Version: 1.0.0)
Network64 (Version: 140.0.212.000)
Network64 (Version: 140.0.221.000)
Nokia Internet Modem (Version: 3.8.69.40)
Pacote de Idiomas do Microsoft .NET Framework 4 Client Profile - Português (Brasil) (Version: 4.0.30319)
Palco de Música (Version: 1.3.24.0)
Palco Dell (Version: 1.4.173.0)
Pando Media Booster (Version: 2.3.5.2)
PhotoShowExpress (Version: 2.0.028)
PS_AIO_07_D110_SW_Min (Version: 140.0.142.000)
Quickset64 (Version: 10.5.0)
QuickTime (Version: 7.69.80.9)
QuickTransfer (Version: 140.0.98.000)
RagnarokOnline (Version: 13.3)
RaidCall (Version: 6.0.8-1.0.552.46)
RBVirtualFolder64Inst (Version: 1.00.0000)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0)
RealPlayer
RealUpgrade 1.1 (Version: 1.1.0)
Roxio Activation Module (Version: 1.0)
Roxio BackOnTrack (Version: 1.3.3)
Roxio Burn (Version: 1.6)
Roxio Creator Starter (Version: 1.0.311)
Roxio Creator Starter (Version: 12.1.40.0)
Roxio Creator Starter (Version: 5.0.0)
Roxio Express Labeler 3 (Version: 3.2.2)
Roxio File Backup (Version: 1.3.2)
Scan (Version: 140.0.77.000)
Shop for HP Supplies (Version: 14.0)
Skype Toolbars (Version: 5.3.7555)
Skype™ 5.5 (Version: 5.5.124)
SmartWebPrinting (Version: 140.0.186.000)
Software WIDCOMM Bluetooth (Version: 6.2.1.1100)
SolutionCenter (Version: 140.0.211.000)
Sonic CinePlayer Decoder Pack (Version: 4.3.0)
Spybot - Search & Destroy (Version: 1.6.2)
Status (Version: 140.0.212.000)
swMSM (Version: 12.0.0.1)
Synaptics Pointing Device Driver (Version: 15.0.0.1)
TeamSpeak 2 RC2 (Version: 2.0.32.60)
TeamSpeak 3 Client
Toolbox (Version: 140.0.424.000)
TrayApp (Version: 140.0.212.000)
Update for Microsoft .NET Framework 4 Client Profile (KB2473228) (Version: 1)
Ventrilo Client for Windows x64 (Version: 3.0.8.0)
Visualizador do Microsoft PowerPoint (Version: 14.0.4763.1000)
Warcraft III Reign of Chaos & The Frozen Throne
WebReg (Version: 140.0.212.017)
Windows Live Communications Platform (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3502.0922)
Windows Live Essentials (Version: 15.4.3555.0308)
Windows Live Galeria de Fotos (Version: 15.4.3502.0922)
Windows Live ID Sign-in Assistant (Version: 7.250.4232.0)
Windows Live Installer (Version: 15.4.3502.0922)
Windows Live Language Selector (Version: 15.4.3555.0308)
Windows Live Mail (Version: 15.4.3502.0922)
Windows Live Mesh (Version: 15.4.3502.0922)
Windows Live Messenger (Version: 15.4.3538.0513)
Windows Live Messenger Companion Core (Version: 15.4.3502.0922)
Windows Live MIME IFilter (Version: 15.4.3502.0922)
Windows Live Movie Maker (Version: 15.4.3502.0922)
Windows Live Photo Common (Version: 15.4.3502.0922)
Windows Live Photo Gallery (Version: 15.4.3502.0922)
Windows Live PIMT Platform (Version: 15.4.3508.1109)
Windows Live Remote Client (Version: 15.4.5722.2)
Windows Live Remote Client Resources (Version: 15.4.5722.2)
Windows Live Remote Service (Version: 15.4.5722.2)
Windows Live Remote Service Resources (Version: 15.4.5722.2)
Windows Live SOXE (Version: 15.4.3502.0922)
Windows Live SOXE Definitions (Version: 15.4.3502.0922)
Windows Live UX Platform (Version: 15.4.3502.0922)
Windows Live UX Platform Language Pack (Version: 15.4.3508.1109)
Windows Live Writer (Version: 15.4.3502.0922)
Windows Live Writer Resources (Version: 15.4.3502.0922)
Windows Media Player Firefox Plugin (Version: 1.0.0.8)
World of Warcraft Beta (Version: )

**** End of log ****
Farbar Service Scanner Version: 26-07-2012
Ran by Vera Cunha (administrator) on 27-07-2012 at 13:07:41
Running from "E:\"
Microsoft Windows 7 Home Basic (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo IP is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

Windows Update:
============
BITS Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of BITS. The value does not exist.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============

sharedaccess Service is not running. Checking service configuration:
The start type of sharedaccess service is set to Auto
The ImagePath of sharedaccess service is OK.
The ServiceDll of sharedaccess service is OK.


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll
[2009-07-13 20:21] - [2009-07-13 22:40] - 0182272 ____A (Microsoft Corporation) 676108C4E3AA6F6B34633748BD0BEBD9

C:\Windows\System32\mpssvc.dll
[2009-07-13 21:09] - [2009-07-13 22:41] - 0824832 ____A (Microsoft Corporation) AECAB449567D1846DAD63ECE49E893E3

C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll
[2009-07-13 20:36] - [2009-07-13 22:41] - 0170496 ____A (Microsoft Corporation) 765A27C3279CE11D14CB9E4F5869FCA5

C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****




Thanks in advance.

#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,360 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:15 PM

Posted 27 July 2012 - 11:39 AM

Please do the following:

Click WinKey + R to open a run box > type notepad into the open run box > OK > this will open Notepad

Click Format and make certain that Word Wrap is NOT checked.

Copy/Paste the text inside of the code box into the open Notepad


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"DisplayName"="@%SystemRoot%\\system32\\qmgr.dll,-1000"
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Description"="@%SystemRoot%\\system32\\qmgr.dll,-1001"
"ObjectName"="LocalSystem"
"ErrorControl"=dword:00000001
"Start"=dword:00000002
"DelayedAutoStart"=dword:00000001
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00
"ServiceSidType"=dword:00000001
"RequiredPrivileges"=hex(7):53,00,65,00,43,00,72,00,65,00,61,00,74,00,65,00,47,\
  00,6c,00,6f,00,62,00,61,00,6c,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,\
  67,00,65,00,00,00,53,00,65,00,49,00,6d,00,70,00,65,00,72,00,73,00,6f,00,6e,\
  00,61,00,74,00,65,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,\
  00,00,53,00,65,00,54,00,63,00,62,00,50,00,72,00,69,00,76,00,69,00,6c,00,65,\
  00,67,00,65,00,00,00,53,00,65,00,41,00,73,00,73,00,69,00,67,00,6e,00,50,00,\
  72,00,69,00,6d,00,61,00,72,00,79,00,54,00,6f,00,6b,00,65,00,6e,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,53,00,65,00,49,00,6e,00,\
  63,00,72,00,65,00,61,00,73,00,65,00,51,00,75,00,6f,00,74,00,61,00,50,00,72,\
  00,69,00,76,00,69,00,6c,00,65,00,67,00,65,00,00,00,00,00
"FailureActions"=hex:80,51,01,00,00,00,00,00,00,00,00,00,03,00,00,00,14,00,00,\
  00,01,00,00,00,60,ea,00,00,01,00,00,00,c0,d4,01,00,00,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Performance]
"Library"="bitsperf.dll"
"Open"="PerfMon_Open"
"Collect"="PerfMon_Collect"
"Close"="PerfMon_Close"
"InstallType"=dword:00000001
"PerfIniFile"="bitsctrs.ini"
"Last Counter"=dword:00000fc8
"Last Help"=dword:00000fc9
"First Counter"=dword:00000fb8
"First Help"=dword:00000fb9
"Object List"="4024"
"1008"=hex(b):50,94,22,ad,0d,ad,cc,01
"PerfMMFileName"="Global\\MMF_BITS_s"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Security]
"Security"=hex:01,00,14,80,94,00,00,00,a4,00,00,00,14,00,00,00,34,00,00,00,02,\
  00,20,00,01,00,00,00,02,c0,18,00,00,00,0c,00,01,02,00,00,00,00,00,05,20,00,\
  00,00,20,02,00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,\
  00,00,00,00,05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,\
  20,00,00,00,20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,\
  00,00,00,00,00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,\
  00,00,01,02,00,00,00,00,00,05,20,00,00,00,20,02,00,00,01,02,00,00,00,00,00,\
  05,20,00,00,00,20,02,00,00


Now go to File > and click Save As,
From the drop down menu at the top of the box choose Desktop as the location to save this file.
Go down to the File Name box and type in fixme.reg as the file name, then choose All Files as the save as file type.
Then click the save button.

Once you have clicked the save button, close Notepad.

You should now see a file on your desktop that looks like this:

Posted Image

Locate the fixme.reg icon on your desktop and double click it, an information box will pop up asking if you want to merge the information in the file into the registry, click YES.

Once the file has run, the information will have merged with your registry so you can delete fixme.reg from your desktop as you won't be needing it any more.


Now reboot and retry the Windows updates


NEXT

Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.


NEXT

Please advise how the computer is running now and if there are any outstanding issues
The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
Microsoft MVP - 2010, 2011, 2012, 2013
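As an added defender-side check, not part of CatByte's post or of any tool mentioned in this thread: a small Python script that decodes the hex(2)/hex(7) values in the fix above and verifies that the BITS entries it would merge describe the stock service host (svchost.exe -k netsvcs hosting qmgr.dll, Start=2), which is the value the Farbar Service Scanner log reported as missing. The .reg excerpt is copied from the fix; the parser, `check_bits_fix`, and the expected layout are my own assumptions about what a correct BITS registration looks like.

```python
import re

# Excerpt of the fix posted above (ImagePath, Start, Type, DependOnService and
# Parameters\ServiceDll); the remaining values are omitted for brevity.
REG_FIX = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS]
"ImagePath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,73,\
  00,76,00,63,00,68,00,6f,00,73,00,74,00,2e,00,65,00,78,00,65,00,20,00,2d,00,\
  6b,00,20,00,6e,00,65,00,74,00,73,00,76,00,63,00,73,00,00,00
"Start"=dword:00000002
"Type"=dword:00000020
"DependOnService"=hex(7):52,00,70,00,63,00,53,00,73,00,00,00,45,00,76,00,65,00,\
  6e,00,74,00,53,00,79,00,73,00,74,00,65,00,6d,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BITS\Parameters]
"ServiceDll"=hex(2):25,00,73,00,79,00,73,00,74,00,65,00,6d,00,72,00,6f,00,6f,\
  00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
  71,00,6d,00,67,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
'''

BITS_KEY = r"hkey_local_machine\system\currentcontrolset\services\bits"


def _join_continuations(text):
    """Fold the .reg trailing-backslash line continuations into single lines."""
    lines, pending = [], ""
    for line in text.splitlines():
        line = pending + line.strip() if pending else line.rstrip()
        if line.endswith("\\"):
            pending = line[:-1]
        else:
            lines.append(line)
            pending = ""
    if pending:
        lines.append(pending)
    return lines


def _decode(raw):
    """Return (type_name, value) for one .reg value string."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[len("dword:"):], 16)
    m = re.fullmatch(r"hex(?:\(([0-9a-fA-F]+)\))?:(.*)", raw)
    if not m:
        raise ValueError("unsupported value syntax: " + raw)
    kind = int(m.group(1), 16) if m.group(1) else 3      # bare hex: is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2):   # REG_SZ / REG_EXPAND_SZ: UTF-16LE, NUL-terminated
        return ("REG_SZ" if kind == 1 else "REG_EXPAND_SZ",
                data.decode("utf-16-le").rstrip("\x00"))
    if kind == 7:        # REG_MULTI_SZ: NUL-separated strings, double-NUL terminated
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\x00") if s]
    return "hex(%x)" % kind, data


def parse_reg(text):
    """Parse a .reg file into {key_path_lower: {value_name_lower: (type, value)}}."""
    keys, current = {}, None
    for line in _join_continuations(text):
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'(?:@|"((?:[^"\\]|\\.)*)")=(.*)', line)
        if not m or current is None:
            raise ValueError("malformed line: " + line)
        keys[current][(m.group(1) or "@").lower()] = _decode(m.group(2))
    return keys


def check_bits_fix(text):
    """Return a list of problems; an empty list means the entries match the stock BITS layout."""
    keys = parse_reg(text)
    svc = keys.get(BITS_KEY, {})
    params = keys.get(BITS_KEY + r"\parameters", {})
    problems = []
    start = svc.get("start")
    if start is None:
        problems.append("Start is missing (the condition the Farbar scan reported)")
    elif start[1] != 2:
        problems.append("Start=%d, expected 2 (SERVICE_AUTO_START)" % start[1])
    if svc.get("type", (None, None))[1] != 0x20:
        problems.append("Type should be 0x20 (SERVICE_WIN32_SHARE_PROCESS)")
    image = svc.get("imagepath", ("", ""))[1].lower()
    if not image.endswith(r"\system32\svchost.exe -k netsvcs"):
        problems.append("ImagePath is not the stock netsvcs host: %r" % image)
    dll = params.get("servicedll", ("", ""))[1].lower()
    if not dll.endswith(r"\system32\qmgr.dll"):
        problems.append("ServiceDll is not qmgr.dll: %r" % dll)
    return problems


if __name__ == "__main__":
    print("fix as posted:", check_bits_fix(REG_FIX) or "OK")
    # Constructed counter-example: the same fix with the Start value dropped.
    broken = REG_FIX.replace('"Start"=dword:00000002\n', "")
    print("without Start :", check_bits_fix(broken))
```

The same parser can be pointed at a `reg export` of a live machine's BITS key to confirm the merge took effect before rebooting.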

#14 Vítor Cunha

Vítor Cunha
  • Topic Starter

  • Members
  • 13 posts
  • OFFLINE
  •  
  • Local time:06:15 PM

Posted 27 July 2012 - 12:55 PM

Dear CatByte,

Thank you so much for your support. Didn't know I could still ask for safe, precise and efficient help like this nowadays.
I couldn't see any issues so far. The PC is running faster, I must say. The cooler seems to be speeding up more often too.

I have some questions, if it's OK.
1- I had to transfer my mother's emails to a dumped user account I had here due to some issues with Windows Live Mail I could only fix this way. Do any of these prevention steps NOT affect the other account?

2- Shall I keep any of these tools as a prevention tool?

3- If I'm not mistaken, when I ran ESET I was just told to save the log and send you... were those infected files it found also healed?


Do you need me to inform you of anything else? Or did these steps remove all threatening content?

I really, REALLY, am thankful for your support and help.

Will try to donate if mother agrees with it.

Vítor

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,360 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:05:15 PM

Posted 27 July 2012 - 01:17 PM

1- I had to transfer my mother's emails to a dumped user account I had here due to some issues with Windows Live Mail I could only fix this way. Do any of these prevention steps NOT affect the other account?

all the accounts should be OK

2- Shall I keep any of these tools as a prevention tool?

no, we will clean up most of them at the end, keep MalwareBytes Antimalware, run it every once in a while

3- If I'm not mistaken, when I ran ESET I was just told to save the log and send you... were those infected files it found also healed?

The fact that the second time you ran it, it didn't find anything leads me to believe that ESET removed the files it found the first time. Quite often it finds files in quarantine; do you remember if the files were in either FRST or Qoobox? I wouldn't be too concerned about not having the first log if the second scan was clean.

please run one more diagnostic scan so that I can make sure there are no leftovers




Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    services.exe
    /md5stop
    %systemroot%\*. /rp /s
    DRIVES
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs




