
Infected with gaopdx rootkit


  • This topic is locked
10 replies to this topic

#1 razikain

razikain

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:35 AM

Posted 08 September 2009 - 01:24 PM

--- What happened before ---
Some months ago (around the beginning of the year) I got infected by gaopdx. Along with a bunch of malware that entered my computer with it, it blocked my internet access to security software websites (like spybot website, for example) and did some other things I don't remember right now. I used MBAM (luckily it was up to date) and removed most of the malware, but gaopdx remained. Then I asked a friend of mine for help, since he is way more experienced than me with solving this kind of problem. He used ComboFix, found some gaopdx related files and removed them, and my computer came back to normal. Unfortunately I don't have the log anymore.

--- What is happening now ---
Yesterday I ran MBAM and Spybot just to do a routine check. MBAM found nothing. It already had "C:\Windows\System32\gaopdxcounter (Trojan.Agent)" in quarantine (from the prior infection), so I removed it definitively. But Spybot found one registry problem, and it was gaopdx related. So I rebooted my computer in Safe Mode and began looking for gaopdx occurrences in the registry files. I found 2 of them, but I couldn't delete them. That worried me. So I downloaded Gmer and ran it in Safe Mode. It detected rootkit activity related to gaopdx. I tried to remove it using Gmer itself, but after trying to remove the service it said it couldn't be found. But after I rebooted my PC twice (once in normal mode and then safe mode again), I ran Gmer again and it didn't find anything suspicious. But the gaopdx registry files are still there, and I can't remove or modify them.

So what I'd like to know is if I'm still infected or if those registry files are just what is left from the gaopdx removal and they mean no harm. Apart from the fact that I'm having some trouble uploading files, everything else is running without a problem.

Here is the DDS log.

DDS (Ver_09-07-30.01) - FAT32x86
Run by ANA at 11:47:05,06 on ter 08/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.514 [GMT -3:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe
C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\mcproxy\mcproxy.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Windows Live\Contacts\wlcomm.exe
C:\Documents and Settings\ANA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.neopets.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\arquiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\arquiv~1\mcafee\viruss~1\scriptsn.dll
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\arquiv~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\arquivos de programas\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\arquiv~1\mcafee\sitead~1\mcieplg.dll
EB: Web Test Recorder 9.0: {3c7adade-d1e8-45d2-bdcd-7f8d8b99b2a2} - mscoree.dll
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] "c:\arquivos de programas\mcafee.com\agent\mcagent.exe" /runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office10\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\arquiv~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\arquiv~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ana\dadosd~1\mozilla\firefox\profiles\tlvkn5jf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.consulttelecom.com/
FF - component: c:\arquivos de programas\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\arquivos de programas\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\arquivos de programas\virtools\3d life player\npvirtools.dll
FF - plugin: c:\documents and settings\all users\dados de aplicativos\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\dados de aplicativos\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\arquivos de programas\mcafee\siteadvisor\McSACore.exe [2008-10-1 210216]
R2 McProxy;McAfee Proxy Service;c:\arquiv~1\arquiv~1\mcafee\mcproxy\mcproxy.exe [2008-6-13 359952]
R2 McShield;McAfee Real-time Scanner;c:\arquiv~1\mcafee\viruss~1\mcshield.exe [2008-6-13 144704]
R3 McSysmon;McAfee SystemGuards;c:\arquiv~1\mcafee\viruss~1\mcsysmon.exe [2008-6-13 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-13 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-13 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-13 40552]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2008-9-18 472832]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-13 34248]
S3 ntkvpn;Loki VPN Driver Service;c:\windows\system32\drivers\ntkvpn.sys --> c:\windows\system32\drivers\ntkvpn.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2009-5-31 30368]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\arquivos de programas\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S3 XDva182;XDva182; [x]
S3 XDva212;XDva212; [x]
S4 postgresql-8.4;PostgreSQL Server 8.4;C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "D:/SQL data" -w --> C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]

=============== Created Last 30 ================

2009-09-08 00:04 <DIR> --d----- C:\Gmer
2009-09-03 22:26 4,096 a------- c:\windows\d3dx.dat
2009-09-03 22:25 <DIR> --d----- c:\windows\Kudos 2
2009-08-29 17:06 <DIR> --d----- C:\irvine
2009-08-28 20:01 <DIR> --d----- c:\docume~1\ana\dadosd~1\fizzy
2009-08-28 20:01 <DIR> --dsh--- c:\windows\ftpcache
2009-08-24 19:03 <DIR> --d----- c:\docume~1\ana\dadosd~1\codeblocks
2009-08-24 19:02 <DIR> --d----- c:\arquivos de programas\CodeBlocks
2009-08-22 20:47 <DIR> --d----- c:\docume~1\ana\dadosd~1\Downloaded Installations
2009-08-18 19:52 <DIR> --d----- c:\arquivos de programas\PostgreSQL
2009-08-18 10:01 <DIR> --dsh--- C:\FOUND.001
2009-08-13 21:57 <DIR> --d----- c:\arquivos de programas\Lavalys

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 19:45 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-08-01 19:45 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-07-24 14:34 271,360 a------- c:\windows\system32\drivers\atksgt.sys
2009-07-24 14:34 18,048 a------- c:\windows\system32\drivers\lirsgt.sys
2009-07-16 12:32 120,136 a------- c:\windows\system32\drivers\Mpfp.sys
2009-05-11 16:23 32 a----r-- c:\documents and settings\all users\hash.dat
2009-04-25 21:25 32,520 a------- c:\docume~1\ana\dadosd~1\GDIPFONTCACHEV1.DAT
2009-02-27 21:34 22,328 a------- c:\docume~1\ana\dadosd~1\PnkBstrK.sys

============= FINISH: 11:47:59,90 ===============


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,602 posts
  • ONLINE
  • Gender:Female
  • Location:Romania
  • Local time:01:35 PM

Posted 23 September 2009 - 04:11 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

regards, Elise


#3 razikain

razikain
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:35 AM

Posted 23 September 2009 - 10:29 AM

The problem still exists here. There are gaopdxserv.sys entries in the registry files and I can't remove or modify them, so I'd like to know if I'm still infected or these are just inoffensive remains of gaopdx rootkit, from the time I tried to remove it and apparently did it.

Here is the new DDS log:


DDS (Ver_09-07-30.01) - FAT32x86
Run by ANA at 12:04:50,81 on qua 23/09/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.441 [GMT -3:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
C:\ARQUIV~1\McAfee\MSC\mcmscsvc.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\mna\mcnasvc.exe
c:\ARQUIV~1\ARQUIV~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe
C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe
C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\ARQUIV~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\ANA\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.neopets.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\arquivos de programas\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\arquiv~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\arquiv~1\mcafee\viruss~1\scriptsn.dll
BHO: Auxiliar de Conexão do Windows Live: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\arquivos de programas\arquivos comuns\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\arquiv~1\mcafee\sitead~1\mcieplg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\arquivos de programas\java\jre6\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 9.0 Helper: {e31ce47f-c268-41ba-897b-b415e613947d} - c:\arquivos de programas\microsoft visual studio 9.0\common7\ide\privateassemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\arquivos de programas\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\arquiv~1\mcafee\sitead~1\mcieplg.dll
EB: Web Test Recorder 9.0: {3c7adade-d1e8-45d2-bdcd-7f8d8b99b2a2} - mscoree.dll
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [mcagent_exe] "c:\arquivos de programas\mcafee.com\agent\mcagent.exe" /runkey
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\micros~2\office10\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\arquivos de programas\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\arquiv~1\spybot~1\SDHelper.dll
DPF: Microsoft XML Parser for Java
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - hxxp://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-160-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} - hxxp://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\arquiv~1\mcafee\sitead~1\McIEPlg.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\ana\dadosd~1\mozilla\firefox\profiles\tlvkn5jf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.consulttelecom.com/
FF - component: c:\arquivos de programas\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\arquivos de programas\mozilla firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\arquivos de programas\viewpoint\viewpoint media player\npViewpoint.dll
FF - plugin: c:\arquivos de programas\virtools\3d life player\npvirtools.dll
FF - plugin: c:\documents and settings\all users\dados de aplicativos\id software\quakelive\npquakezero.dll
FF - plugin: c:\documents and settings\all users\dados de aplicativos\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\arquivos de programas\mozilla firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-6-13 214024]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\arquivos de programas\mcafee\siteadvisor\McSACore.exe [2008-10-1 210216]
R2 McProxy;McAfee Proxy Service;c:\arquiv~1\arquiv~1\mcafee\mcproxy\mcproxy.exe [2008-6-13 359952]
R2 McShield;McAfee Real-time Scanner;c:\arquiv~1\mcafee\viruss~1\mcshield.exe [2008-6-13 144704]
R3 McSysmon;McAfee SystemGuards;c:\arquiv~1\mcafee\viruss~1\mcsysmon.exe [2008-6-13 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-6-13 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-6-13 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-6-13 40552]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2008-9-18 472832]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-6-13 34248]
S3 ntkvpn;Loki VPN Driver Service;c:\windows\system32\drivers\ntkvpn.sys --> c:\windows\system32\drivers\ntkvpn.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [2009-5-31 30368]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\arquivos de programas\microsoft visual studio 9.0\team tools\performance tools\VSPerfDrv90.sys [2007-9-4 55664]
S3 XDva182;XDva182; [x]
S3 XDva212;XDva212; [x]
S4 postgresql-8.4;PostgreSQL Server 8.4;C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "D:/SQL data" -w --> C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]

=============== Created Last 30 ================

2009-09-22 17:23 <DIR> --dsh--- C:\FOUND.000
2009-09-19 12:00 <DIR> --d----- c:\arquivos de programas\Paint.NET
2009-09-08 20:47 <DIR> --d----- c:\docume~1\ana\dadosd~1\Safer Networking
2009-09-08 20:47 <DIR> --d----- c:\arquivos de programas\Safer Networking
2009-09-08 00:04 <DIR> --d----- C:\Gmer
2009-09-03 22:26 4,096 a------- c:\windows\d3dx.dat
2009-09-03 22:25 <DIR> --d----- c:\windows\Kudos 2
2009-08-29 17:06 <DIR> --d----- C:\irvine
2009-08-28 20:01 <DIR> --d----- c:\docume~1\ana\dadosd~1\fizzy
2009-08-28 20:01 <DIR> --dsh--- c:\windows\ftpcache
2009-08-24 19:03 <DIR> --d----- c:\docume~1\ana\dadosd~1\codeblocks
2009-08-24 19:02 <DIR> --d----- c:\arquivos de programas\CodeBlocks

==================== Find3M ====================

2009-08-03 13:36 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 13:36 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-08-01 19:45 413,696 a------- c:\windows\system32\wrap_oal.dll
2009-08-01 19:45 110,592 a------- c:\windows\system32\OpenAL32.dll
2009-05-11 16:23 32 a----r-- c:\documents and settings\all users\hash.dat
2009-04-25 21:25 32,520 a------- c:\docume~1\ana\dadosd~1\GDIPFONTCACHEV1.DAT
2009-02-27 21:34 22,328 a------- c:\docume~1\ana\dadosd~1\PnkBstrK.sys

============= FINISH: 12:05:53,60 ===============


#4 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:35 AM

Posted 26 September 2009 - 01:26 AM

Hi razikain,



Welcome to BleepingComputer HijackThis Logs and Malware Removal, :(
My name is sundavis, I will be helping you to deal with your Malware problems today.


Step1

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

Please rename ComboFix.exe to razikain.exe before saving it to your desktop.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Note: ComboFix has recently been updated to include the option for installing the Recovery Console automatically. The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

1. Close/disable all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

2. Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced (or locate it in C:\ComboFix.txt). Please post that log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.


Step2

I notice you have MBAM installed in your system, Please rerun it as instructed in the following. Update your virus definitions before proceeding. If you can't update the program, you can download the virus definitions from Here and install manually.
  • Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM, or you can find it here:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • You can refer to this tutorial
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.


Step3

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the Posted Image icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the Posted Image button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
In your next reply, please post back:


1. ComboFix log
2. MBAM log
3. OTL OTListIt.txt and Extra.txt. Thanks.

#5 razikain

razikain
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:35 AM

Posted 27 September 2009 - 01:18 PM

As requested, here are the logs:

-----COMBOFIX LOG-----------
ComboFix 09-09-25.01 - ANA 27/09/2009 14:38.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.575 [GMT -3:00]
Executando de: c:\documents and settings\ANA\Desktop\razikain.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Dados de aplicativos\Microsoft\MSDN\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Dados de aplicativos\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
c:\documents and settings\All Users\Dados de aplicativos\Microsoft\VSA\9.0\1033\ResourceCache.dll
c:\documents and settings\ANA\Dados de aplicativos\Microsoft\Clip Organizer\mstore10.mgc
c:\documents and settings\ANA\Dados de aplicativos\Microsoft\Clip Organizer\Offic10.MGC
c:\windows\Installer\354d2b6.msi
c:\windows\Installer\354d2b7.msp
c:\windows\Installer\354d2b8.msp
c:\windows\Installer\354d2b9.msp
c:\windows\Installer\354d2ba.msp
c:\windows\Installer\354d2bb.msp
c:\windows\Installer\354d2bc.msp
c:\windows\Installer\354d2bd.msp
c:\windows\Installer\354d2be.msp
c:\windows\Installer\354d2bf.msp
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-27 to 2009-09-27 ))))))))))))))))))))))))))))
.

2009-09-25 23:14 . 2009-09-25 23:14 -------- d-----w- c:\arquivos de programas\DNA
2009-09-24 21:09 . 2009-09-24 21:09 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\Thinstall
2009-09-24 20:00 . 2009-09-24 20:00 -------- d-----w- C:\emu8086
2009-09-23 20:18 . 2009-09-23 20:18 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\PMB Files
2009-09-23 19:38 . 2009-09-23 19:38 -------- d-----w- c:\arquivos de programas\Pando Networks
2009-09-22 20:23 . 2009-09-22 20:23 -------- d-----w- C:\FOUND.000
2009-09-19 15:00 . 2009-09-19 15:00 -------- d-----w- c:\arquivos de programas\Paint.NET
2009-09-08 23:47 . 2009-09-08 23:47 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\Safer Networking
2009-09-08 23:47 . 2009-09-08 23:47 -------- d-----w- c:\arquivos de programas\Safer Networking
2009-09-08 03:04 . 2009-09-08 03:04 -------- d-----w- C:\Gmer
2009-09-04 01:26 . 2009-09-04 01:26 4096 ----a-w- c:\windows\d3dx.dat
2009-09-04 01:25 . 2009-09-04 01:25 -------- d-----w- c:\windows\Kudos 2
2009-08-29 20:06 . 2009-08-29 20:06 -------- d-----w- C:\irvine
2009-08-28 23:01 . 2009-08-28 23:01 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\fizzy
2009-08-28 23:01 . 2009-08-28 23:01 -------- d-sh--w- c:\windows\ftpcache

.
((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-08 00:17 . 2008-07-02 01:16 78 ----a-w- c:\windows\popcinfo.dat
2009-08-24 22:03 . 2009-08-24 22:03 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\codeblocks
2009-08-24 22:02 . 2009-08-24 22:02 -------- d-----w- c:\arquivos de programas\CodeBlocks
2009-08-22 23:47 . 2009-08-22 23:47 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\Downloaded Installations
2009-08-18 22:52 . 2009-08-18 22:52 -------- d-----w- c:\arquivos de programas\PostgreSQL
2009-08-14 00:57 . 2009-08-14 00:57 -------- d-----w- c:\arquivos de programas\Lavalys
2009-08-03 16:36 . 2009-02-04 04:41 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 16:36 . 2009-02-04 04:41 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 22:45 . 2009-08-01 20:59 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-08-01 22:45 . 2009-08-01 20:59 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-08-01 20:59 . 2009-08-01 20:59 -------- d-----w- c:\arquivos de programas\OpenAL
2009-07-24 17:34 . 2009-07-24 17:34 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-07-24 17:34 . 2009-07-24 17:34 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-07-16 15:32 . 2008-06-13 19:58 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-08 16:44 . 2008-06-13 19:58 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 16:44 . 2008-06-13 19:58 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 16:44 . 2008-06-13 19:58 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 16:44 . 2008-06-13 19:58 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 16:43 . 2008-06-13 19:58 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

(((((((((((((((((((((((((( Registry Loading Points )))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries and legitimate default entries are not shown.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"mcagent_exe"="c:\arquivos de programas\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=2 (0x2)
"postgresql-8.4"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Arquivos de programas\\Messenger\\MSMSGS.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Java\\jdk1.6.0_07\\jre\\bin\\java.exe"=
"c:\\Arquivos de programas\\Java\\jre1.6.0_07\\bin\\JAVA.EXE"=
"c:\\Arquivos de programas\\Java\\jdk1.6.0_07\\bin\\java.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Everton\\Jogos\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\McAfee\\MNA\\McNASvc.exe"=
"d:\\Everton\\Jogos\\DeSmuME\\desmume.exe"=
"c:\\Arquivos de programas\\Pando Networks\\Media Booster\\PMB.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"37500:TCP"= 37500:TCP:*:Disabled:eMule TCP
"64615:UDP"= 64615:UDP:*:Disabled:eMule UDP
"56396:TCP"= 56396:TCP:Pando Media Booster
"56396:UDP"= 56396:UDP:Pando Media Booster

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\arquivos de programas\McAfee\SiteAdvisor\McSACore.exe [1/10/2008 18:37 210216]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [18/9/2008 11:52 472832]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 ntkvpn;Loki VPN Driver Service;c:\windows\system32\DRIVERS\ntkvpn.sys --> c:\windows\system32\DRIVERS\ntkvpn.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [31/5/2009 22:59 30368]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\arquivos de programas\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [4/9/2007 16:53 55664]
S3 XDva182;XDva182; [x]
S3 XDva212;XDva212; [x]
S4 postgresql-8.4;PostgreSQL Server 8.4;C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "D:/SQL data" -w --> C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\arquiv~1\mcafee\mqc\QcConsol.exe [2008-06-13 00:26]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\arquiv~1\mcafee\mqc\QcConsol.exe [2008-06-13 00:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.neopets.com/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
DPF: Microsoft XML Parser for Java
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\ANA\Dados de aplicativos\Mozilla\Firefox\Profiles\tlvkn5jf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.consulttelecom.com/
FF - component: c:\arquivos de programas\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npPandoWebInst.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\arquivos de programas\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 14:41
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\postgresql-8.4]
"ImagePath"="C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"D:/SQL data\" -w"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\postgresql-8.4]
"ImagePath"="C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"D:/SQL data\" -w"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2961934205-3705214266-2768459241-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{93E722CE-A754-F9D8-F551-B5837CB7D7F2}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"gaobmokledjadp"=hex:63,61,6f,6e,6b,69,00,7e

[HKEY_USERS\S-1-5-21-2961934205-3705214266-2768459241-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bc,b9,2a,1a,e5,30,5d,b0,95,d9,3c,f1,aa,cd,02,b8,c5,06,95,11,19,16,7d,
17,8e,de,7e,2e,d8,17,96,72,9f,18,31,e1,3c,7e,02,2c,57,1f,f6,13,74,27,7b,b2,\
"??"=hex:9b,d8,a6,5c,cb,f6,80,6f,e9,d8,66,55,b0,5c,92,f0

[HKEY_USERS\S-1-5-21-2961934205-3705214266-2768459241-1004\Software\SecuROM\License information*]
"datasecu"=hex:39,40,fd,a6,e5,54,68,9b,d7,56,8e,ed,eb,d8,07,1a,8c,ae,13,99,6e,
53,c0,a9,8f,41,7f,32,20,a2,a0,5f,a1,05,93,4f,c7,0d,60,b3,e5,f5,8c,1a,58,2f,\
"rkeysecu"=hex:3f,11,30,43,27,d1,bc,71,63,10,70,47,50,3d,4a,d7
.
Completion time: 2009-09-27 14:43
ComboFix-quarantined-files.txt 2009-09-27 17:43

Pre-Run: 19 folder(s) 14,864,973,824 bytes free
Post-Run: 23 folder(s) 15,024,717,824 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
247 --- E O F --- 2008-11-07 18:03

------END OF COMBOFIX LOG-------------

----MBAM LOG--------

Malwarebytes' Anti-Malware 1.41
Database version: 2865
Windows 5.1.2600 Service Pack 3

27/9/2009 15:04:13
mbam-log-2009-09-27 (15-04-13).txt

Scan type: Quick Scan
Objects scanned: 111527
Time elapsed: 8 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----END OF MBAM LOG----

---OTL LOG---

OTL logfile created on: 27/9/2009 15:06:56 - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\ANA\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy

1022,73 Mb Total Physical Memory | 478,66 Mb Available Physical Memory | 46,80% Memory free
2,03 Gb Paging File | 1,60 Gb Available in Paging File | 78,81% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 37,30 Gb Total Space | 14,00 Gb Free Space | 37,52% Space Free | Partition Type: FAT32
Drive D: | 74,53 Gb Total Space | 15,52 Gb Free Space | 20,82% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 4,18 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
Drive G: | 1,07 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive H: | 1023,09 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: UDF
I: Drive not present or media not loaded

Computer Name: PROMETHEUS
Current User Name: ANA
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2009/07/10 00:26:20 | 00,645,328 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe
PRC - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/07/10 00:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\MSC\mcmscsvc.exe
PRC - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Arquivos de programas\Arquivos comuns\McAfee\MNA\McNASvc.exe
PRC - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Arquivos de programas\Arquivos comuns\McAfee\McProxy\McProxy.exe
PRC - [2009/07/08 13:43:40 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\VirusScan\Mcshield.exe
PRC - [2009/07/10 03:26:42 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe
PRC - [2008/05/03 05:46:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe
PRC - [2005/01/28 01:36:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe
PRC - [2008/04/13 22:21:00 | 01,035,776 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2009/07/08 13:11:52 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\VirusScan\mcsysmon.exe
PRC - [2009/09/11 18:18:28 | 00,307,704 | ---- | M] (Mozilla Corporation) -- C:\Arquivos de programas\Mozilla Firefox\firefox.exe
PRC - [2009/09/27 15:05:48 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ANA\Desktop\OTL.exe

========== Win32 Services (SafeList) ==========

SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])
SRV - [2007/10/09 12:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])
SRV - [2008/04/13 22:20:38 | 00,038,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])
SRV - [2004/10/22 03:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
SRV - [2007/10/11 09:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [Unknown | Stopped])
SRV - [2009/05/31 20:44:56 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Arquivos de programas\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Disabled | Stopped])
SRV - [2009/02/11 11:06:36 | 00,210,216 | ---- | M] () -- C:\Arquivos de programas\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service [Auto | Running])
SRV - [2009/07/10 00:26:20 | 00,865,832 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\MSC\mcmscsvc.exe -- (mcmscsvc [Auto | Running])
SRV - [2009/07/07 19:10:02 | 02,482,848 | ---- | M] (McAfee, Inc.) -- c:\Arquivos de programas\Arquivos comuns\McAfee\MNA\McNASvc.exe -- (McNASvc [Auto | Running])
SRV - [2009/07/08 15:15:04 | 00,365,072 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\VirusScan\mcods.exe -- (McODS [On_Demand | Stopped])
SRV - [2009/07/08 11:54:34 | 00,359,952 | ---- | M] (McAfee, Inc.) -- c:\Arquivos de programas\Arquivos comuns\McAfee\McProxy\McProxy.exe -- (McProxy [Auto | Running])
SRV - [2009/07/08 13:43:40 | 00,144,704 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\VirusScan\Mcshield.exe -- (McShield [Unknown | Running])
SRV - [2009/07/08 13:11:52 | 00,606,736 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\VirusScan\mcsysmon.exe -- (McSysmon [On_Demand | Running])
SRV - [2009/07/10 03:26:42 | 00,894,136 | ---- | M] (McAfee, Inc.) -- C:\Arquivos de programas\McAfee\MPF\MPFSrv.exe -- (MpfService [Auto | Running])
SRV - [2007/02/10 11:29:54 | 29,178,224 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe -- (MSSQL$SQLEXPRESS [Disabled | Stopped])
SRV - [2005/10/14 08:50:20 | 00,045,272 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqladhlp90.exe -- (MSSQLServerADHelper [Disabled | Stopped])
SRV - [2007/11/07 08:58:18 | 03,004,416 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Microsoft Visual Studio 9.0\Common7\IDE\Remote Debugger\x86\msvsmon.exe -- (msvsmon90 [Disabled | Stopped])
SRV - [2006/11/08 16:35:36 | 00,043,520 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZinw12.dll -- (Net Driver HPZ12 [Auto | Running])
SRV - [2007/10/11 09:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])
SRV - File not found -- -- (NMIndexingService [Disabled | Stopped])
SRV - [2009/07/15 16:38:56 | 03,223,416 | ---- | M] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des -- (npggsvc [On_Demand | Stopped])
SRV - File not found -- -- (npkcmsvc [Auto | Stopped])
SRV - [2008/05/03 05:46:00 | 00,159,812 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\nvsvc32.exe -- (NVSvc [Auto | Running])
SRV - [2006/10/26 14:03:08 | 00,145,184 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])
SRV - [2006/11/08 16:35:38 | 00,053,248 | ---- | M] (Hewlett-Packard) -- C:\WINDOWS\System32\HPZipm12.dll -- (Pml Driver HPZ12 [Auto | Running])
SRV - [2009/06/27 18:24:48 | 00,066,048 | ---- | M] (PostgreSQL Global Development Group) -- C:\Arquivos de programas\PostgreSQL\8.4\bin\pg_ctl.exe -- (postgresql-8.4 [Disabled | Stopped])
SRV - [2007/02/10 11:29:48 | 00,242,544 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlbrowser.exe -- (SQLBrowser [Disabled | Stopped])
SRV - [2007/02/10 05:29:56 | 00,089,968 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Microsoft SQL Server\90\Shared\sqlwriter.exe -- (SQLWriter [Disabled | Stopped])
SRV - [2005/01/28 01:36:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\System32\wdfmgr.exe -- (UMWdf [Auto | Running])
SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

========== Driver Services (SafeList) ==========

DRV - [2006/10/16 00:58:36 | 00,472,832 | ---- | M] (D-Link Corporation) -- C:\WINDOWS\System32\DRIVERS\A3AB.sys -- (A3AB [On_Demand | Stopped])
DRV - [2002/04/01 14:15:00 | 00,004,816 | R--- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\System32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
DRV - [2009/07/24 14:34:14 | 00,271,360 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\atksgt.sys -- (atksgt [Auto | Running])
DRV - [2008/06/28 09:04:20 | 00,223,128 | ---- | M] () -- C:\WINDOWS\System32\Drivers\dtscsi.sys -- (dtscsi [On_Demand | Running])
DRV - [2005/05/03 12:34:04 | 00,027,392 | ---- | M] (SlySoft, Inc.) -- C:\WINDOWS\System32\Drivers\ElbyCDFL.sys -- (ElbyCDFL [On_Demand | Running])
DRV - [2005/04/21 08:40:38 | 00,010,624 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\System32\Drivers\ElbyCDIO.sys -- (ElbyCDIO [Auto | Running])
DRV - [2007/03/08 01:20:48 | 00,049,920 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZid412.sys -- (HPZid412 [On_Demand | Stopped])
DRV - [2007/03/08 01:20:50 | 00,016,496 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZipr12.sys -- (HPZipr12 [On_Demand | Stopped])
DRV - [2007/03/08 01:20:50 | 00,021,568 | R--- | M] (HP) -- C:\WINDOWS\System32\DRIVERS\HPZius12.sys -- (HPZius12 [On_Demand | Stopped])
DRV - [2009/07/24 14:34:12 | 00,018,048 | ---- | M] () -- C:\WINDOWS\System32\DRIVERS\lirsgt.sys -- (lirsgt [Auto | Running])
DRV - [2009/07/08 13:44:20 | 00,079,816 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfeavfk.sys -- (mfeavfk [On_Demand | Running])
DRV - [2009/07/08 13:44:20 | 00,035,272 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfebopk.sys -- (mfebopk [On_Demand | Running])
DRV - [2009/07/08 13:44:20 | 00,214,024 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfehidk.sys -- (mfehidk [System | Running])
DRV - [2009/07/08 13:43:46 | 00,034,248 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mferkdk.sys -- (mferkdk [On_Demand | Stopped])
DRV - [2009/07/08 13:44:20 | 00,040,552 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\drivers\mfesmfk.sys -- (mfesmfk [On_Demand | Running])
DRV - [2009/07/16 12:32:26 | 00,120,136 | ---- | M] (McAfee, Inc.) -- C:\WINDOWS\System32\Drivers\Mpfp.sys -- (MPFP [System | Running])
DRV - [2008/05/03 05:46:00 | 06,554,496 | ---- | M] (NVIDIA Corporation) -- C:\WINDOWS\System32\DRIVERS\nv4_mini.sys -- (nv [On_Demand | Running])
DRV - [2001/10/28 18:07:22 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\System32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])
DRV - [2007/03/07 20:51:00 | 00,043,528 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\System32\Drivers\PxHelp20.sys -- (PxHelp20 [Boot | Running])
DRV - [2008/04/13 12:39:18 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\System32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])
DRV - [2007/07/07 08:11:38 | 00,076,288 | ---- | M] (Rainbow Technologies, Inc.) -- C:\WINDOWS\System32\Drivers\SENTINEL.SYS -- (Sentinel [Auto | Running])
DRV - [2008/04/13 09:35:40 | 00,032,768 | ---- | M] (SiS Corporation) -- C:\WINDOWS\System32\DRIVERS\sisnic.sys -- (SISNIC [On_Demand | Running])
DRV - [2003/12/09 15:43:36 | 00,045,568 | R--- | M] (Silicon Integrated Systems) -- C:\WINDOWS\system32\DRIVERS\SiSRaid.sys -- (SiSRaid [Boot | Running])
DRV - [2003/08/29 15:09:00 | 00,578,304 | R--- | M] (Analog Devices, Inc.) -- C:\WINDOWS\System32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
DRV - [2008/06/28 09:02:32 | 00,643,072 | ---- | M] () -- C:\WINDOWS\System32\Drivers\sptd.sys -- (sptd [Boot | Running])
DRV - [2006/07/16 22:53:20 | 00,030,368 | R--- | M] () -- C:\WINDOWS\System32\Drivers\usb2vcom.sys -- (usb2vcom [On_Demand | Stopped])
DRV - [2007/09/04 16:53:34 | 00,055,664 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys -- (VSPerfDrv90 [On_Demand | Stopped])

========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...ER}&ar=home
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
IE - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
IE - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\S-1-5-21-2961934205-3705214266-2768459241-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.consulttelecom.com/"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}:6.0.07
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:2.9
FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.14
FF - prefs.js..network.proxy.backup.ftp: ""
FF - prefs.js..network.proxy.backup.ftp_port: 0
FF - prefs.js..network.proxy.backup.gopher: ""
FF - prefs.js..network.proxy.backup.gopher_port: 0
FF - prefs.js..network.proxy.backup.socks: ""
FF - prefs.js..network.proxy.backup.socks_port: 0
FF - prefs.js..network.proxy.backup.ssl: ""
FF - prefs.js..network.proxy.backup.ssl_port: 0
FF - prefs.js..network.proxy.ftp: "coral.ufscar.br"
FF - prefs.js..network.proxy.ftp_port: 3128
FF - prefs.js..network.proxy.gopher: "coral.ufscar.br"
FF - prefs.js..network.proxy.gopher_port: 3128
FF - prefs.js..network.proxy.http: "coral.ufscar.br"
FF - prefs.js..network.proxy.http_port: 3128
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "coral.ufscar.br"
FF - prefs.js..network.proxy.socks_port: 3128
FF - prefs.js..network.proxy.ssl: "coral.ufscar.br"
FF - prefs.js..network.proxy.ssl_port: 3128

FF - HKLM\software\mozilla\Firefox\Extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Arquivos de programas\McAfee\SiteAdvisor [2008/10/01 18:37:08 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com: C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ff [2009/05/31 20:44:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Components: C:\Arquivos de programas\Mozilla Firefox\components [2008/06/27 22:21:12 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.14\extensions\\Plugins: C:\Arquivos de programas\Mozilla Firefox\plugins [2008/06/27 22:21:12 | 00,000,000 | ---D | M]

[2009/01/27 14:06:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ANA\Dados de aplicativos\mozilla\Extensions
[2009/01/27 14:06:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ANA\Dados de aplicativos\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2009/01/27 14:06:32 | 00,000,000 | ---D | M] -- C:\Documents and Settings\ANA\Dados de aplicativos\mozilla\Firefox\Profiles\tlvkn5jf.default\extensions
[2008/06/27 22:21:12 | 00,000,000 | ---D | M] -- C:\Arquivos de programas\mozilla firefox\extensions
[2009/01/27 14:06:22 | 00,000,000 | ---D | M] -- C:\Arquivos de programas\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2008/09/28 14:16:26 | 00,000,000 | ---D | M] -- C:\Arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/05/31 20:45:48 | 00,000,000 | ---D | M] -- C:\Arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/09/11 18:18:28 | 00,023,032 | ---- | M] (Mozilla Foundation) -- C:\Arquivos de programas\mozilla firefox\components\browserdirprovider.dll
[2009/09/11 18:18:28 | 00,134,648 | ---- | M] (Mozilla Foundation) -- C:\Arquivos de programas\mozilla firefox\components\brwsrcmp.dll
[2008/06/30 18:33:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\npqtplugin.dll
[2008/06/30 18:33:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\npqtplugin2.dll
[2008/06/30 18:33:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\npqtplugin3.dll
[2008/06/30 18:33:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\npqtplugin4.dll
[2008/06/30 18:33:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\npqtplugin5.dll
[2008/06/30 18:33:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\npqtplugin6.dll
[2008/06/30 18:33:54 | 00,143,360 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\npqtplugin7.dll
[2006/09/26 13:03:14 | 00,098,304 | ---- | M] (Zylom) -- C:\Arquivos de programas\mozilla firefox\plugins\npzylomgamesplayer.dll
[2008/10/12 18:23:40 | 00,081,920 | ---- | M] (RealNetworks, Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\nprpjplug.dll
[2008/10/12 18:23:44 | 00,144,984 | ---- | M] (RealNetworks, Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\nppl3260.dll
[2008/10/12 18:23:54 | 00,024,576 | ---- | M] (RealNetworks, Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\nprjplug.dll
[2008/11/24 14:35:00 | 00,114,688 | ---- | M] (Adobe Systems, Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\np32dsw.dll
[2009/05/31 20:44:56 | 00,410,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Arquivos de programas\mozilla firefox\plugins\npdeploytk.dll
[2009/09/11 18:18:30 | 00,065,528 | ---- | M] (mozilla.org) -- C:\Arquivos de programas\mozilla firefox\plugins\npnul32.dll
[2009/09/23 17:16:44 | 00,238,776 | ---- | M] (Pando Networks) -- C:\Arquivos de programas\mozilla firefox\plugins\npPandoWebInst.dll
[2009/02/06 02:37:02 | 00,001,027 | ---- | M] () -- C:\Arquivos de programas\mozilla firefox\searchplugins\buscape.xml
[2009/02/06 02:37:02 | 00,001,706 | ---- | M] () -- C:\Arquivos de programas\mozilla firefox\searchplugins\google.xml
[2009/02/06 02:37:02 | 00,001,135 | ---- | M] () -- C:\Arquivos de programas\mozilla firefox\searchplugins\mercadolivre.xml
[2009/02/06 02:37:02 | 00,001,168 | ---- | M] () -- C:\Arquivos de programas\mozilla firefox\searchplugins\wikipedia-br.xml
[2009/02/06 02:37:02 | 00,000,648 | ---- | M] () -- C:\Arquivos de programas\mozilla firefox\searchplugins\yahoo-br.xml

O1 HOSTS File: (327052 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 11214 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (scriptproxy) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\Arquivos de programas\McAfee\VirusScan\scriptsn.dll (McAfee, Inc.)
O2 - BHO: (Auxiliar de Conexão do Windows Live) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Arquivos de programas\McAfee\SiteAdvisor\McIEPlg.dll ()
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (Microsoft Web Test Recorder 9.0 Helper) - {E31CE47F-C268-41ba-897B-B415E613947D} - C:\Arquivos de programas\Microsoft Visual Studio 9.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO90.dll (Microsoft Corporation)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Arquivos de programas\McAfee\SiteAdvisor\McIEPlg.dll ()
O4 - HKLM..\Run: [mcagent_exe] C:\Arquivos de programas\McAfee.com\Agent\mcagent.exe (McAfee, Inc.)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Arquivos de programas\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0
O7 - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - C:\Arquivos de programas\Microsoft Office\Office10\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - Reg Error: Value error. File not found
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\WINDOWS\System32\rsvpsp.dll (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 59 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\.DEFAULT\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-18\..Trusted Domains: 57 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-19\..Trusted Domains: 43 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-20\..Trusted Domains: 43 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-2961934205-3705214266-2768459241-1004\..Trusted Domains: 64 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwa...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab (Checkers Class)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} http://gfx2.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab (MSN Photo Upload Tool)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_07)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} http://messenger.zone.msn.com/binary/MineS...er.cab56986.cab (Minesweeper Flags Class)
O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} http://secure.gopetslive.com/dev/GoPetsWeb.cab (GoPetsWeb Control)
O16 - DPF: Microsoft XML Parser for Java Reg Error: Value error. (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 10.1.106.1 172.16.61.251 172.16.61.252
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\OLE DB\msdaipp.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Arquivos de programas\McAfee\SiteAdvisor\McIEPlg.dll ()
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\Explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Minha página inicial atual) - About:Home
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/06/13 15:26:38 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]
O32 - AutoRun File - [2005/11/21 14:26:21 | 00,000,057 | R--- | M] () - F:\autorun.inf -- [ UDF ]
O32 - AutoRun File - [2006/09/26 20:01:19 | 00,000,030 | R--- | M] () - G:\autorun.inf -- [ CDFS ]
O32 - AutoRun File - [2006/11/02 05:59:40 | 00,000,030 | R--- | M] () - H:\autorun.inf -- [ UDF ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found

========== Files/Folders - Created Within 30 Days ==========

[2009/09/27 15:05:37 | 00,514,560 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\ANA\Desktop\OTL.exe
[2009/09/27 14:37:19 | 00,000,211 | ---- | C] () -- C:\Boot.bak
[2009/09/27 14:37:17 | 00,261,856 | ---- | C] () -- C:\cmldr
[2009/09/27 14:37:17 | 00,000,000 | RHSD | C] -- C:\cmdcons
[2009/09/27 14:34:25 | 00,229,888 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2009/09/27 14:34:25 | 00,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2009/09/27 14:34:25 | 00,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2009/09/27 14:34:25 | 00,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2009/09/27 14:34:25 | 00,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2009/09/27 14:34:25 | 00,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2009/09/27 14:34:25 | 00,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2009/09/27 14:34:25 | 00,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2009/09/27 14:34:10 | 00,000,000 | ---D | C] -- C:\razikain
[2009/09/27 14:33:59 | 00,000,000 | ---D | C] -- C:\Qoobox
[2009/09/26 21:52:07 | 00,054,784 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Cálculo dos Pontos de Função.ppt
[2009/09/26 11:16:59 | 03,223,416 | ---- | C] (INCA Internet Co., Ltd.) -- C:\WINDOWS\System32\GameMon.des
[2009/09/25 22:32:29 | 00,120,715 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Problema Eletronico.rar
[2009/09/25 20:14:16 | 00,000,000 | ---D | C] -- C:\Arquivos de programas\DNA
[2009/09/24 18:09:22 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documentos\Downloaded Data Sheets
[2009/09/24 18:09:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Dados de aplicativos\Thinstall
[2009/09/24 18:09:20 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Configurações locais\Dados de aplicativos\Thinstall
[2009/09/24 17:01:19 | 00,000,006 | ---- | C] () -- C:\emu8086.io
[2009/09/24 17:00:15 | 00,001,274 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\emu8086.lnk
[2009/09/24 17:00:11 | 00,389,120 | ---- | C] (WinMain Software (http://www.winmain.com)) -- C:\WINDOWS\System32\cmax20.ocx
[2009/09/24 17:00:06 | 00,000,000 | ---D | C] -- C:\emu8086
[2009/09/23 17:18:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Configurações locais\Dados de aplicativos\PMB Files
[2009/09/23 17:18:09 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dados de aplicativos\PMB Files
[2009/09/23 16:38:53 | 00,000,000 | ---D | C] -- C:\Arquivos de programas\Pando Networks
[2009/09/23 12:08:41 | 00,003,158 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Attach.zip
[2009/09/22 17:23:44 | 00,000,000 | ---D | C] -- C:\FOUND.000
[2009/09/21 01:00:22 | 00,074,240 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Planejamento.doc
[2009/09/20 15:06:05 | 02,509,824 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Apresentação.ppt
[2009/09/20 15:06:05 | 00,355,840 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Documento.doc
[2009/09/20 15:00:49 | 01,962,230 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Trabalho.rar
[2009/09/20 14:34:23 | 00,011,834 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\assassin avatar close.JPG
[2009/09/20 14:25:55 | 00,007,772 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\assassin avatar short.JPG
[2009/09/20 14:24:09 | 00,011,011 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\assassin avatar long.JPG
[2009/09/19 12:00:12 | 00,000,000 | ---D | C] -- C:\Arquivos de programas\Paint.NET
[2009/09/19 12:00:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Configurações locais\Dados de aplicativos\Paint.NET
[2009/09/19 09:19:55 | 00,030,094 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\Awesome_Face_bigger.png
[2009/09/16 20:28:38 | 00,059,207 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\PEDO SANTA.JPG
[2009/09/14 22:36:10 | 00,014,293 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\task_manager.gif
[2009/09/13 21:50:34 | 00,607,744 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\20090914 - Escopo - Diagrama de Classes - Modelo de Processo.ppt
[2009/09/13 20:31:47 | 00,037,888 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\tabelas.xls
[2009/09/13 18:47:54 | 03,590,674 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Diagrama de Casos de Uso.bmp
[2009/09/13 18:02:35 | 00,141,841 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\ch10.pdf
[2009/09/13 17:05:10 | 02,072,064 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\MEDClin - Documento de Requisitos - Final.doc
[2009/09/13 17:03:00 | 00,948,736 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\ISI-TB-2009-AVALIACAO-4-GRUPO-05.ppt
[2009/09/08 20:47:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Dados de aplicativos\Safer Networking
[2009/09/08 20:47:36 | 00,000,000 | ---D | C] -- C:\Arquivos de programas\Safer Networking
[2009/09/08 18:28:56 | 00,167,163 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\HUGE facepalm.jpg
[2009/09/08 16:12:48 | 00,148,864 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\Problema Eletronico.zip
[2009/09/08 15:48:37 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Desktop\Problema Eletronico
[2009/09/08 00:04:47 | 00,000,000 | ---D | C] -- C:\Gmer
[2009/09/07 20:38:18 | 00,079,589 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\lucifer.jpg
[2009/09/05 22:07:53 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\ORI
[2009/09/04 21:31:21 | 00,020,093 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\ASCII.pdf
[2009/09/03 22:26:43 | 00,004,096 | ---- | C] () -- C:\WINDOWS\d3dx.dat
[2009/09/03 22:25:19 | 00,000,000 | ---D | C] -- C:\WINDOWS\Kudos 2
[2009/09/01 00:18:13 | 00,025,856 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\CSDLulz.png
[2009/08/30 15:36:20 | 00,207,639 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\CONCORRENTE.JPG
[2009/08/30 15:32:40 | 00,086,017 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\ESPIRAL.JPEG
[2009/08/30 15:29:23 | 00,019,622 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\ESPIRAL.gif
[2009/08/30 15:25:11 | 00,063,900 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\PROTOTIPAGEM.JPG
[2009/08/30 15:22:25 | 00,147,270 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\MODELO RAD.JPG
[2009/08/30 15:19:44 | 00,062,907 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\MODELO INCREMENTAL.JPG
[2009/08/30 15:17:29 | 00,052,261 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\MODELO CASCATA.JPG
[2009/08/30 15:15:07 | 00,064,082 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\PROCESSO UNIFICADO.JPG
[2009/08/30 15:08:55 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Desktop\Trab Eng Software
[2009/08/30 15:03:22 | 00,192,092 | ---- | C] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\FASES PROCESSO UNIFICADO.JPG
[2009/08/29 21:42:31 | 00,026,112 | ---- | C] () -- C:\Documents and Settings\ANA\Desktop\comparação.doc
[2009/08/29 17:06:26 | 00,000,000 | ---D | C] -- C:\irvine
[2009/08/28 20:01:11 | 00,000,000 | ---D | C] -- C:\Documents and Settings\ANA\Dados de aplicativos\fizzy
[2009/08/28 20:01:04 | 00,000,000 | -HSD | C] -- C:\WINDOWS\ftpcache
[2009/07/24 14:34:12 | 00,271,360 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009/07/24 14:34:11 | 00,018,048 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009/05/31 22:59:32 | 00,030,368 | R--- | C] () -- C:\WINDOWS\System32\drivers\usb2vcom.sys
[2009/03/25 09:54:51 | 01,032,582 | ---- | C] () -- C:\WINDOWS\System32\alleg42.dll
[2009/03/14 21:13:22 | 00,000,083 | ---- | C] () -- C:\WINDOWS\wwp.INI
[2008/12/16 14:00:48 | 00,116,224 | ---- | C] () -- C:\WINDOWS\System32\pdfcmnnt.dll
[2008/12/04 14:04:23 | 00,339,968 | ---- | C] () -- C:\WINDOWS\System32\pythoncom25.dll
[2008/12/04 14:04:23 | 00,114,688 | ---- | C] () -- C:\WINDOWS\System32\pywintypes25.dll
[2008/11/30 21:15:17 | 00,000,023 | ---- | C] () -- C:\WINDOWS\BlendSettings.ini
[2008/11/18 21:33:19 | 00,000,033 | ---- | C] () -- C:\WINDOWS\GunzLauncher.INI
[2008/10/09 20:41:48 | 00,000,058 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2008/09/28 00:30:55 | 00,043,520 | ---- | C] () -- C:\WINDOWS\System32\CmdLineExt03.dll
[2008/09/26 22:19:34 | 00,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2008/08/12 10:26:09 | 00,000,000 | ---- | C] () -- C:\WINDOWS\hpqEmlSz.INI
[2008/06/28 09:04:19 | 00,223,128 | ---- | C] () -- C:\WINDOWS\System32\drivers\dtscsi.sys
[2008/06/28 09:02:31 | 00,643,072 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd.sys
[2008/06/28 09:02:31 | 00,096,384 | ---- | C] () -- C:\WINDOWS\System32\drivers\sptd7213.sys
[2008/06/28 00:33:30 | 00,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/06/13 16:15:54 | 00,135,168 | R--- | C] () -- C:\WINDOWS\System32\property.dll
[2008/06/13 16:05:29 | 00,000,566 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2008/06/13 15:47:02 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2008/06/13 15:13:07 | 00,000,494 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2008/06/13 15:12:51 | 00,000,950 | ---- | C] () -- C:\WINDOWS\win.ini
[2008/06/13 15:12:51 | 00,000,227 | ---- | C] () -- C:\WINDOWS\system.ini
[2007/07/23 09:03:32 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2007/07/23 09:03:32 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2007/07/23 09:03:32 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2007/07/23 09:03:30 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2007/07/23 09:03:30 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2007/07/23 09:03:30 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2007/07/23 09:03:30 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2007/07/23 09:03:30 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2007/07/23 09:03:30 | 00,053,248 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2006/01/16 23:19:48 | 01,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/01/16 23:19:48 | 01,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/01/16 23:19:44 | 00,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/01/16 23:19:36 | 00,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/01/16 23:19:34 | 01,486,848 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/01/16 23:19:34 | 00,573,440 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2005/08/30 00:00:00 | 00,781,312 | ---- | C] () -- C:\WINDOWS\System32\RGSS102J.dll
[2005/08/30 00:00:00 | 00,778,752 | ---- | C] () -- C:\WINDOWS\System32\RGSS102E.dll
[2005/08/30 00:00:00 | 00,771,584 | ---- | C] () -- C:\WINDOWS\System32\RGSS100J.dll
[2004/03/30 04:15:02 | 00,051,200 | ---- | C] () -- C:\WINDOWS\System32\ThriXXX010205PNG.dll
[2004/03/30 04:15:01 | 00,056,832 | ---- | C] () -- C:\WINDOWS\System32\ThriXXX015003JP2.dll
[2004/03/30 04:15:01 | 00,023,040 | ---- | C] () -- C:\WINDOWS\System32\ThriXXX010104Z.dll
[2003/05/23 07:08:52 | 00,107,008 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2003/05/23 07:08:52 | 00,020,992 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll

========== Files - Modified Within 30 Days ==========

[2009/09/27 15:05:48 | 00,514,560 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\ANA\Desktop\OTL.exe
[2009/09/27 14:43:38 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/09/27 14:41:50 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/09/27 14:37:20 | 00,000,281 | RHS- | M] () -- C:\boot.ini
[2009/09/27 09:22:44 | 00,065,065 | ---- | M] () -- C:\WINDOWS\System32\Config.MPF
[2009/09/27 09:22:34 | 00,002,262 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/09/27 09:22:06 | 00,031,267 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2009/09/27 09:21:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/09/27 09:21:56 | 10,724,84352 | -HS- | M] () -- C:\hiberfil.sys
[2009/09/27 03:32:12 | 08,600,370 | -H-- | M] () -- C:\Documents and Settings\ANA\Configurações locais\Dados de aplicativos\IconCache.db
[2009/09/27 02:38:38 | 00,020,992 | ---- | M] () -- C:\Documents and Settings\ANA\Configurações locais\Dados de aplicativos\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/09/27 02:21:48 | 00,000,023 | ---- | M] () -- C:\WINDOWS\BlendSettings.ini
[2009/09/26 22:44:30 | 00,054,784 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Cálculo dos Pontos de Função.ppt
[2009/09/26 16:01:12 | 00,037,888 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\tabelas.xls
[2009/09/25 22:32:30 | 00,120,715 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Problema Eletronico.rar
[2009/09/24 17:02:20 | 00,000,006 | ---- | M] () -- C:\emu8086.io
[2009/09/24 17:00:18 | 00,001,274 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\emu8086.lnk
[2009/09/23 12:08:42 | 00,003,158 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Attach.zip
[2009/09/21 01:00:16 | 00,074,240 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Planejamento.doc
[2009/09/20 15:01:22 | 01,962,230 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Trabalho.rar
[2009/09/20 14:34:24 | 00,011,834 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\assassin avatar close.JPG
[2009/09/20 14:25:56 | 00,007,772 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\assassin avatar short.JPG
[2009/09/20 14:24:10 | 00,011,011 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\assassin avatar long.JPG
[2009/09/19 09:19:58 | 00,030,094 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\Awesome_Face_bigger.png
[2009/09/16 20:28:40 | 00,059,207 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\PEDO SANTA.JPG
[2009/09/15 01:38:14 | 00,000,350 | ---- | M] () -- C:\WINDOWS\tasks\McDefragTask.job
[2009/09/14 22:36:12 | 00,014,293 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\task_manager.gif
[2009/09/14 02:12:38 | 00,229,888 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/09/13 23:30:00 | 00,607,744 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\20090914 - Escopo - Diagrama de Classes - Modelo de Processo.ppt
[2009/09/13 18:47:56 | 03,590,674 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Diagrama de Casos de Uso.bmp
[2009/09/13 18:02:36 | 00,141,841 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\ch10.pdf
[2009/09/13 17:06:00 | 02,072,064 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\MEDClin - Documento de Requisitos - Final.doc
[2009/09/13 17:03:22 | 00,948,736 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\ISI-TB-2009-AVALIACAO-4-GRUPO-05.ppt
[2009/09/10 14:54:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009/09/10 14:53:50 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2009/09/08 21:21:58 | 00,000,950 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/09/08 21:21:58 | 00,000,211 | ---- | M] () -- C:\Boot.bak
[2009/09/08 18:28:58 | 00,167,163 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\HUGE facepalm.jpg
[2009/09/08 16:12:50 | 00,148,864 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Problema Eletronico.zip
[2009/09/07 21:17:48 | 00,000,078 | ---- | M] () -- C:\WINDOWS\popcinfo.dat
[2009/09/07 20:38:20 | 00,079,589 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\lucifer.jpg
[2009/09/07 19:06:00 | 00,355,840 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Documento.doc
[2009/09/07 19:05:46 | 02,509,824 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\Apresentação.ppt
[2009/09/04 21:31:14 | 00,020,093 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\ASCII.pdf
[2009/09/03 22:26:44 | 00,004,096 | ---- | M] () -- C:\WINDOWS\d3dx.dat
[2009/09/01 00:18:16 | 00,025,856 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\CSDLulz.png
[2009/08/30 15:36:22 | 00,207,639 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\CONCORRENTE.JPG
[2009/08/30 15:32:42 | 00,086,017 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\ESPIRAL.JPEG
[2009/08/30 15:29:24 | 00,019,622 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\ESPIRAL.gif
[2009/08/30 15:25:12 | 00,063,900 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\PROTOTIPAGEM.JPG
[2009/08/30 15:22:26 | 00,147,270 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\MODELO RAD.JPG
[2009/08/30 15:19:46 | 00,062,907 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\MODELO INCREMENTAL.JPG
[2009/08/30 15:17:32 | 00,052,261 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\MODELO CASCATA.JPG
[2009/08/30 15:15:08 | 00,064,082 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\PROCESSO UNIFICADO.JPG
[2009/08/30 15:03:24 | 00,192,092 | ---- | M] () -- C:\Documents and Settings\ANA\Meus documentos\Backup\Ana\Meus documentos\FASES PROCESSO UNIFICADO.JPG
[2009/08/30 14:14:44 | 00,026,112 | ---- | M] () -- C:\Documents and Settings\ANA\Desktop\comparação.doc
< End of report >

---END OF OTL LOG---

---EXTRA OTL LOG---

OTL Extras logfile created on: 27/9/2009 15:06:56 - Run 1
OTL by OldTimer - Version 3.0.14.0 Folder = C:\Documents and Settings\ANA\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.5512)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy

1022,73 Mb Total Physical Memory | 478,66 Mb Available Physical Memory | 46,80% Memory free
2,03 Gb Paging File | 1,60 Gb Available in Paging File | 78,81% Paging File free
Paging file location(s): C:\pagefile.sys 1152 2304 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 37,30 Gb Total Space | 14,00 Gb Free Space | 37,52% Space Free | Partition Type: FAT32
Drive D: | 74,53 Gb Total Space | 15,52 Gb Free Space | 20,82% Space Free | Partition Type: NTFS
E: Drive not present or media not loaded
Drive F: | 4,18 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: UDF
Drive G: | 1,07 Gb Total Space | 0,00 Gb Free Space | 0,00% Space Free | Partition Type: CDFS
Drive H: | 1023,09 Mb Total Space | 0,00 Mb Free Space | 0,00% Space Free | Partition Type: UDF
I: Drive not present or media not loaded

Computer Name: PROMETHEUS
Current User Name: ANA
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- C:\WINDOWS\hh.exe (Microsoft Corporation)
.html [@ = htmlfile] -- C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-2961934205-3705214266-2768459241-1004\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Arquivos de programas\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 (Microsoft Corporation)
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- "C:\Arquivos de programas\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- "C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Arquivos de programas\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Directory [AddToPlaylistVLC] -- C:\Arquivos de programas\VideoLAN\VLC\vlc.exe --started-from-file --playlist-enqueue "%1" ()
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- C:\Arquivos de programas\VideoLAN\VLC\vlc.exe --started-from-file --no-playlist-enqueue "%1" ()
Directory [Winamp.Bookmark] -- "C:\Arquivos de programas\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Arquivos de programas\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Arquivos de programas\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"UpdatesDisableNotify" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"56396:TCP" = 56396:TCP:*:Enabled:Pando Media Booster
"56396:UDP" = 56396:UDP:*:Enabled:Pando Media Booster

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
"3389:TCP" = 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"37500:TCP" = 37500:TCP:*:Disabled:eMule TCP
"64615:UDP" = 64615:UDP:*:Disabled:eMule UDP
"56396:TCP" = 56396:TCP:*:Enabled:Pando Media Booster
"56396:UDP" = 56396:UDP:*:Enabled:Pando Media Booster

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Arquivos de programas\Windows Live\Messenger\wlcsdk.exe" = C:\Arquivos de programas\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" = C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe" = C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Arquivos de programas\Messenger\MSMSGS.EXE" = C:\Arquivos de programas\Messenger\MSMSGS.EXE:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\WINDOWS\Network Diagnostic\xpnetdiag.exe" = C:\WINDOWS\Network Diagnostic\xpnetdiag.exe:*:Disabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Arquivos de programas\Java\jdk1.6.0_07\jre\bin\java.exe" = C:\Arquivos de programas\Java\jdk1.6.0_07\jre\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Arquivos de programas\Java\jre1.6.0_07\bin\JAVA.EXE" = C:\Arquivos de programas\Java\jre1.6.0_07\bin\JAVA.EXE:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Arquivos de programas\Java\jdk1.6.0_07\bin\java.exe" = C:\Arquivos de programas\Java\jdk1.6.0_07\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Arquivos de programas\Mozilla Firefox\firefox.exe" = C:\Arquivos de programas\Mozilla Firefox\firefox.exe:*:Enabled:Firefox -- (Mozilla Corporation)
"C:\Arquivos de programas\uTorrent\uTorrent.exe" = C:\Arquivos de programas\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Arquivos de programas\eMule\emule.exe" = C:\Arquivos de programas\eMule\emule.exe:*:Enabled:eMule -- (http://www.emule-project.net)
"C:\Arquivos de programas\Windows Live\Messenger\wlcsdk.exe" = C:\Arquivos de programas\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" = C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"D:\Everton\Jogos\UnrealTournament\System\UnrealTournament.exe" = D:\Everton\Jogos\UnrealTournament\System\UnrealTournament.exe:*:Enabled:UnrealTournament -- ()
"C:\Arquivos de programas\InterVideo\DVD5\WinDVD.exe" = C:\Arquivos de programas\InterVideo\DVD5\WinDVD.exe:*:Disabled:WinDVD -- (InterVideo Inc.)
"C:\Arquivos de programas\Arquivos comuns\McAfee\MNA\McNASvc.exe" = C:\Arquivos de programas\Arquivos comuns\McAfee\MNA\McNASvc.exe:*:Enabled:McAfee Network Agent -- (McAfee, Inc.)
"D:\Everton\Jogos\DeSmuME\desmume.exe" = D:\Everton\Jogos\DeSmuME\desmume.exe:*:Disabled:desmume -- ()
"C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe" = C:\Arquivos de programas\Pando Networks\Media Booster\PMB.exe:*:Enabled:Pando Media Booster -- ()


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{05EC21B8-4593-3037-A781-A6B5AFFCB19D}" = Microsoft Windows SDK for Visual Studio 2008 .NET Framework Tools
"{08CA9554-B5FE-4313-938F-D4A417B81175}" = QuickTime
"{0B533F34-22BA-4301-BAF8-EA1CEDB06F9E}" = Quake Live Mozilla Plugin
"{14C87AA7-08E6-419F-A165-998EBE5023D7}" = Oblivion - Knights of the Nine
"{16D919E6-F019-4E15-BFBE-4A85EF19DA57}" = Oblivion - Spell Tomes
"{1B399A41-C1D0-40A2-9E4F-095868EFAF01}" = InterVideo WinDVD Platinum 5
"{1BC4026B-1957-4514-9058-2B542557F143}" = Opera 9.63
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Ferramenta de Carregamento do Windows Live
"{212748BB-0DA5-46DE-82A1-403736DC9F27}" = MSVC80_x86
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{241F2BF7-69EB-42A4-9156-96B2426C7504}" = Microsoft SQL Server Compact 3.5 for Devices ENU
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{2750B389-A2D2-4953-99CA-27C1F2A8E6FD}" = Microsoft SQL Server 2005 Tools Express Edition
"{291B3A3B-F808-45B8-8113-DF232FCB6C82}" = Microsoft .NET Compact Framework 3.5
"{296B2D8E-CE82-92AF-B2E8-A646E7CB78A2}_is1" = RegAlyzer
"{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}" = Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1
"{2E5C075E-11AB-4BDD-918C-7B9A68953FF8}" = Microsoft SQL Server Compact 3.5 Design Tools ENU
"{2F2E3D62-8B8C-448F-8900-451325E50948}" = Oblivion - Wizard's Tower
"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0160070}" = Java™ SE Development Kit 6 Update 7
"{32BC546A-8AA3-4239-AE92-9CF3291C35A6}" = Windows Live Call
"{350C9416-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35CB6715-41F8-4F99-8881-6FC75BF054B0}" = Oblivion
"{388E4B09-3E71-4649-8921-F44A3A2954A7}" = Microsoft Visual Studio 2005 Tools for Office Runtime
"{3A762A82-618D-3CAA-B847-D074ABFA0B2E}" = MSDN Library for Visual Studio 2008 - ENU
"{3ABEBD00-299D-4DCA-967F-B912163AB5EA}" = Oblivion - Horse Armor Pack
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3B96F4EA-CD82-4C57-B86A-646A017CAF18}" = Windows Live Essentials
"{405FA152-1638-4FC1-9233-62DB6F2D4C98}" = Geneforge 5
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{43DCF766-6838-4F9A-8C91-D92DA586DFA8}" = Microsoft Windows Journal Viewer
"{47273CEF-C70E-40E9-80DE-FA9BE55AD1BB}" = Avernum 5
"{4E868D3D-6EEB-4273-926C-2287236B5B79}" = 3DVIA player 4.1
"{51A9E3DD-37B8-47BB-8E67-5B76B3EFBC48}" = Assistente de Conexão do Windows Live
"{520F4B09-3A51-47A2-82B0-9FF1DC2D20FA}" = Oblivion - Vile Lair
"{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}" = Microsoft SQL Server Setup Support Files (English)
"{543E938C-BDC4-4933-A612-01293996845F}" = UnloadSupport
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{64c5b887-b5ee-42b8-8596-78905a6b5f1f}" = Microsoft Windows SDK for Visual Studio 2008 SDK Reference Assemblies and IntelliSense
"{6753B40C-0FBD-3BED-8A9D-0ACAC2DCD85D}" = Microsoft Document Explorer 2008
"{6C9F6D23-E9AD-43C9-B43A-011562AAF876}" = Windows Mobile 5.0 SDK R2 for Pocket PC
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{7EACD785-823D-4D1B-9A5E-85FACAF5DFB3}_is1" = Oxin's Style! 3D Sexvilla 2.055.001
"{80C06CCD-7D07-3DB6-86CD-B57B3F0614D8}" = Microsoft Visual Studio Team System 2008 Team Suite - ENU
"{842FAF7C-50EF-4463-9B8F-6222E1384D7D}" = Microsoft Windows SDK for Visual Studio 2008 Headers and Libraries
"{8795CBED-55E2-4693-9F14-84EC446935BE}" = SpeechRedist
"{8FB53850-246A-3507-8ADE-0060093FFEA6}" = Visual Studio Tools for the Office system 3.0 Runtime
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90120000-0021-0000-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer 2007
"{90120000-0021-0409-0000-0000000FF1CE}" = Microsoft Office Visual Web Developer MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90280416-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional com FrontPage
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9656F3AC-6BA9-43F0-ABED-F214B5DAB27B}" = Windows Mobile 5.0 SDK R2 for Smartphone
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A33B83D-FFC4-44CF-BEEF-632DECEF2FCD}" = Microsoft SQL Server Database Publishing Wizard 1.2
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}" = MSXML 6.0 Parser
"{AA467959-A1D6-4F45-90CD-11DC57733F32}" = Crystal Reports Basic for Visual Studio 2008
"{AC76BA86-7AD7-1046-7B44-000000000001}" = Adobe Reader 6.0 - Português
"{AF7FC1CA-79DF-43c3-90A3-33EFEB9294CE}" = AIO_Scan
"{B268E9A1-04A9-40D0-9866-846BE2B74BA7}" = Microsoft Windows SDK for Visual Studio 2008 Win32 Tools
"{B32E7732-B2FB-3FD0-81AC-6025B1104C66}" = Microsoft Device Emulator version 3.0 - ENU
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1
"{BCC899FE-2DAA-460C-A5FB-60291E73D9C3}" = Microsoft SQL Server Compact 3.5 ENU
"{C48AD49C-9BBF-4056-B756-846C8548507E}_is1" = Oxin's Style! Hentai3D 2.056.001
"{C8DD4EAD-674B-461B-94D5-4C80CCFB8401}" = Windows Live Messenger
"{CAA376AF-0DE8-4FCA-942E-C6AC579B94B3}" = Microsoft Windows SDK for Visual Studio 2008 Tools
"{CD49361E-3FE6-457E-90A1-9C59E29B5D02}" = Java DB 10.3.1.4
"{DEDF2885-0086-4534-9912-F9B97377ED07}" = AGEIA GAME System Software
"{DFB3FAE4-41BC-4851-A397-4C955997FB04}" = ps_aio_corporate
"{E2662C24-B31E-4349-A084-32EB76E8B760}" = BufferChm
"{E28750A2-45F2-4b63-99F7-9F81A94B1E2D}" = PS_AIO_Software_min
"{E9C18EBD-85BE-47D0-AA73-3FEDCC976B04}" = Toolbox
"{E9F44C98-B8B6-480F-AF7B-E42A0A46F4E3}" = Microsoft SQL Server VSS Writer
"{EB3F5C2A-0754-38B8-8722-7B537006BF46}" = Microsoft Visual Studio 2008 Performance Collection Tools - ENU
"{EC425CFC-EE78-4A91-AA25-3BFA65B75364}" = Oblivion - Orrery
"{EDDF99D9-9FE3-4871-A7DB-D1522C51EE9A}" = Microsoft .NET Compact Framework 2.0 SP2
"{EF295F5C-7B57-47AA-8889-6B3E8E214E89}" = Oblivion - Mehrunes Razor
"{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}" = 32 Bit HP CIO Components Installer
"{F9B3DD02-B0B3-42E9-8650-030DFF0D133D}" = Microsoft SQL Server Native Client
"{FFFFFD17-B460-41EB-93F1-C48ABAD63828}" = Oblivion - Thieves Den
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11
"Advanced SystemCare 3_is1" = Advanced SystemCare 3
"Aquaria" = Aquaria
"CDisplay_is1" = CDisplay 1.8
"CloneCD" = CloneCD
"CoreAAC Audio Decoder" = CoreAAC Audio Decoder (remove only)
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"DjVuLibre+DjView" = DjVuLibre+DjView
"DSMT6" = MathType 6
"emu8086 microprocessor emulator_is1" = emu8086 microprocessor emulator
"eMule" = eMule
"EVEREST Ultimate Edition_is1" = EVEREST Ultimate Edition v5.02
"GraphicsGale FreeEdition_is1" = GraphicsGale FreeEdition version 1.93.06
"JUDE Community_is1" = JUDE Community 5.5
"L&H Power Translator Pro 7.0" = L&H Power Translator Pro 7.0
"Magic ISO Maker v5.5 (build 0265)" = Magic ISO Maker v5.5 (build 0265)
"Magic Match Adventures[h33t][oi812heet]" = Magic Match Adventures[h33t][oi812heet]
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus! Live" = Messenger Plus! Live
"MGI_PHOTOSUITE_SE_V10" = MGI PhotoSuite SE
"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5
"Microsoft Document Explorer 2008" = Microsoft Document Explorer 2008
"Microsoft SQL Server 2005" = Microsoft SQL Server 2005
"Microsoft Visual Studio 2005 Tools for Office Runtime" = Ferramentas do Visual Studio 2005 para Office Second Edition Runtime
"Microsoft Visual Studio Team System 2008 Team Suite - ENU" = Microsoft Visual Studio Team System 2008 Team Suite - ENU
"Mozilla Firefox (3.0.14)" = Mozilla Firefox (3.0.14)
"MSC" = McAfee SecurityCenter
"MSDN Library for Visual Studio 2008 - ENU" = MSDN Library for Visual Studio 2008 - ENU
"MV RegClean 5.5_is1" = MV RegClean 5.5
"MV RegClean 5.9_is1" = MV RegClean 5.9
"Notepad++" = Notepad++
"NVIDIA Drivers" = NVIDIA Drivers
"Oblivion mod manager_is1" = Oblivion mod manager 1.1.12
"OpenAL" = OpenAL
"Peggle" = Peggle (remove only)
"Peggle Nights Deluxe 1.00" = Peggle Nights Deluxe 1.00
"PostgreSQL 8.4" = PostgreSQL 8.4
"Puzzle Quest Galactrix1.00" = Puzzle Quest Galactrix
"Puzzle Quest1.01" = Puzzle Quest
"Rainbow Sentinel Driver" = Sentinel System Driver
"RealPlayer 6.0" = RealPlayer
"SSIII Solo Ultratus" = SSIII Solo Ultratus 1.2
"Unofficial Official Mods Patch_is1" = Unofficial Official Mods Patch v15
"Visual Studio Tools for the Office system 3.0 Runtime" = Visual Studio Tools for the Office system 3.0 Runtime
"VisualWebDeveloper" = Microsoft Visual Studio Web Authoring Component
"VLC media player" = VLC media player 0.9.8a
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = Arquivo do WinRAR
"WinZip" = WinZip
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-2961934205-3705214266-2768459241-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"CodeBlocks" = CodeBlocks
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/9/2009 17:05:37 | Computer Name = PROMETHEUS | Source = crypt32 | ID = 131083
Description = Falha ao extrair lista de raízes de terceiros do CAB de atualização
automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
com erro: Os dados são inválidos.

Error - 8/9/2009 19:54:35 | Computer Name = PROMETHEUS | Source = McLogEvent | ID = 5051
Description = Um segmento no processo C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe demorou
mais do que 90000 minutos para concluir uma solicitação. O processo será concluído.
ID
do segmento: 2740 (0xab4) Endereço do segmento: 0x02306510 Mensagem do segmento:
Build VSCORE.14.0.0.433 / 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents
and Settings\ANA\Configurações locais\Dados de aplicativos\Microsoft\Windows Live
Contacts\{195aab7d-e6c4-43d5-9370-66180d59f713}\DBStore\edb.chk by C:\Arquivos
de programas\Windows Live\Contacts\wlcomm.exe 4(3750)(0) 4(3328)(0) 7200(1828)(0)

7595(1828)(0) 7005(1828)(0) 7004(1828)(0) 5006(1266)(0) 5004(1266)(0)

Error - 11/9/2009 17:15:15 | Computer Name = PROMETHEUS | Source = crypt32 | ID = 131083
Description = Falha ao extrair lista de raízes de terceiros do CAB de atualização
automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
com erro: Os dados são inválidos.

Error - 11/9/2009 17:15:15 | Computer Name = PROMETHEUS | Source = crypt32 | ID = 131083
Description = Falha ao extrair lista de raízes de terceiros do CAB de atualização
automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
com erro: Os dados são inválidos.

Error - 11/9/2009 17:15:15 | Computer Name = PROMETHEUS | Source = crypt32 | ID = 131083
Description = Falha ao extrair lista de raízes de terceiros do CAB de atualização
automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
com erro: Os dados são inválidos.

Error - 11/9/2009 19:25:41 | Computer Name = PROMETHEUS | Source = crypt32 | ID = 131083
Description = Falha ao extrair lista de raízes de terceiros do CAB de atualização
automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
com erro: Os dados são inválidos.

Error - 11/9/2009 20:04:09 | Computer Name = PROMETHEUS | Source = crypt32 | ID = 131083
Description = Falha ao extrair lista de raízes de terceiros do CAB de atualização
automática em: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
com erro: Os dados são inválidos.

Error - 13/9/2009 10:16:24 | Computer Name = PROMETHEUS | Source = ESENT | ID = 454
Description = wlcomm (2984) Falha na recuperação/restauração do banco de dados com
erro inesperado -545.

Error - 24/9/2009 15:48:54 | Computer Name = PROMETHEUS | Source = VsJITDebugger | ID = 4096
Description = An unhandled win32 exception occurred in process #2596. Just-In-Time
debugging this exception failed with the following error: The process ID is invalid.

Check
the documentation index for 'Just-in-time debugging, errors' for more information.

Error - 26/9/2009 00:11:40 | Computer Name = PROMETHEUS | Source = McLogEvent | ID = 5051
Description = Um segmento no processo C:\ARQUIV~1\McAfee\VIRUSS~1\mcshield.exe demorou
mais do que 90000 minutos para concluir uma solicitação. O processo será concluído.
ID
do segmento: 2320 (0x910) Endereço do segmento: 0x7C90E4F4 Mensagem do segmento:
Build VSCORE.14.0.0.433 / 5301.4018 Object being scanned = \Device\HarddiskVolume1\Documents
and Settings\ANA\Desktop\LaTale_FullClient_20090710.exe by C:\WINDOWS\Explorer.EXE

4(0)(0) 4(0)(0) 7200(0)(0) 7595(0)(0) 7005(0)(0) 7004(0)(0) 5006(0)(0) 5004(0)(0)


[ System Events ]
Error - 23/9/2009 10:22:58 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço npkcrypt devido ao seguinte erro:
%%2

Error - 24/9/2009 11:38:13 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço npkcrypt devido ao seguinte erro:
%%2

Error - 25/9/2009 09:05:03 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço npkcrypt devido ao seguinte erro:
%%2

Error - 25/9/2009 09:05:26 | Computer Name = PROMETHEUS | Source = DCOM | ID = 10010
Description = O servidor {C7E39D60-7A9F-42BF-ABB1-03DC0FA4F493} não se registrou
com o DCOM dentro do tempo limite requerido.

Error - 26/9/2009 00:11:48 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7031
Description = O serviço McAfee Real-time Scanner foi finalizado inesperadamente.
Isto aconteceu 1 vez(es). A seguinte ação corretiva será tomada em 60000 milissegundos:
Reiniciar o serviço.

Error - 26/9/2009 07:29:13 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço npkcrypt devido ao seguinte erro:
%%2

Error - 26/9/2009 16:14:04 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço npkcrypt devido ao seguinte erro:
%%2

Error - 27/9/2009 08:22:32 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço npkcrypt devido ao seguinte erro:
%%2

Error - 27/9/2009 13:38:06 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7009
Description = Tempo limite (30000 milissegundos) de espera para que o serviço PEVSystemStart
se conecte.

Error - 27/9/2009 13:41:44 | Computer Name = PROMETHEUS | Source = Service Control Manager | ID = 7009
Description = Tempo limite (30000 milissegundos) de espera para que o serviço PEVSystemStart
se conecte.


< End of report >

---END OF EXTRA OTL LOG---

#6 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • Gender:Not Telling
  • Local time:06:35 AM

Posted 27 September 2009 - 04:54 PM

Hi razikain,


There are gaopdxserv.sys entries in the registry files and I can't remove or modify them

If the main instance of the offending file is gone, the orphaned entries are harmless and normal. Sometimes, we can live with that though. Don't panic :(

I'd like to see what happened in your first run of ComboFix. Click Start>Run and copy/paste the following text into the Run box and click OK:

C:\Qoobox\ComboFix2.txt


Step1
  • Close any open browsers
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. Go to Here for your reference.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text inside the code box below:
RegNull::
[HKEY_USERS\S-1-5-21-2961934205-3705214266-2768459241-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{93E722CE-A754-F9D8-F551-B5837CB7D7F2}*]

DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop

[screenshot: dragging CFScript.txt onto ComboFix.exe]

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step2

Older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 16...allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name, including the following:

    Java DB 10.3.1.4
    Java™ 6 Update 13
    Java™ 6 Update 5
    Java™ 6 Update 7
    Java™ SE Development Kit 6 Update 7


  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u16-windows-i586-p.exe to install the newest version.


Step3

Let's clean some temp files. Please do the following:

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.


If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.

NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.



Step4

Please perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner.
  • Please go to Kaspersky Online Scanner and perform an online antivirus scan.
  • Click Accept button on the "Requirements and limitations".
  • When the Java warning "The application digital signature has been verified. Do you want to run the application" appears, click on the "Run" button.
  • It will download and install the program and update the database.
  • When updating the database has finished, click on Settings.
  • Make sure all boxes are checked, then click on the Save button.
  • Click on My Computer under Scan menu. It will start scanning, so be patient and let it run.
  • Once the scan is completed, Click on View Scan Report.
  • You may see a list of infected items over there. Click on Save Report As.
  • Click "Desktop", name the file "KAS", change the "Files of type" to Text file (.txt) and click on the Save button.
  • Please post the contents in your next reply.
  • You can refer to this animation
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.


Please post back the logs in your next reply.


1. ComboFix2.txt and fresh ComboFix log
2. KAS online report

Tell me how your pc is running now.
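The Step 2 advice above (several old Java runtimes side by side, each one an exploitable target for malicious sites) is the kind of finding a helper reads straight out of the OTL "Uninstall List" section. As an added example that is not part of this thread and not OTL's or ComboFix's own code, the Python below parses that section, picks out the Sun JRE/JDK entries, and reports which of them are older than a chosen baseline. The sample input is a constructed, trimmed copy of the uninstall list posted above; the `(6, 16)` default baseline is the "JRE 6 Update 16" that sundavis asks for; the `(TM)` spelling in the name pattern is an assumed variant for logs where the trademark glyph did not survive copy/paste. Java DB, which carries no "Update N", is deliberately not counted as a runtime.

```python
import re

# Constructed sample: a trimmed copy of the "HKEY_LOCAL_MACHINE Uninstall List"
# section from the OTL Extras log posted above (the Java entries plus two neighbours).
SAMPLE_UNINSTALL_LIST = """\
========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall]
"{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}" = PDFCreator
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java™ 6 Update 13
"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java™ 6 Update 5
"{3248F0A8-6813-11D6-A77B-00B0D0160070}" = Java™ 6 Update 7
"{32A3A4F4-B792-11D6-A78A-00B0D0160070}" = Java™ SE Development Kit 6 Update 7
"{CD49361E-3FE6-457E-90A1-9C59E29B5D02}" = Java DB 10.3.1.4
"Mozilla Firefox (3.0.14)" = Mozilla Firefox (3.0.14)
"""

# One OTL uninstall entry line: "<registry key name>" = <display name>
UNINSTALL_LINE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*(?P<name>.+?)\s*$')

# Display names of Sun JRE/JDK installs, e.g. "Java™ 6 Update 13" or
# "Java™ SE Development Kit 6 Update 7". The "(TM)" alternative is an assumed
# variant for logs where the trademark glyph was lost in copy/paste.
JAVA_NAME = re.compile(
    r'^Java(?:™|\(TM\))?\s+(?P<kind>SE Development Kit\s+)?'
    r'(?P<major>\d+)\s+Update\s+(?P<update>\d+)\b',
    re.IGNORECASE,
)


def parse_uninstall_list(text):
    """Return (key, display_name) pairs for every entry line in an OTL Uninstall List section."""
    entries = []
    for line in text.splitlines():
        m = UNINSTALL_LINE.match(line.strip())
        if m:
            entries.append((m.group("key"), m.group("name")))
    return entries


def java_runtime_entries(entries):
    """Keep only JRE/JDK entries and attach the parsed (major, update) version.

    Entries such as "Java DB 10.3.1.4" carry no "Update N" and are left out.
    """
    found = []
    for key, name in entries:
        m = JAVA_NAME.match(name)
        if not m:
            continue
        found.append({
            "key": key,
            "name": name,
            "kind": "JDK" if m.group("kind") else "JRE",
            "version": (int(m.group("major")), int(m.group("update"))),
        })
    return found


def outdated_java(entries, current=(6, 16)):
    """Return the Java installs older than `current` as a (major, update) tuple.

    The default (6, 16) is the "JRE 6 Update 16" the helper's post asks the
    user to install; pass a newer tuple to judge against a newer baseline.
    """
    return [e for e in java_runtime_entries(entries) if e["version"] < current]


def triage(text, current=(6, 16)):
    """Summarise one log section: how many Java runtimes are installed and
    which of them are outdated relative to `current`."""
    entries = parse_uninstall_list(text)
    java = java_runtime_entries(entries)
    stale = [e for e in java if e["version"] < current]
    return {
        "entries": len(entries),
        "java_installs": len(java),
        "outdated": [e["name"] for e in stale],
        "all_java_outdated": bool(java) and len(stale) == len(java),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_UNINSTALL_LIST)
    print(f"{report['entries']} uninstall entries, {report['java_installs']} Java runtimes")
    for name in report["outdated"]:
        print(f"  outdated: {name}")
```

Run against the sample, `triage()` reports four Java runtimes and flags all four as outdated against Update 16, which matches the list sundavis asks the user to remove. Feed it only the Uninstall List section: the "Authorized Applications List" section uses the same `"key" = value` shape and would otherwise be parsed as software entries.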

#7 razikain

razikain
  • Topic Starter

  • Members
  • 7 posts
  • Local time:09:35 AM

Posted 02 October 2009 - 04:31 PM

If the main instance of offending file is gone, the orphaned entries are harmless and normal. Sometimes, we can live with that though. Don't be panic :(


That was what I was worried about the most. Except for those registry entries, my computer has been running okay since the first time I used ComboFix to remove them.
I posted here to make 100% sure I'm not in danger. :(
Also, I don't have the first ComboFix log anymore. Sorry.
And I couldn't update my JRE to version 16. Everytime I clicked the download button it never finished loading, so I just updated to version 15.

Anyway, here are the other logs you requested. Sorry for the delay:

-------COMBOFIX LOG------------

ComboFix 09-10-01.05 - ANA 02/10/2009 17:33.4.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1023.649 [GMT -3:00]
Executando de: c:\documents and settings\ANA\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\ANA\Desktop\CFScript.txt
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-09-02 to 2009-10-02 ))))))))))))))))))))))))))))
.

2009-09-27 17:34 . 2009-09-27 17:34 -------- d-----w- C:\razikain
2009-09-25 23:14 . 2009-09-25 23:14 -------- d-----w- c:\arquivos de programas\DNA
2009-09-24 21:09 . 2009-09-24 21:09 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\Thinstall
2009-09-24 20:00 . 2009-09-24 20:00 -------- d-----w- C:\emu8086
2009-09-23 19:38 . 2009-09-23 19:38 -------- d-----w- c:\arquivos de programas\Pando Networks
2009-09-22 20:23 . 2009-09-22 20:23 -------- d-----w- C:\FOUND.000
2009-09-19 15:00 . 2009-09-19 15:00 -------- d-----w- c:\arquivos de programas\Paint.NET
2009-09-08 23:47 . 2009-09-08 23:47 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\Safer Networking
2009-09-08 23:47 . 2009-09-08 23:47 -------- d-----w- c:\arquivos de programas\Safer Networking
2009-09-08 03:04 . 2009-09-08 03:04 -------- d-----w- C:\Gmer
2009-09-04 01:26 . 2009-09-04 01:26 4096 ----a-w- c:\windows\d3dx.dat
2009-09-04 01:25 . 2009-09-04 01:25 -------- d-----w- c:\windows\Kudos 2

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-10 17:54 . 2009-02-04 04:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 17:53 . 2009-02-04 04:41 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-08 00:17 . 2008-07-02 01:16 78 ----a-w- c:\windows\popcinfo.dat
2009-08-28 23:01 . 2009-08-28 23:01 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\fizzy
2009-08-24 22:03 . 2009-08-24 22:03 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\codeblocks
2009-08-24 22:02 . 2009-08-24 22:02 -------- d-----w- c:\arquivos de programas\CodeBlocks
2009-08-22 23:47 . 2009-08-22 23:47 -------- d-----w- c:\documents and settings\ANA\Dados de aplicativos\Downloaded Installations
2009-08-18 22:52 . 2009-08-18 22:52 -------- d-----w- c:\arquivos de programas\PostgreSQL
2009-08-14 00:57 . 2009-08-14 00:57 -------- d-----w- c:\arquivos de programas\Lavalys
2009-08-01 22:45 . 2009-08-01 20:59 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2009-08-01 22:45 . 2009-08-01 20:59 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2009-07-25 08:23 . 2009-05-31 23:45 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-24 17:34 . 2009-07-24 17:34 271360 ----a-w- c:\windows\system32\drivers\atksgt.sys
2009-07-24 17:34 . 2009-07-24 17:34 18048 ----a-w- c:\windows\system32\drivers\lirsgt.sys
2009-07-16 15:32 . 2008-06-13 19:58 120136 ----a-w- c:\windows\system32\drivers\Mpfp.sys
2009-07-08 16:44 . 2008-06-13 19:58 40552 ----a-w- c:\windows\system32\drivers\mfesmfk.sys
2009-07-08 16:44 . 2008-06-13 19:58 79816 ----a-w- c:\windows\system32\drivers\mfeavfk.sys
2009-07-08 16:44 . 2008-06-13 19:58 35272 ----a-w- c:\windows\system32\drivers\mfebopk.sys
2009-07-08 16:44 . 2008-06-13 19:58 214024 ----a-w- c:\windows\system32\drivers\mfehidk.sys
2009-07-08 16:43 . 2008-06-13 19:58 34248 ----a-w- c:\windows\system32\drivers\mferkdk.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-27_17.41.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-13 18:30 . 2009-09-27 17:13 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-28 02:59 . 2009-10-02 16:29 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-09-28 02:59 . 2009-10-02 16:29 32768 c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat
+ 2008-06-13 18:30 . 2009-10-02 16:29 32768 c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat
- 2008-06-13 18:30 . 2009-09-27 17:13 32768 c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat
+ 2009-09-27 23:56 . 2009-07-25 08:23 149280 c:\windows\system32\javaws.exe
+ 2009-09-27 23:56 . 2009-07-25 08:23 145184 c:\windows\system32\javaw.exe
+ 2009-09-27 23:56 . 2009-07-25 08:23 145184 c:\windows\system32\java.exe
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-03 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-03 13529088]
"mcagent_exe"="c:\arquivos de programas\McAfee.com\Agent\mcagent.exe" [2009-07-10 645328]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-03 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLWriter"=2 (0x2)
"postgresql-8.4"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"npggsvc"=3 (0x3)
"ERSvc"=2 (0x2)
"wuauserv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Arquivos de programas\\Messenger\\MSMSGS.EXE"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Mozilla Firefox\\firefox.exe"=
"c:\\Arquivos de programas\\uTorrent\\uTorrent.exe"=
"c:\\Arquivos de programas\\eMule\\emule.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Everton\\Jogos\\UnrealTournament\\System\\UnrealTournament.exe"=
"c:\\Arquivos de programas\\InterVideo\\DVD5\\WinDVD.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\McAfee\\MNA\\McNASvc.exe"=
"d:\\Everton\\Jogos\\DeSmuME\\desmume.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"37500:TCP"= 37500:TCP:*:Disabled:eMule TCP
"64615:UDP"= 64615:UDP:*:Disabled:eMule UDP

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\arquivos de programas\McAfee\SiteAdvisor\McSACore.exe [1/10/2008 18:37 210216]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [18/9/2008 11:52 472832]
S3 ntkvpn;Loki VPN Driver Service;c:\windows\system32\DRIVERS\ntkvpn.sys --> c:\windows\system32\DRIVERS\ntkvpn.sys [?]
S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]
S3 usb2vcom;USB to Serial Bridge Controller;c:\windows\system32\drivers\usb2vcom.sys [31/5/2009 22:59 30368]
S3 VSPerfDrv90;Performance Tools Driver 9.0;c:\arquivos de programas\Microsoft Visual Studio 9.0\Team Tools\Performance Tools\VSPerfDrv90.sys [4/9/2007 16:53 55664]
S3 XDva182;XDva182; [x]
S3 XDva212;XDva212; [x]
S4 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S4 postgresql-8.4;PostgreSQL Server 8.4;C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N "postgresql-8.4" -D "D:/SQL data" -w --> C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N postgresql-8.4 [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-08-01 c:\windows\Tasks\McQcTask.job
- c:\arquiv~1\mcafee\mqc\QcConsol.exe [2008-06-13 00:26]

2009-09-15 c:\windows\Tasks\McDefragTask.job
- c:\arquiv~1\mcafee\mqc\QcConsol.exe [2008-06-13 00:26]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.neopets.com/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949}
DPF: Microsoft XML Parser for Java
DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} - hxxp://secure.gopetslive.com/dev/GoPetsWeb.cab
FF - ProfilePath - c:\documents and settings\ANA\Dados de aplicativos\Mozilla\Firefox\Profiles\tlvkn5jf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.consulttelecom.com/
FF - component: c:\arquivos de programas\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\arquivos de programas\Mozilla Firefox\plugins\npzylomgamesplayer.dll
FF - plugin: c:\arquivos de programas\Virtools\3D Life Player\npvirtools.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\id Software\QuakeLive\npquakezero.dll
FF - plugin: c:\documents and settings\All Users\Dados de aplicativos\Zylom\ZylomGamesPlayer\npzylomgamesplayer.dll

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-02 17:38
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\postgresql-8.4]
"ImagePath"="C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"D:/SQL data\" -w"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\postgresql-8.4]
"ImagePath"="C:/Arquivos de programas/PostgreSQL/8.4/bin/pg_ctl.exe runservice -N \"postgresql-8.4\" -D \"D:/SQL data\" -w"
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-2961934205-3705214266-2768459241-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:bc,b9,2a,1a,e5,30,5d,b0,95,d9,3c,f1,aa,cd,02,b8,c5,06,95,11,19,16,7d,
17,8e,de,7e,2e,d8,17,96,72,9f,18,31,e1,3c,7e,02,2c,57,1f,f6,13,74,27,7b,b2,\
"??"=hex:9b,d8,a6,5c,cb,f6,80,6f,e9,d8,66,55,b0,5c,92,f0

[HKEY_USERS\S-1-5-21-2961934205-3705214266-2768459241-1004\Software\SecuROM\License information*]
"datasecu"=hex:39,40,fd,a6,e5,54,68,9b,d7,56,8e,ed,eb,d8,07,1a,8c,ae,13,99,6e,
53,c0,a9,8f,41,7f,32,20,a2,a0,5f,a1,05,93,4f,c7,0d,60,b3,e5,f5,8c,1a,58,2f,\
"rkeysecu"=hex:3f,11,30,43,27,d1,bc,71,63,10,70,47,50,3d,4a,d7
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(2752)
c:\arquivos de programas\McAfee\SiteAdvisor\saHook.dll
.
Tempo para conclusão: 2009-10-02 17:40
ComboFix-quarantined-files.txt 2009-10-02 20:40
ComboFix2.txt 2009-09-28 00:06
ComboFix3.txt 2009-09-27 17:43

Pré-execução: 23 pasta(s) 15.315.304.448 bytes disponíveis
Pós execução: 24 pasta(s) 15.439.101.952 bytes disponíveis

Current=2 Default=2 Failed=3 LastKnownGood=4 Sets=1,2,3,4
178 --- E O F --- 2008-11-07 18:03

------END OF COMBOFIX LOG------------

------KAS ONLINE REPORT---------------

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, October 2, 2009
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, October 02, 2009 12:17:25
Records in database: 2889641
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 113743
Threats found: 0
Infected objects found: 0
Suspicious objects found: 0
Scan duration: 03:09:08

No threats found. Scanned area is clean.

Selected area has been scanned.

---------END OF KAS ONLINE REPORT------------

#8 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:35 AM

Posted 02 October 2009 - 04:57 PM

Hi razikain,



And I couldn't update my JRE to version 16. Every time I clicked the download button

Go to your Control Panel (using Classic View) and click the Java icon (it looks like a coffee cup). On the Update menu, make sure Check for Updates Automatically is checked, then click the Update Now button. Hope this workaround works for you.

Other than that, your logs appear clean now. :( If you have no remaining issues on your PC, let's do some tidying up and we can send you on your way.

Step1

Click START, then RUN.
Now copy/paste Combofix /u in the run box and click OK.
Note the space between the X and the U; it needs to be there.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.


Step2

Start OTL from your desktop.
  • Double-click OTL and let it run.
  • Then click the Cleanup button.
  • You will get a prompt saying "Begin Cleanup Process". Please select Yes.
  • Restart your computer when prompted.

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  • Update your antivirus programs

    Update your antivirus programs and other security products regularly to avoid new threats that could infect your system. You can use one of these sites to check if any updates are needed for your PC:
    Secunia Software Inspector
    F-Secure Health Check

  • Update all these programs regularly - Make sure you update all the programs regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Please check out Tony Klein's article "How did I get infected in the first place?"
Read some information here on how to prevent malware.


Glad to be of help. Safe surfing!!

#9 razikain

razikain
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:35 AM

Posted 02 October 2009 - 06:38 PM

I sincerely thank you for taking the time to help me. I have a simple question now regarding all the logs posted since the beginning of the thread: did any of them show any possible trace of infection, or were they clean from the beginning?

#10 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:35 AM

Posted 02 October 2009 - 07:06 PM

Hi razikain,



did any of them show any possible trace of infection, or were they clean from the beginning?


Yes, everything seems to be clean right from the start. You should be good to go now. :(

#11 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:06:35 AM

Posted 06 October 2009 - 02:14 AM

Since this issue appears resolved ... this Topic is closed.

Everyone else please begin a New Topic.
