
Trojans mdelk.exe & wintems.exe, please need help!



Kankiz
2008-01-18, 20:42
Hi,

I downloaded a program via eMule and before I executed it I scanned it with AVG, and it said it was safe. To my surprise I saw the AVG icon disappear from the desktop. Right away I realized something was wrong, as I saw a flash (like a program was executing), but nothing prompted me to install. Opening Windows Task Manager, I saw new processes (wintems.exe, 52531.exe, etc.).

My first instinct was to disable my internet, end the processes and do a System Restore. I was unable to end wintems.exe (error message: "The operation could not be completed. Access is denied.").

I enabled the internet and found that what I have is Trj/Mitglieder.RV, W32/Bagle.RC.worm and W32/Bagle.QW.worm. It constantly downloads or creates files with names like 45000.exe, 52531.exe, 61671.exe, 66828.exe, 69546.exe, 126093.exe, 183390.exe, 189906.exe, 234125.exe, 238828.exe in C:\WINDOWS\system32\drivers\down.

I tried re-installing AVG (failed) and Spybot (it installed, but the program deleted itself), and even ATF Cleaner doesn't execute.

I tried a lot of online anti-virus scanners (since mine was uninstalled) and I guess I got 'wintems.exe' out of my PC, but the file 'mdelk.exe' still remains (in the folder 'WINDOWS\system32').

Please, HELP!

Thanks,

Kankiz.


HijackThis log is as follows...


Logfile of HijackThis v1.99.1
Scan saved at 17:08:08, on 18/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
D:\Meus Documentos\Programas\Diversos\Antivírus\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: MSSQL$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlservr.exe" -sPINNACLESYS (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SQLAgent$PINNACLESYS - Unknown owner - C:\Arquivos de programas\Pinnacle\MediaServer\Microsoft SQL Server\MSSQL$PINNACLESYS\Binn\sqlagent.EXE" -i PINNACLESYS (file missing)

Rorschach112
2008-01-19, 03:11
Hello

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.




Please download and unzip IceSword (http://mail.ustc.edu.cn/~jfpan/download/IceSword122en.zip) to its own folder on your desktop.


If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1 : Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red color. A red colored process in this list indicates that it's hidden. Write down the PathName of any processes in red color. Then click on LOG at the top left. It will prompt you to save the log, call this Processes and save it to your desktop.


Step 2 : Click the Win32 Services tab and look out for red colored entries in the services list. Write down the Module name of any services in red color, you will need to expand out the Module tab to see the full name. Then click on LOG. It will prompt you to save the log, call this Services and save it to your desktop.


Step 3 : Now, click the SSDT tab and check for red colored entries. If there are any, write down the KModule name.


Now post all of the data collected under the headings for :

Processes
Win32 Services
SSDT
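
What IceSword's red entries actually measure, as an added example that is not part of Rorschach112's post or of the IceSword tool: a hidden process is one that a kernel-side walk reports but the user-mode listing (Task Manager, `tasklist`) does not, and an SSDT hook is a service-table entry whose handler address lies outside the kernel image that should own it. The process listings, module base addresses and SSDT addresses below are constructed sample data, not taken from this machine, and the driver name example_filter.sys is hypothetical.

```python
import csv
import io
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    name: str


@dataclass(frozen=True)
class Module:
    """A loaded kernel image occupying [base, base + size)."""
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size


# Constructed sample of `tasklist /fo csv` output (the user-mode view).
TASKLIST_CSV = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"smss.exe","548","Console","0","388 K"
"csrss.exe","612","Console","0","3,212 K"
"explorer.exe","1404","Console","0","21,540 K"
"mdelk.exe","1880","Console","0","2,104 K"
'''

# Constructed sample of the same machine enumerated from the kernel side, the
# view IceSword's Processes tab is built from. One process appears only here.
KERNEL_VIEW = [
    Proc(548, "smss.exe"),
    Proc(612, "csrss.exe"),
    Proc(1404, "explorer.exe"),
    Proc(1732, "wintems.exe"),
    Proc(1880, "mdelk.exe"),
]


def parse_tasklist_csv(text):
    """Turn tasklist CSV output into a set of Proc(pid, name)."""
    return {
        Proc(int(row["PID"]), row["Image Name"].lower())
        for row in csv.DictReader(io.StringIO(text))
    }


def hidden_processes(user_view, kernel_view):
    """Cross-view diff: processes the kernel knows about that user mode does
    not list. These are the entries IceSword paints red."""
    return sorted((p for p in kernel_view if p not in user_view), key=lambda p: p.pid)


# Constructed SSDT dump: service index -> handler address. Addresses are
# illustrative; real ones differ per Windows build.
SSDT = {
    0x0041: 0x8057A6C0,   # NtCreateFile, inside ntoskrnl
    0x0091: 0xF9F02000,   # NtOpenProcess, no loaded module owns this address
    0x00AD: 0x8058B1F0,   # NtQuerySystemInformation, inside ntoskrnl
    0x0101: 0xF8A1C3E0,   # NtTerminateProcess, inside a third-party driver
}

# Constructed loaded-module list; example_filter.sys is a hypothetical name.
MODULES = [
    Module("ntoskrnl.exe", 0x804D7000, 0x00218000),
    Module("win32k.sys", 0xBF800000, 0x001C0000),
    Module("example_filter.sys", 0xF8A1A000, 0x00008000),
]

# On XP the native service table is owned by ntoskrnl (win32k owns the
# shadow table, which IceSword lists separately).
TRUSTED_SSDT_OWNERS = {"ntoskrnl.exe"}


def ssdt_hooks(ssdt, modules, trusted=TRUSTED_SSDT_OWNERS):
    """Entries whose handler is not inside a trusted kernel image.
    Returns (index, address, owner); owner is None when no loaded module
    contains the address, which is what a hook pointing into privately
    allocated pool memory looks like."""
    hooks = []
    for index, addr in sorted(ssdt.items()):
        owner = next((m.name for m in modules if m.contains(addr)), None)
        if owner not in trusted:
            hooks.append((index, addr, owner))
    return hooks


if __name__ == "__main__":
    for p in hidden_processes(parse_tasklist_csv(TASKLIST_CSV), KERNEL_VIEW):
        print(f"hidden process: pid={p.pid} name={p.name}")
    for index, addr, owner in ssdt_hooks(SSDT, MODULES):
        print(f"SSDT[{index:#06x}] -> {addr:#010x} owned by {owner or 'no module'}")
```

On a real machine the user-mode view is what Task Manager shows and the kernel view is what IceSword collects; an entry that exists only kernel-side is exactly what the reply above asks you to write down. For the SSDT, the KModule column IceSword shows is the `owner` value here, and an entry owned by anything other than the kernel image (or by nothing at all) is the one to report.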

Kankiz
2008-01-19, 18:26
Hi,

Here we go:



Deckard's System Scanner v20071014.68
Run by ROBERIO on 2008-01-19 14:28:29
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------



-- Last 2 Restore Point(s) --
2: 2008-01-19 12:04:59 UTC - RP161 - Deckard's System Scanner Restore Point
1: 2008-01-18 12:57:14 UTC - RP160 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as ROBERIO.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:33:04, on 19/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ROBERIO\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\ROBERIO.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6317 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R1 mapledxp - c:\windows\system32\drivers\mapledxp.sys <Not Verified; Jeff Hurchalla and Marble Sound; MarbleSound Maple Midi XP Driver SYS>
R1 moufiltr (Mouse Filter Driver) - c:\windows\system32\drivers\moufiltr.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
R1 UsbFltr (WayTechMUSBFilterDriver) - c:\windows\system32\drivers\usbfltr.sys <Not Verified; Waytech Development, Inc.; Ortek USB Keypad>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>
R3 mohfilt - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel Corporation; Creatix V.9X data fax modem>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 catchme - c:\docume~1\roberio\config~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S3 PinnacleSys.MediaServer (Pinnacle Systems Media Service) - "c:\arquivos de programas\pinnacle\shared files\programs\mediaserver\pmshost.exe" <Not Verified; Pinnacle Systems; Media Server>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-12-19 and 2008-01-19 -----------------------------

2008-01-18 17:46:48 0 d-------- C:\Arquivos de programas\Trend Micro
2008-01-18 17:13:56 0 dr-h----- C:\Documents and Settings\ROBERIO\Recent
2008-01-18 10:41:22 8576 --a------ C:\WINDOWS\system32\drivers\vfhfvquoiswm.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 09:50:21 8576 --a------ C:\WINDOWS\system32\drivers\oemjiubaxbrj.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-17 19:22:01 8576 --a------ C:\WINDOWS\system32\drivers\jocnmljhbhvi.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-16 18:14:43 70660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-09 20:01:00 0 d-------- C:\WINDOWS\system32\drivers\down


-- Find3M Report ---------------------------------------------------------------

2008-01-18 02:29:18 0 d-------- C:\Arquivos de programas\Wireless Combo
2008-01-18 02:09:28 0 d-------- C:\Arquivos de programas\MFR6
2008-01-18 01:43:42 0 d-------- C:\Arquivos de programas\GbPlugin
2008-01-18 01:27:59 0 d-------- C:\Arquivos de programas\DAEMON Tools
2008-01-16 18:20:20 0 d-------- C:\Arquivos de programas\SpywareBlaster
2008-01-09 20:08:52 0 d-------- C:\Arquivos de programas\eMule
2008-01-09 16:58:40 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\BSplayer PRO
2008-01-09 16:58:29 0 d-------- C:\Arquivos de programas\Webteh
2007-12-20 14:35:19 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-12 11:54:59 240 --a------ C:\WINDOWS\system32\RfmDat2.dat
2007-12-01 10:36:24 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\Adobe
2007-12-01 10:29:04 0 d-------- C:\Arquivos de programas\Arquivos comuns
2007-12-01 09:04:56 0 d-------- C:\Arquivos de programas\Sibelius Software
2007-11-29 22:32:20 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\uTorrent
2007-11-22 09:39:59 451670 --a------ C:\WINDOWS\system32\perfh016.dat
2007-11-22 09:39:59 78596 --a------ C:\WINDOWS\system32\perfc016.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [20/06/2003 13:06 C:\WINDOWS\system32\ptipbmf.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"SoundMan"="SOUNDMAN.EXE" [26/02/2004 06:53 C:\WINDOWS\SOUNDMAN.EXE]
"Pinnacle WebUpdater"="C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [26/03/2006 12:10]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [10/12/2005 12:57]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Activar programa de Leading Scroll.lnk - C:\Arquivos de programas\Wireless Combo\MulMouse.exe [27/1/2007 14:33:31]
Media Key.lnk - C:\Arquivos de programas\Wireless Combo\MagicKey.exe [27/1/2007 14:33:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [03/12/2007 16:30 347976]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [15/08/2007 19:14 207280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GbPlugin\gbieh.dll 03/12/2007 16:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 03/12/2007 16:30 347976 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Arquivos de programas\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Arquivos de programas\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Arquivos de programas\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\system32\Sims 2 Pets.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\khiiff.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tomar Agua]
D:\Meus Documentos\E-mail\Slides\Tomar_Agua.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Arquivos de programas\Winamp\Winampa.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ebad148-5a83-11dc-90e0-0013d42eb01f}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-01-19 14:33:56 ------------

In the next replies I'll post the 'extra' log of Deckard's System Scanner and the other logs (too long!!).
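
Worked triage of the two DSS sections that matter for what Kankiz described in the first post (numeric-named .exe files dropped into system32\drivers\down, mdelk.exe sitting in system32) and for the "Drivers" list in the log above, where every driver carries a `<...>` version block except srosa.sys. This is an added example, not DSS or HijackThis code. The sample lines are copied from the log above except the 52531.exe entry under drivers\down, which is constructed from the file names the poster reported, because DSS did not list those files. The checks are generic heuristics (no version info, numeric name, known drop directory) that select lines for follow-up; they do not identify what a file is.

```python
import ntpath
import re

# "Drivers" section line: start type, service name, optional (display name),
# path, optional <version info>, optional (file missing).
DRIVER_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<svc>\S+)"
    r"(?:\s+\((?P<display>.*?)\)(?=\s+-\s))?"
    r"\s+-\s+(?P<path>.+?\.sys)"
    r"(?:\s+<(?P<info>[^>]*)>)?"
    r"(?:\s+\((?P<missing>file missing)\))?\s*$",
    re.IGNORECASE,
)

# "Files created" section line: timestamp, size, attributes, path, optional <version info>.
FILE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<size>\d+)\s+(?P<attrs>\S+)"
    r"\s+(?P<path>.+?)(?:\s+<(?P<info>[^>]*)>)?\s*$"
)

NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".sys", ".scr", ".com"}
SYSTEM32 = r"c:\windows\system32"
DROP_DIR = ntpath.join(SYSTEM32, "drivers", "down")


def triage_driver(line):
    """Flag a loaded driver that carries no version/publisher block at all."""
    m = DRIVER_RE.match(line.strip())
    if not m or m["missing"]:
        return None            # not a driver line, or not on disk: nothing to verify
    if m["info"] is None:
        return (m["path"], ["driver with no version/publisher information"])
    return None


def triage_file(line):
    """Flag new files matching the drop pattern described in the thread."""
    m = FILE_RE.match(line.strip())
    if not m or m["attrs"].startswith("d"):
        return None            # not a file line, or a directory entry
    path = m["path"]
    parent, name = ntpath.split(path.lower())
    reasons = []
    if NUMERIC_EXE.match(name):
        reasons.append("numeric-named executable")
    if parent == DROP_DIR:
        reasons.append("written to system32\\drivers\\down")
    if parent == SYSTEM32 and ntpath.splitext(name)[1] in EXEC_EXT and m["info"] is None:
        reasons.append("new executable directly in system32 with no version info")
    return (path, reasons) if reasons else None


def triage(log_text):
    """Run both checks over a DSS main.txt; returns [(path, [reasons]), ...] in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line:
            hit = triage_driver(line) or triage_file(line)
            if hit:
                findings.append(hit)
    return findings


# Sample lines copied from the DSS log in this thread, plus one constructed
# 52531.exe entry (DSS did not list the drivers\down contents; the name is
# one of those the poster reported).
SAMPLE_DSS = r"""
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
R1 srosa (Megadrv3) - c:\windows\system32\drivers\srosa.sys
S3 catchme - c:\docume~1\roberio\config~1\temp\catchme.sys (file missing)

-- Files created between 2007-12-19 and 2008-01-19 -----------------------------

2008-01-18 10:41:22 8576 --a------ C:\WINDOWS\system32\drivers\vfhfvquoiswm.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-16 18:14:43 70660 --a------ C:\WINDOWS\system32\mdelk.exe
2008-01-09 20:01:00 0 d-------- C:\WINDOWS\system32\drivers\down
2008-01-17 21:05:12 61440 --a------ C:\WINDOWS\system32\drivers\down\52531.exe
"""

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_DSS):
        print(f"{path}: {'; '.join(reasons)}")
```

The "no version info" check is deliberately weak on its own (plenty of legitimate drivers ship without a version resource), so it is paired with the file-creation checks: a driver with no identifying information that was loaded at boot on a machine where numeric-named executables are being written to a drop directory is worth reporting to the helper, with the path exactly as DSS printed it.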

Kankiz
2008-01-19, 18:29
Continued...

The first part (1/2) of "Extra":

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Portuguese

CPU 0: Intel(R) Pentium(R) 4 CPU 3.00GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 3.00GHz
Percentage of Memory in Use: 19%
Physical Memory (total/avail): 2047.22 MiB / 1649.23 MiB
Pagefile Memory (total/avail): 3432.51 MiB / 3203.94 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.83 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.5 GiB total, 14.64 GiB free.
D: is Fixed (NTFS) - 335.11 GiB total, 29.77 GiB free.
G: is CDROM (No Media)
H: is CDROM (No Media)
I: is Removable (No Media)
J: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Promise 2+0 Stripe/RAID0 SCSI Disk Device - 372.62 GiB - 2 partitions
\PARTITION0 (bootable) - Sistema de arquivos instalável - 37.5 GiB - C:
\PARTITION1 - Estendido c/Int. estendida 13 - 335.11 GiB - D:

\\.\PHYSICALDRIVE1 - HP photosmart 7200 USB Device



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
UpdatesDisableNotify is set.
FirewallOverride is set.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Arquivos de programas\\eMule\\emule.exe"="C:\\Arquivos de programas\\eMule\\emule.exe:*:Enabled:eMule"
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\ROBERIO\Dados de aplicativos
CLIENTNAME=Console
CommonProgramFiles=C:\Arquivos de programas\Arquivos comuns
COMPUTERNAME=ROBERIO
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\ROBERIO
LOGONSERVER=\\ROBERIO
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Arquivos de programas\Microsoft SQL Server\80\Tools\Binn\;C:\Arquivos de programas\Java\jre1.5.0_10\bin\client\;
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Arquivos de programas
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROBERIO\CONFIG~1\Temp
TMP=C:\DOCUME~1\ROBERIO\CONFIG~1\Temp
USERDOMAIN=ROBERIO
USERNAME=ROBERIO
USERPROFILE=C:\Documents and Settings\ROBERIO
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

ROBERIO (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Arquivos de programas\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\NuNInst.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Acronis*True*Image*Home --> MsiExec.exe /X{419CF344-3D94-4DAD-99C8-EA7B00E5EA8B}
Adobe AIR 1.0 Beta 1 --> MsiExec.exe /X{BB8B979E-E336-47E7-96BC-1031C1B94561}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe -uninstallDelete
Adobe Reader 7.0.7 - Português --> MsiExec.exe /I{AC76BA86-7AD7-1046-7B44-A70700000002}
Antares Auto-Tune v4.39 --> C:\ARQUIV~1\ANTARE~1\AUTO-T~1\AIRLOG~1\AT4\UNWISE.EXE C:\ARQUIV~1\ANTARE~1\AUTO-T~1\AIRLOG~1\AT4\INSTALL.LOG
Antares Tube 1.02 DirectX --> C:\ARQUIV~1\Antares\TubeDX\UNWISE.EXE C:\ARQUIV~1\Antares\TubeDX\INSTALL.LOG
AoA MP4 Converter --> "C:\Arquivos de programas\AoA MP4 Converter\unins000.exe"
AsusUpdate --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9
µTorrent --> "C:\Arquivos de programas\uTorrent\uTorrent.exe" /UNINSTALL
Atualização de Segurança para Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB904706) --> "C:\WINDOWS\$NtUninstallKB904706$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB917953) --> "C:\WINDOWS\$NtUninstallKB917953$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB921503) --> "C:\WINDOWS\$NtUninstallKB921503$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924191) --> "C:\WINDOWS\$NtUninstallKB924191$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB929123) --> "C:\WINDOWS\$NtUninstallKB929123$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB929969) --> "C:\WINDOWS\$NtUninstallKB929969$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB933566) --> "C:\WINDOWS\$NtUninstallKB933566$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB937143) --> "C:\WINDOWS\$NtUninstallKB937143$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB939653) --> "C:\WINDOWS\$NtUninstallKB939653$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB942615) --> "C:\WINDOWS\$NtUninstallKB942615$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Atualização para Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Atualização para Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Atualização para Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Atualização para Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Atualização para Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Atualização para Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Atualização para Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Atualização para Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Atualização para Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Atualização para Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Atualização para Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Atualização para Windows XP (KB931836) --> "C:\WINDOWS\$NtUninstallKB931836$\spuninst\spuninst.exe"
Atualização para Windows XP (KB933360) --> "C:\WINDOWS\$NtUninstallKB933360$\spuninst\spuninst.exe"
Atualização para Windows XP (KB936357) --> "C:\WINDOWS\$NtUninstallKB936357$\spuninst\spuninst.exe"
Atualização para Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Atualização para Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Atualização para Windows XP (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"
Atualização para Windows XP (KB946627) --> "C:\WINDOWS\$NtUninstallKB946627$\spuninst\spuninst.exe"

Kankiz
2008-01-19, 18:31
Continue...

Now the second part (2/2) of Extra:


AVS Disc Creator version 2.1 --> "C:\Arquivos de programas\AVSMedia\DiscCreator\unins000.exe"
AVS Video Editor 3.1.1.93 --> "C:\Arquivos de programas\AVSMedia\AVSVideoEditor\unins000.exe"
AVS Video Tools 5.1 --> "C:\Arquivos de programas\AVSMedia\VideoTools\unins000.exe"
Best Service Galaxy Steinway 5.1 --> C:\ARQUIV~1\BESTSE~1\GALAXY~1.1\UNWISE.EXE C:\ARQUIV~1\BESTSE~1\GALAXY~1.1\INSTALL.LOG
Blaze MediaConvert --> C:\ARQUIV~1\MYSTIK~1\BLAZEM~1\UNWISE.EXE C:\ARQUIV~1\MYSTIK~1\BLAZEM~1\INSTALL.LOG
BS.Player PRO --> "C:\Arquivos de programas\Webteh\BSplayerPro\uninstall.exe"
Celestia 1.4.1 --> "C:\Arquivos de programas\Celestia\unins000.exe"
Chessmaster 10th Edition --> C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\8\Intel 32\IDriver.exe /M{E9AE9A91-AB45-4321-87BD-AD34855D944F}
CloneDVD --> "C:\Arquivos de programas\Elaborate Bytes\CloneDVD\CloneDVD-uninst.exe" /D="C:\Arquivos de programas\Elaborate Bytes\CloneDVD"
CorelDRAW Graphics Suite X3 --> MsiExec.exe /I{63218538-4A69-497F-8455-904261B0E9E4}
CUE Splitter --> MsiExec.exe /I{DFB9FD6D-08A7-4B26-AAC8-3163D6EEF739}
dBPowerAMP AIFF codec r3 --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP AIFF codec r3.dat
dBPowerAMP Dalet codec R1 --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP Dalet codec R1.dat
dBpowerAMP FLAC Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP FLAC Codec.dat
dBpowerAMP Monkeys Audio Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Monkeys Audio Codec.dat
dBpowerAMP Musepack Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Musepack Codec.dat
dBpowerAMP Music Converter --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Music Converter.dat
dBpowerAMP Ogg Vorbis Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Ogg Vorbis Codec.dat
dBpowerAMP Real Audio Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP Real Audio Codec.dat
dBPowerAMP Real Audio Encoder R3 --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBPowerAMP Real Audio Encoder R3.dat
dBpowerAMP WMA V9 Codec --> "C:\WINDOWS\system32\SpoonUninstall.exe" <uninstall>C:\WINDOWS\system32\SpoonUninstall-dBpowerAMP WMA V9 Codec.dat
Delta --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{A4810699-E859-43A6-8F40-1743873E72AB}\setup.exe" -l0x9 -removeonly
Disco de recordações HP --> MsiExec.exe /X{B376402D-58EA-45EA-BD50-DD924EB67A70}
DivX --> C:\Arquivos de programas\DivX\DivXCodecUninstall.exe /CODEC
Dolet Light for Finale 2006 --> MsiExec.exe /X{1C3C0464-5944-4520-96B5-705541C3BB3E}
DreamStation DXi2 --> C:\WINDOWS\DSDXIRMV.EXE C:\ARQUIVOS DE PROGRAMAS\CAKEWALK\SHARED DXI\AUDIO SIMULATION\DREAMSTATION DXI2
DVD Decrypter (Remove Only) --> "C:\Arquivos de programas\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2 --> "C:\Arquivos de programas\DVD Shrink\unins000.exe"
EarMaster Pro 4 --> "C:\Arquivos de programas\EarMaster\unins000.exe"
East West Boesendorfer 290 --> C:\ARQUIV~1\EASTWE~1\BOESEN~1\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\BOESEN~1\INSTALL.LOG
East West Colossus --> C:\ARQUIV~1\EASTWE~1\Colossus\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\Colossus\INSTALL.LOG
East West EWQLSO Gold Edition --> C:\ARQUIV~1\EASTWE~1\EWQLSO~2\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\EWQLSO~2\INSTALL.LOG
East West EWQLSO PRO XP Gold --> C:\ARQUIV~1\EASTWE~1\EWQLSO~3\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\EWQLSO~3\INSTALL.LOG
East West EWQLSO Silver Edition --> C:\ARQUIV~1\EASTWE~1\EWQLSO~1\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\EWQLSO~1\INSTALL.LOG
East West Ra --> C:\ARQUIV~1\EASTWE~1\Ra\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\Ra\INSTALL.LOG
East West Symphonic Choirs --> C:\ARQUIV~1\EASTWE~1\SYMPHO~1\UNWISE.EXE C:\ARQUIV~1\EASTWE~1\SYMPHO~1\INSTALL.LOG
Edirol HQ Orchestral VSTi v1.03 --> C:\ARQUIV~1\EDIROL\ORCHES~1.03\UNWISE.EXE C:\ARQUIV~1\EDIROL\ORCHES~1.03\INSTALL.LOG
Edirol Hyper Canvas DXi v1.52 --> C:\ARQUIV~1\EDIROL\HYPERC~1\UNWISE.EXE C:\ARQUIV~1\EDIROL\HYPERC~1\INSTALL.LOG
Edirol Super Quartet v1.52 TALiO --> C:\ARQUIV~1\EDIROL\SUPERQ~1.52\UNWISE.EXE C:\ARQUIV~1\EDIROL\SUPERQ~1.52\INSTALL.LOG
Emagic EVP73 VSTi v1.0 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\emagic\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\emagic\INSTALL.LOG
eMule --> "C:\Arquivos de programas\eMule\Uninstall.exe"
EN --> MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
FairStars Audio Converter 1.46 --> "C:\Arquivos de programas\FairStars Audio Converter\unins000.exe"
FileZilla versão 2.2.28 --> "C:\Arquivos de programas\FileZilla\unins000.exe"
Finale 2006 --> C:\WINDOWS\unvise32.exe C:\Arquivos de programas\Finale 2006\uninstal.log
Finale Performance Assessment --> C:\WINDOWS\unvise32.exe C:\Arquivos de programas\Finale Performance Assessment\uninstal.log
FL Studio 5 --> C:\Arquivos de programas\Image-Line\FLStudio5\uninstall.exe
FLAC Installer 1.1.2a (remove only) --> C:\Arquivos de programas\FLAC\uninstall.exe
Focusrite Saffire Bundle VST v1.0 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\FOCUSR~1\SAFFIR~1\UNINST~1\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\FOCUSR~1\SAFFIR~1\UNINST~1\INSTALL.LOG
FontNav --> MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
Google Earth --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
GVOX Encore 32 v4.5 --> C:\ARQUIV~1\GVOX\Encore\UNWISE.EXE C:\ARQUIV~1\GVOX\Encore\INSTALL.LOG
HijackThis 2.0.2 --> "C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Photo and Imaging 2.1 - Scanjet 2400 Series --> MsiExec.exe /I{6F7ECD56-E224-4263-9B7E-158E5CECC43B}
HP Software Update --> MsiExec.exe /X{6FA269F8-38CB-4DF7-AA0D-36E3CE789485}
Hurchalla Maple VMidi Cable v3.56 --> "C:\WINDOWS\unins000.exe"
Innovative Music Systems IntelliScore Polyphonic Edition v6.0 --> C:\ARQUIV~1\INTELL~1\UNWISE.EXE C:\ARQUIV~1\INTELL~1\INSTALL.LOG
Intel(R) 537EP Modem --> rundll32 IntelCci.dll,iSMUninstallation "Intel(R) 537EP Modem"
InterVideo WinDVD Creator 2 --> "C:\Arquivos de programas\InstallShield Installation Information\{2FCE4FC5-6930-40E7-A4F1-F862207424EF}\setup.exe" REMOVEALL
Java DB 10.2.2.0 --> MsiExec.exe /X{0ECB59D5-A3FC-4D61-AD3B-6CE679B3F852}
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) SE Development Kit 6 Update 2 --> MsiExec.exe /I{32A3A4F4-B792-11D6-A78A-00B0D0160020}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
KORG Legacy Collection v1.1.3 --> C:\ARQUIV~1\KORG\KORGLE~1\UNWISE.EXE C:\ARQUIV~1\KORG\KORGLE~1\INSTALL.LOG
Magic File Renamer 6.12 Professional Edition --> MsiExec.exe /I{2F09F8D0-797D-4F98-9638-4BE6B83A8E26}
Marvell Miniport Driver --> MsiExec.exe /X{C950420B-4182-49EA-850A-A6A2ABF06C6B}
Matroska Pack --> C:\Arquivos de programas\Matroska Pack\uninstall.exe
Microsoft Age of Empires II --> "D:\Arquivos de programas\Jogos\Age of Empires II - The Ages Of Kings\UNINSTAL.EXE" /runtemp /uninstall
Microsoft Office Professional Edição 2003 --> MsiExec.exe /I{90110416-6000-11D3-8CFE-0150048383C9}
Microsoft SQL Server Desktop Engine (PINNACLESYS) --> MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Monkey's Audio --> "C:\Arquivos de programas\Monkey's Audio\unins000.exe"
MusicLab RealGuitar v1.5 --> C:\ARQUIV~1\MusicLab\REALGU~1\UNWISE.EXE C:\ARQUIV~1\MusicLab\REALGU~1\INSTALL.LOG
Naevius YouTube Converter 1.6 --> "C:\Arquivos de programas\Naevius YouTube Converter\unins000.exe"
Native Instruments B4 v1.11 w/ DXi --> C:\ARQUIV~1\NATIVE~1\B4\UNWISE.EXE C:\ARQUIV~1\NATIVE~1\B4\INSTALL.LOG
Native Instruments Finale GPO --> C:\ARQUIV~1\NATIVE~1\FINALE~1\UNWISE.EXE C:\ARQUIV~1\NATIVE~1\FINALE~1\INSTALL.LOG
Native Instruments FM7 --> C:\ARQUIV~1\NATIVE~1\Fm7\UNWISE.EXE C:\ARQUIV~1\NATIVE~1\Fm7\INSTALL.LOG
Native Instruments GuitarRig2 RTAS VSTi DXi --> C:\ARQUIV~1\NATIVE~1\GUITAR~1\UNWISE.EXE C:\ARQUIV~1\NATIVE~1\GUITAR~1\INSTALL.LOG
Need for Speed™ Most Wanted --> D:\Arquivos de programas\Jogos\EA GAMES\Need for Speed Most Wanted\EAUninstall.exe
Nero 7 Premium --> MsiExec.exe /I{F14B8ECC-BDA0-4987-9201-D7B7DBE11046}
Neuratron PhotoScore Demo --> C:\ARQUIV~1\NEURAT~2\UNWISE.EXE C:\ARQUIV~1\NEURAT~2\INSTALL.LOG
Neuratron PhotoScore Lite --> C:\ARQUIV~1\NEURAT~1\UNWISE.EXE C:\ARQUIV~1\NEURAT~1\INSTALL.LOG
NomadFactory Essential Studio Suite VST v1.0 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\ESSv1.0\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\ESSv1.0\INSTALL.LOG
NomadFactory Rock Amp Legends VST v1.01 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\RALv101\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\RALv101\INSTALL.LOG
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
oggcodecs 0.71.0946 --> C:\Arquivos de programas\illiminable\oggcodecs\uninst.exe
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PC DUAL SHOCK --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{42DC7D64-F389-4E37-B545-E7D674A97D66}\setup.exe" -l0x9 -removeonly
PDFCreator --> MsiExec.exe /I{0001B4FD-9EA3-4D90-A79E-FD14BA3AB01D}
Photosmart 140,240,7200,7600,7700,7900 Series --> C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\setup\hpzscr01.exe -datfile hphscr01.dat
Pinnacle MediaCenter --> "C:\Documents and Settings\ROBERIO\Dados de aplicativos\InstallShield Installation Information\{F38ADCA4-AF7C-4C73-9021-6F1EA15D15EA}\Setup.exe"UNINSTALL /l0x0416
Pinnacle MediaServer --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{460CE8B9-6EC2-458A-90D4-691631ECE9D9}\setup.exe" -l0x416 UNINSTALL
PowerDVD --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Realtek AC'97 Audio --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" REMOVE
Remove DivX Pro Codec --> C:\WINDOWS\unvise32.exe C:\Arquivos de programas\DivX\DivX Pro Codec\UninstalDivXProCodec.log
Sibelius 5 --> MsiExec.exe /X{C23B8C30-E05E-4CB5-8188-F27CC3B2DD3E}
Sibelius Scorch --> MsiExec.exe /I{80F6A672-C39B-41CE-8AF5-A9C2FA8C2B72}
Sibelius Sounds Essentials --> D:\ARQUIV~1\SIBELI~1\SIBELI~1\ESSENT~1\UNWISE.EXE D:\ARQUIV~1\SIBELI~1\SIBELI~1\ESSENT~1\INSTALL.LOG
SONAR 6 Producer Edition --> "C:\Arquivos de programas\Cakewalk\SONAR 6 Producer Edition\unins000.exe"
Sony Sound Forge 8.0d --> MsiExec.exe /X{5636E517-8100-4E2A-B69E-2B16AFFA2360}
Sound Set Editor --> MsiExec.exe /I{D5E93779-98F8-A262-A338-8DED5907312D}
SpywareBlaster v3.5.1 --> "C:\Arquivos de programas\SpywareBlaster\unins000.exe"
Steinberg Hypersonic 2 --> "C:\Arquivos de programas\Steinberg\VSTPlugins\Hypersonic\Hypersonic Content\unins000.exe"
Subtitle Workshop 2.51 --> "C:\Arquivos de programas\URUSoft\Subtitle Workshop\uninstall.exe"
The Sims 2 --> D:\Arquivos de programas\Jogos\EA GAMES\The Sims 2\EAUninstall.exe
The Sims 2 - Aberto Para Negócios --> C:\Arquivos de programas\EA GAMES\The Sims 2 - Aberto Para Negócios\EAUninstall.exe
The Sims 2 Diversão em Família Coleção de Objetos --> C:\Arquivos de programas\EA GAMES\The Sims 2 Diversão em Família Coleção de Objetos\EAUninstall.exe
The Sims 2 University --> C:\Arquivos de programas\EA GAMES\The Sims 2 University\EAUninstall.exe
The Sims 2: Vida Noturna --> C:\Arquivos de programas\EA GAMES\The Sims 2 Vida Noturna\EAUninstall.exe
The Sims™ 2 Bichos de Estimação --> C:\Arquivos de programas\EA GAMES\The Sims 2 Bichos de Estimação\EAUninstall.exe
The Sims™ 2 Glamour Coleção de Objetos --> C:\Arquivos de programas\EA GAMES\The Sims 2 Glamour Coleção de Objetos\EAUninstall.exe
Timeworks Millenium Pack --> C:\Audio\TIMEWO~1\UNWISE.EXE C:\Audio\TIMEWO~1\INSTALL.LOG
Total Video Converter 3.10 --> "C:\Arquivos de programas\Total Video Converter\unins000.exe"
Ultra Tag Editor --> C:\Arquivos de programas\Ultra Tag Editor\uninst.exe
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
URS Everything EQ Bundle v4.0 --> C:\ARQUIV~1\STEINB~1\VSTPLU~1\URSINS~1\UNWISE.EXE C:\ARQUIV~1\STEINB~1\VSTPLU~1\URSINS~1\INSTALL.LOG
VBA --> MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Waves Diamond Bundle v5.2 --> C:\ARQUIV~1\Waves\DIAMON~1\UNWISE.EXE C:\ARQUIV~1\Waves\DIAMON~1\INSTALL.LOG
Waves L3 v5.2 --> C:\ARQUIV~1\Waves\UNINST~1\UNWISE.EXE C:\ARQUIV~1\Waves\UNINST~1\INSTALL.LOG
Waves Q-Clone v1.0 --> C:\ARQUIV~1\Waves\Q-Clone\UNWISE.EXE C:\ARQUIV~1\Waves\Q-Clone\INSTALL.LOG
Waves SSL Collection v1.2 --> C:\ARQUIV~1\Waves\AIRLOG~1\WAVESS~1.2\UNWISE.EXE C:\ARQUIV~1\Waves\AIRLOG~1\WAVESS~1.2\INSTALL.LOG
Winamp (remove only) --> "C:\Arquivos de programas\Winamp\UninstWA.exe"
WinRAR archiver --> C:\Arquivos de programas\WinRAR\uninstall.exe
Wireless Combo --> C:\WINDOWS\ISUN0816.EXE -f"C:\Arquivos de programas\Wireless Combo\Uninst.isu" -c"C:\Arquivos de programas\Wireless Combo\UnInst.dll"
WordBuilder --> MsiExec.exe /I{91C36BDB-B77C-4C2D-B278-3CF1D1005C8F}
Xvid 1.1.2 final uninstall --> "C:\Arquivos de programas\XviD\unins001.exe"


-- Application Event Log -------------------------------------------------------

Event Record #/Type3939 / Error
Event Submitted/Written: 01/18/2008 01:19:13 PM
Event ID/Source: 1001 / Application Error
Event Description:
Falha no compartimento de memória 296617473.
O intercâmbio de chave Wep não resultou em uma configuração de conexão segura após a autenticação 802.1x. A configuração atual foi marcada como tendo falhado e a conexão sem fio será desconectada.

Event Record #/Type3938 / Error
Event Submitted/Written: 01/18/2008 01:19:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha iexplore.exe, versão 6.0.2900.2180, módulo com falha oscan8.ocx, versão 1.0.0.1, endereço com falha 0x00029291.
Processando evento específico de mídia para [iexplore.exe!ws!]

Event Record #/Type3935 / Error
Event Submitted/Written: 01/17/2008 03:42:50 AM
Event ID/Source: 1 / nview_info
Event Description:
NVIEW : MulMouse: WAIT_TIMEOUT, while waiting for a read to clear - resetting read event

Event Record #/Type3933 / Error
Event Submitted/Written: 01/16/2008 08:23:12 PM
Event ID/Source: 1001 / Application Error
Event Description:
Falha no compartimento de memória 347130002.
O intercâmbio de chave Wep não resultou em uma configuração de conexão segura após a autenticação 802.1x. A configuração atual foi marcada como tendo falhado e a conexão sem fio será desconectada.

Event Record #/Type3932 / Error
Event Submitted/Written: 01/16/2008 08:23:08 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha iexplore.exe, versão 6.0.2900.2180, módulo com falha flash9b.ocx, versão 9.0.28.0, endereço com falha 0x00099589.
Processando evento específico de mídia para [iexplore.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2557 / Error
Event Submitted/Written: 01/19/2008 02:32:32 PM
Event ID/Source: 7023 / Service Control Manager
Event Description:
O serviço Localizador de computadores terminou com o erro:
%%1460

Event Record #/Type2538 / Error
Event Submitted/Written: 01/19/2008 02:28:08 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
O serviço Configuração zero sem fio depende do serviço Protocolo de modo de usuário E/S em dispositivos NDIS, mas não foi possível iniciá-lo devido ao seguinte erro:
%%1058

Event Record #/Type2534 / Error
Event Submitted/Written: 01/19/2008 09:37:53 AM
Event ID/Source: 7023 / Service Control Manager
Event Description:
O serviço Localizador de computadores terminou com o erro:
%%1460

Event Record #/Type2515 / Error
Event Submitted/Written: 01/19/2008 09:34:06 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
O serviço Configuração zero sem fio depende do serviço Protocolo de modo de usuário E/S em dispositivos NDIS, mas não foi possível iniciá-lo devido ao seguinte erro:
%%1058

Event Record #/Type2510 / Warning
Event Submitted/Written: 01/18/2008 05:05:30 PM
Event ID/Source: 57 / Ftdisk
Event Description:
O sistema não pôde mover dados para o log de transações. Corrupção possível.



-- End of Deckard's System Scanner: finished at 2008-01-19 14:33:56 ------------

Kankiz
2008-01-19, 18:34
Continue...

The other stuff:

STEP 1: the pathnames in red:


C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe


and the Process:


System Idle Process
System
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\WINDOWS\system32\smss.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\drivers\hldrrr.exe
C:\Documents and Settings\ROBERIO\Desktop\IceSword122en\IceSword.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wintems.exe



STEP 2: the Win32 Services (no red entries):



Started Service:

Service Name:AcrSch2Svc Display Name:Acronis Scheduler2 Service
Service Name:AudioSrv Display Name:Áudio do Windows
Service Name:BITS Display Name:Serviço de transferência inteligente de plano de fundo
Service Name:CryptSvc Display Name:Serviços de criptografia
Service Name:DcomLaunch Display Name:Inicializador de Processo de Servidor DCOM
Service Name:Dhcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Gerenciador de discos lógicos
Service Name:Dnscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Log de eventos
Service Name:EventSystem Display Name:Sistema de eventos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidade com 'Troca rápida de usuário'
Service Name:GbpSv Display Name:Gbp Service
Service Name:helpsvc Display Name:Ajuda e suporte
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:InCDsrv Display Name:InCD Helper
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estação de trabalho
Service Name:LmHosts Display Name:Auxiliar NetBIOS TCP/IP
Service Name:Netman Display Name:Conexões de rede
Service Name:Nla Display Name:Reconhecimento de local da rede (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:Serviços IPSEC
Service Name:ProtectedStorage Display Name:Armazenamento protegido
Service Name:RasMan Display Name:Gerenciador de conexão de acesso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Chamada de procedimento remoto (RPC)
Service Name:SamSs Display Name:Gerenciador de contas de segurança
Service Name:Schedule Display Name:Schedule
Service Name:seclogon Display Name:Logon secundário
Service Name:SENS Display Name:Notificação de eventos de sistema
Service Name:ShellHWDetection Display Name:Detecção do hardware do shell
Service Name:Spooler Display Name:Spooler de impressão
Service Name:srservice Display Name:Serviço de restauração do sistema
Service Name:SSDPSRV Display Name:Serviço de descoberta SSDP
Service Name:stisvc Display Name:Assistente de aquisição de imagens do Windows (WIA)
Service Name:TapiSrv Display Name:Telefonia
Service Name:TermService Display Name:Serviços de terminal
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de rastreamento de link distribuído
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Horário do Windows
Service Name:WebClient Display Name:Cliente da Web
Service Name:winmgmt Display Name:Testador de instrumentação de gerenciam. do Windows



STEP 3: the SSDT KModule name:


\??\C:\WINDOWS\system32\drivers\srosa.sys (12 times listed in red)

sptd.sys (3 times listed in red)



That's it. Wow! Sorry, but rapidshare was offline.
Thanks.

Rorschach112
2008-01-19, 19:09
Hello

Now for the fix. Close all windows and run IceSword.exe. Do not restart your computer until the very end, to ensure the fix works.

Step 1 : Click the Processes tab and right-click on the following red colored processes one by one and choose "Terminate Process". This will kill the rooted processes.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe



Step 2 : Now, we have to delete the rooted files. Click the File button. This will display a Windows Explorer type interface. Navigate to the following file(s) and folder in bold and delete them.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\down << folder


Step 3 : Now, we have to delete the rooted registry keys. Click the Registry button. This will display a regedit type interface. Navigate to the following registry keys in bold and delete them.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa <<< Let me know if this key is present, delete it if it is

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer



Then reboot your PC and run IceSword again. Save new logs from the "Processes" and "Win32 Services" tabs, taking note of any red entries from them and from the SSDT tab.

Kankiz
2008-01-19, 22:27
Hi,


Navigate to the following file(s) and folder in bold and delete them.

C:\WINDOWS\system32\drivers\hldrrr.exe
C:\WINDOWS\system32\wintems.exe
C:\WINDOWS\system32\drivers\srosa.sys
C:\WINDOWS\system32\mdelk.exe
C:\WINDOWS\system32\drivers\down << folder

Did you mean to delete all the files in the folder or the folder itself? Anyway, the folder's gone. I've deleted it. And...


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\srosa <<< Let me know if this key is present, delete it if it is

Well, the key was there and I've deleted it too.

There are no red entries in 'Processes' nor in 'Win32 Services', but in SSDT there are now 7 entries in red with the same kmodule name: 'sptd.sys'.

Also, I could note that in 'start up' (icesword) there are 2 registry keys for the 'hldrrr.exe' and 'wintems.exe'. Should I delete them too?

The logs:

Process:

System Idle Process
System
C:\Arquivos de programas\Wireless Combo\OSD.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\ROBERIO\Desktop\IceSword122en\IceSword.exe

Started Service:

Service Name:AcrSch2Svc Display Name:Acronis Scheduler2 Service
Service Name:AudioSrv Display Name:Áudio do Windows
Service Name:BITS Display Name:Serviço de transferência inteligente de plano de fundo
Service Name:Browser Display Name:Localizador de computadores
Service Name:CryptSvc Display Name:Serviços de criptografia
Service Name:DcomLaunch Display Name:Inicializador de Processo de Servidor DCOM
Service Name:Dhcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Gerenciador de discos lógicos
Service Name:Dnscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Log de eventos
Service Name:EventSystem Display Name:Sistema de eventos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidade com 'Troca rápida de usuário'
Service Name:GbpSv Display Name:Gbp Service
Service Name:helpsvc Display Name:Ajuda e suporte
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:InCDsrv Display Name:InCD Helper
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estação de trabalho
Service Name:LmHosts Display Name:Auxiliar NetBIOS TCP/IP
Service Name:Netman Display Name:Conexões de rede
Service Name:Nla Display Name:Reconhecimento de local da rede (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:Serviços IPSEC
Service Name:ProtectedStorage Display Name:Armazenamento protegido
Service Name:RasMan Display Name:Gerenciador de conexão de acesso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Chamada de procedimento remoto (RPC)
Service Name:SamSs Display Name:Gerenciador de contas de segurança
Service Name:Schedule Display Name:Schedule
Service Name:seclogon Display Name:Logon secundário
Service Name:SENS Display Name:Notificação de eventos de sistema
Service Name:ShellHWDetection Display Name:Detecção do hardware do shell
Service Name:Spooler Display Name:Spooler de impressão
Service Name:srservice Display Name:Serviço de restauração do sistema
Service Name:SSDPSRV Display Name:Serviço de descoberta SSDP
Service Name:stisvc Display Name:Assistente de aquisição de imagens do Windows (WIA)
Service Name:TapiSrv Display Name:Telefonia
Service Name:TermService Display Name:Serviços de terminal
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de rastreamento de link distribuído
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Horário do Windows
Service Name:WebClient Display Name:Cliente da Web
Service Name:winmgmt Display Name:Testador de instrumentação de gerenciam. do Windows

Rorschach112
2008-01-19, 23:46
Hello


Also, I could note that in 'start up' (icesword) there are 2 registry keys for the 'hldrrr.exe' and 'wintems.exe'. Should I delete them too?
Yes, delete those too.

Once you have done that, restart your PC and post me new logs from all the areas including Startup

Rorschach112
2008-01-20, 00:30
Actually it won't allow you to delete them from there

Do this instead

Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe


Then navigate to the following registry keys in bold and delete them

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hldrrr.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"
"wintems.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"


Reboot and post the logs
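
As an added example that is not part of the thread (and not IceSword's or ERUNT's code), here is a PowerShell audit script that covers the two clean-up posts above: the file, folder and srosa service-key checks from the IceSword steps, and the hldrrr.exe / wintems.exe Run entries, which it looks for in both HKLM and HKCU since the thread found them under HKCU rather than HKLM. By default it only reports; with -Remove it exports each affected key with reg.exe first (the same backup-before-delete idea as the ERUNT step) and then deletes. The -Remove switch and the backup folder path are my own choices, not from the thread.

```powershell
<#
  Bagle artifact audit (added example, not from the thread).
  Report-only by default; -Remove backs up affected registry keys
  to .reg files and then deletes files, folder, keys and values.
  Run from an elevated PowerShell prompt.
#>
[CmdletBinding()]
param(
    [switch]$Remove,
    # Assumed backup location; any writable folder works.
    [string]$BackupDir = (Join-Path $env:USERPROFILE 'Desktop\bagle-backup')
)

# Artifacts exactly as named in the thread's instructions.
$Files = @(
    "$env:SystemRoot\system32\drivers\hldrrr.exe",
    "$env:SystemRoot\system32\wintems.exe",
    "$env:SystemRoot\system32\drivers\srosa.sys",
    "$env:SystemRoot\system32\mdelk.exe"
)
$DownFolder    = "$env:SystemRoot\system32\drivers\down"
$RunValueNames = @('hldrrr.exe', 'wintems.exe')
$ServiceKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\srosa'
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

function Backup-RegKey {
    param([string]$PSPath)
    # reg.exe wants HKEY_LOCAL_MACHINE\... rather than the HKLM: drive form.
    $native = $PSPath -replace '^HKLM:', 'HKEY_LOCAL_MACHINE' `
                      -replace '^HKCU:', 'HKEY_CURRENT_USER'
    New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
    $file = Join-Path $BackupDir (($native -replace '[\\:]', '_') + '.reg')
    # Older reg.exe prompts on overwrite, so clear any previous copy first.
    if (Test-Path -LiteralPath $file) { Remove-Item -LiteralPath $file -Force }
    & reg.exe export $native $file | Out-Null
    Write-Host "  backed up $native -> $file"
}

# 1. Processes (the thread's IceSword Step 1). A locked file cannot be
#    deleted, so stop the processes first if the API can see them.
$running = Get-Process -Name hldrrr, wintems -ErrorAction SilentlyContinue
foreach ($p in $running) {
    Write-Host "RUNNING process: $($p.Name) (PID $($p.Id))"
    if ($Remove) { Stop-Process -Id $p.Id -Force }
}

# 2. Files and the download folder (IceSword Step 2).
foreach ($f in $Files) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "FOUND file: $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Force }
    }
}
if (Test-Path -LiteralPath $DownFolder) {
    $n = (Get-ChildItem -LiteralPath $DownFolder -Force | Measure-Object).Count
    Write-Host "FOUND folder: $DownFolder ($n items)"
    if ($Remove) { Remove-Item -LiteralPath $DownFolder -Recurse -Force }
}

# 3. The srosa driver service key (IceSword registry step).
if (Test-Path $ServiceKey) {
    Write-Host "FOUND service key: $ServiceKey"
    if ($Remove) { Backup-RegKey $ServiceKey; Remove-Item $ServiceKey -Recurse -Force }
}

# 4. Run entries, checked in both hives.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $RunValueNames) {
        if ($null -ne $props.PSObject.Properties[$name]) {
            Write-Host "FOUND Run value: $key\$name = $($props.$name)"
            if ($Remove) { Backup-RegKey $key; Remove-ItemProperty -Path $key -Name $name }
        }
    }
    # Also flag any Run value whose data points into the download folder,
    # since the dropped numbered .exe files lived there.
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -like '*drivers\down*') {
            Write-Host "SUSPECT Run value: $key\$($p.Name) = $($p.Value)"
        }
    }
}
```

A kernel driver such as the srosa.sys entry shown in red on the SSDT tab can hide files and processes from the normal Windows API, which is why the helper used IceSword for the first pass; treat a clean report from this script as confirmation after that step, not as a substitute for it.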

Kankiz
2008-01-20, 01:52
Hi,


Then navigate to the following registry keys in bold and delete them

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hldrrr.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"
"wintems.exe"="C:\\WINDOWS\\System32\\igfxtray.exe"


You meant "HKEY_CURRENT_USER\..." and not "HKEY_LOCAL_MACHINE\...", didn't you? Because the keys were not there. Anyway, I've deleted the keys where I found them: in "HKEY_CURRENT_USER\...", and also the keys are not the same as the ones you gave: the word 'igfxtray.exe' wasn't there, for example.

Well, here the logs go:


Process:

System Idle Process
System
C:\Arquivos de programas\Wireless Combo\OSD.exe
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\ROBERIO\Desktop\IceSword122en\IceSword.exe


Started Service:

Service Name:AcrSch2Svc Display Name:Acronis Scheduler2 Service
Service Name:AudioSrv Display Name:Áudio do Windows
Service Name:BITS Display Name:Serviço de transferência inteligente de plano de fundo
Service Name:Browser Display Name:Localizador de computadores
Service Name:CryptSvc Display Name:Serviços de criptografia
Service Name:DcomLaunch Display Name:Inicializador de Processo de Servidor DCOM
Service Name:Dhcp Display Name:Cliente DHCP
Service Name:dmserver Display Name:Gerenciador de discos lógicos
Service Name:Dnscache Display Name:Cliente DNS
Service Name:ERSvc Display Name:Error Reporting Service
Service Name:Eventlog Display Name:Log de eventos
Service Name:EventSystem Display Name:Sistema de eventos COM+
Service Name:FastUserSwitchingCompatibility Display Name:Compatibilidade com 'Troca rápida de usuário'
Service Name:GbpSv Display Name:Gbp Service
Service Name:helpsvc Display Name:Ajuda e suporte
Service Name:HTTPFilter Display Name:HTTP SSL
Service Name:InCDsrv Display Name:InCD Helper
Service Name:lanmanserver Display Name:Servidor
Service Name:lanmanworkstation Display Name:Estação de trabalho
Service Name:LmHosts Display Name:Auxiliar NetBIOS TCP/IP
Service Name:Netman Display Name:Conexões de rede
Service Name:Nla Display Name:Reconhecimento de local da rede (NLA)
Service Name:NVSvc Display Name:NVIDIA Display Driver Service
Service Name:PlugPlay Display Name:Plug and Play
Service Name:PolicyAgent Display Name:Serviços IPSEC
Service Name:ProtectedStorage Display Name:Armazenamento protegido
Service Name:RasMan Display Name:Gerenciador de conexão de acesso remoto
Service Name:RemoteRegistry Display Name:Registro remoto
Service Name:RpcSs Display Name:Chamada de procedimento remoto (RPC)
Service Name:SamSs Display Name:Gerenciador de contas de segurança
Service Name:Schedule Display Name:Schedule
Service Name:seclogon Display Name:Logon secundário
Service Name:SENS Display Name:Notificação de eventos de sistema
Service Name:ShellHWDetection Display Name:Detecção do hardware do shell
Service Name:Spooler Display Name:Spooler de impressão
Service Name:srservice Display Name:Serviço de restauração do sistema
Service Name:SSDPSRV Display Name:Serviço de descoberta SSDP
Service Name:stisvc Display Name:Assistente de aquisição de imagens do Windows (WIA)
Service Name:TapiSrv Display Name:Telefonia
Service Name:TermService Display Name:Serviços de terminal
Service Name:Themes Display Name:Temas
Service Name:TrkWks Display Name:Cliente de rastreamento de link distribuído
Service Name:UMWdf Display Name:Windows User Mode Driver Framework
Service Name:W32Time Display Name:Horário do Windows
Service Name:WebClient Display Name:Cliente da Web
Service Name:winmgmt Display Name:Testador de instrumentação de gerenciam. do Windows


Startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ptipbmf
rundll32.exe ptipbmf.dll,SetWriteCacheMode

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvCplDaemon
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
nwiz
nwiz.exe /install

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
NvMediaCenter
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMan
SOUNDMAN.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Pinnacle WebUpdater
"C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
DAEMON Tools
"C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SunJavaUpdateSched
"C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
Activar programa de Leading Scroll.lnk
C:\Arquivos de programas\Wireless Combo\MulMouse.exe (Remark:)

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
desktop.ini


C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
Media Key.lnk
C:\Arquivos de programas\Wireless Combo\MagicKey.exe (Remark:)

C:\Documents and Settings\ROBERIO\Menu Iniciar\Programas\Inicializar
desktop.ini


Again, there are no red entries in 'Processes' nor in 'Win32 Services', but in SSDT there are still 7 entries in red with the same kmodule name: 'sptd.sys'. What are these?

I've restored the registries too. Was it necessary?

Thanks again, I feel the PC is becoming like before.

Rorschach112
2008-01-20, 02:30
Hello

Good work

Sptd.sys is a legitimate file so don't touch that


Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under 'Select a target to scan', select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.




click on Start, click on Run
copy and paste the following in bold in the open window and then click OK
"%userprofile%\desktop\dss.exe" /config
This will open up DSS configuration
click on Drivers and click Scan

Kankiz
2008-01-20, 06:56
Hi,

Here we go:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 20, 2008 3:33:46 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/01/2008
Kaspersky Anti-Virus database records: 524225
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 143969
Number of viruses found: 4
Number of infected objects: 15
Number of suspicious objects: 0
Duration of the scan process: 02:13:21

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\20080120011756\backup\WINDOWS\temp\ASHeuristic\wintems.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\.housecall6.6\Quarantine\mdelk.exe.bac_a01456 Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\MSHist012008012020080121\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020810.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020812.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020834.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020835.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020836.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020838.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP160\A0020839.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\A0021834.sys Infected: Trojan-Downloader.Win32.Bagle.hw skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\A0021835.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\A0021836.exe Infected: Email-Worm.Win32.Bagle.of skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\A0021844.exe Infected: Trojan-Downloader.Win32.Bagle.ht skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8925.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs de Expansão\The Sims 2 EP4-1 Pets - Bichos de Estimação\install.exe/irsetup.dat Infected: P2P-Worm.Win32.Padonak.b skipped
D:\Meus Documentos\Programas\Pessoais\Jogos\Cracks\The Sims 2\Packs de Expansão\The Sims 2 EP4-1 Pets - Bichos de Estimação\install.exe SetupFactory: infected - 1 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP161\change.log Object is locked skipped

Scan process completed.

Continue...

Kankiz
2008-01-20, 06:59
Continue...


Deckard's System Scanner v20071014.68
Run by ROBERIO on 2008-01-20 03:47:05
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as ROBERIO.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:47:12, on 20/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\ROBERIO\desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\ROBERIO.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6433 bytes

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 AFS2K - c:\windows\system32\drivers\afs2k.sys <Not Verified; Oak Technology Inc.; AFS>
R1 kbfilter (Keyboard Filter Driver) - c:\windows\system32\drivers\kbfilter.sys <Not Verified; WayTech Development, Inc.; Keyboard filter driver>
R1 mapledxp - c:\windows\system32\drivers\mapledxp.sys <Not Verified; Jeff Hurchalla and Marble Sound; MarbleSound Maple Midi XP Driver SYS>
R1 moufiltr (Mouse Filter Driver) - c:\windows\system32\drivers\moufiltr.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R1 UsbFltr (WayTechMUSBFilterDriver) - c:\windows\system32\drivers\usbfltr.sys <Not Verified; Waytech Development, Inc.; Ortek USB Keypad>
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 ASAPIW2k - c:\windows\system32\drivers\asapiw2k.sys <Not Verified; VOB Computersysteme GmbH; asapi>
R3 DELTA (Service for Delta Driver (WDM)) - c:\windows\system32\drivers\delta.sys <Not Verified; Midiman/M-Audio; M-Audio Delta WDM Driver>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes; CDRTools>
R3 mohfilt - c:\windows\system32\drivers\mohfilt.sys <Not Verified; Intel Corporation; Creatix V.9X data fax modem>
R3 Pfc (Padus ASPI Shell) - c:\windows\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus(R) ASPI Shell>

S3 catchme - c:\docume~1\roberio\config~1\temp\catchme.sys (file missing)


-- Files created between 2007-12-20 and 2008-01-20 -----------------------------

2008-01-20 02:26:30 0 dr-h----- C:\Documents and Settings\ROBERIO\Recent
2008-01-18 17:46:48 0 d-------- C:\Arquivos de programas\Trend Micro
2008-01-18 10:41:22 8576 --a------ C:\WINDOWS\system32\drivers\vfhfvquoiswm.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 09:50:21 8576 --a------ C:\WINDOWS\system32\drivers\oemjiubaxbrj.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-17 19:22:01 8576 --a------ C:\WINDOWS\system32\drivers\jocnmljhbhvi.sys <Not Verified; Panda Software International; RKPavProc Driver>


-- Find3M Report ---------------------------------------------------------------

2008-01-18 02:29:18 0 d-------- C:\Arquivos de programas\Wireless Combo
2008-01-18 02:09:28 0 d-------- C:\Arquivos de programas\MFR6
2008-01-18 01:43:42 0 d-------- C:\Arquivos de programas\GbPlugin
2008-01-18 01:27:59 0 d-------- C:\Arquivos de programas\DAEMON Tools
2008-01-16 18:20:20 0 d-------- C:\Arquivos de programas\SpywareBlaster
2008-01-09 20:08:52 0 d-------- C:\Arquivos de programas\eMule
2008-01-09 16:58:40 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\BSplayer PRO
2008-01-09 16:58:29 0 d-------- C:\Arquivos de programas\Webteh
2007-12-20 14:35:19 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-12 11:54:59 240 --a------ C:\WINDOWS\system32\RfmDat2.dat
2007-12-01 10:36:24 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\Adobe
2007-12-01 10:29:04 0 d-------- C:\Arquivos de programas\Arquivos comuns
2007-12-01 09:04:56 0 d-------- C:\Arquivos de programas\Sibelius Software
2007-11-29 22:32:20 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\uTorrent
2007-11-22 09:39:59 451670 --a------ C:\WINDOWS\system32\perfh016.dat
2007-11-22 09:39:59 78596 --a------ C:\WINDOWS\system32\perfc016.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [20/06/2003 13:06 C:\WINDOWS\system32\ptipbmf.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"SoundMan"="SOUNDMAN.EXE" [26/02/2004 06:53 C:\WINDOWS\SOUNDMAN.EXE]
"Pinnacle WebUpdater"="C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [26/03/2006 12:10]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [10/12/2005 12:57]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Activar programa de Leading Scroll.lnk - C:\Arquivos de programas\Wireless Combo\MulMouse.exe [27/1/2007 14:33:31]
Media Key.lnk - C:\Arquivos de programas\Wireless Combo\MagicKey.exe [27/1/2007 14:33:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [03/12/2007 16:30 347976]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [15/08/2007 19:14 207280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GbPlugin\gbieh.dll 03/12/2007 16:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 03/12/2007 16:30 347976 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Arquivos de programas\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Arquivos de programas\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Arquivos de programas\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\system32\Sims 2 Pets.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tomar Agua]
D:\Meus Documentos\E-mail\Slides\Tomar_Agua.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Arquivos de programas\Winamp\Winampa.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ebad148-5a83-11dc-90e0-0013d42eb01f}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-01-20 03:47:30 ------------


Well, how are we going? Don't we have to delete these backed-up viruses now? And the file 'install.exe' in My Documents too?

May I re-install AVG and Spybot? Will they work?

One more thing: what about the red line above, "SafeBoot registry key needs repairs. This machine cannot enter Safe Mode."?

Thanks again and forever. :D

Rorschach112
2008-01-20, 11:39
We are nearly done now

Download and run SafeBootKeyRepair-CF from:

http://download.bleepingcomputer.com/sUBs/SafeBootKeyRepair.exe
or
http://www.techsupportforum.com/sectools/sUBs/SafeBootKeyRepair-CF.exe

It will take only a moment for it to run.
A log will be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.



And the file 'install.exe' in my documents too?
Go to this site and scan that file:

http://virusscan.jotti.org/de/

Paste the results back here.

Kankiz
2008-01-20, 17:43
Hi,

Here is the SafeBootKeyRepair report:


Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SharedAccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================


And the file scan:


File: install.exe
Service load: 0% 100%

Status: INFECTED/MALWARE
Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
Bit9 reports: No threat detected (more info)

A-Squared: No viruses found
AntiVir: DR/Padonak.B found
ArcaVir: No viruses found
Avast: Win32:Trojan-gen {VC} found
AVG Antivirus: No viruses found
BitDefender: No viruses found
ClamAV: No viruses found
CPsecure: No viruses found
Dr.Web: No viruses found
F-Prot Antivirus: No viruses found
F-Secure Anti-Virus: P2P-Worm.Win32.Padonak.b found
Fortinet: No viruses found
Ikarus: P2P-Worm.Win32.Padonak.b found
Kaspersky Anti-Virus: P2P-Worm.Win32.Padonak.b found
NOD32: No viruses found
Norman Virus Control: No viruses found
Panda Antivirus: No viruses found
Rising Antivirus: No viruses found
Sophos Antivirus: No viruses found
VirusBuster: No viruses found
VBA32: P2P-Worm.Win32.Padonak.b found
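
The DSS warning earlier in the thread ("SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.") came from the worm stripping most subkeys out of HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal; the dump then listed only nine entries, while the export above shows the 42 that SafeBootKeyRepair restored. The script below is an added example for this page, not code from Deckard's System Scanner, SafeBootKeyRepair or any of the posters: it parses the plain "Windows Registry Editor Version 5.00" export format printed above and reports which baseline entries are missing, so the same check can be repeated with `reg export` on another machine. The baseline set is copied from the post-repair export on this page; the damaged sample is constructed from the nine entries DSS listed before the repair; the file and function names are this example's own choices.

```python
"""Check a SafeBoot registry export for subkeys a worm has deleted.

Added example for this thread; not part of Deckard's System Scanner,
SafeBootKeyRepair or anything the posters ran.  MINIMAL_BASELINE is copied
from the post-repair export on this page; DAMAGED_ENTRIES is a constructed
sample holding only the nine entries DSS listed before the repair.

    reg export HKLM\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot safeboot.reg
    python safeboot_check.py safeboot.reg
"""
import re
import sys

SAFEBOOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"

# SafeBoot\Minimal subkeys present after SafeBootKeyRepair ran (export above).
MINIMAL_BASELINE = frozenset("""
AppMgmt|Base|Boot Bus Extender|Boot file system|CryptSvc|DcomLaunch|dmadmin|
dmboot.sys|dmio.sys|dmload.sys|dmserver|EventLog|File system|Filter|HelpSvc|
Netlogon|PCI Configuration|PlugPlay|PNP Filter|Primary disk|RpcSs|SCSI Class|
sermouse.sys|sr.sys|SRService|System Bus Extender|vga.sys|vgasave.sys|WinMgmt|
{36FC9E60-C465-11CF-8056-444553540000}|{4D36E965-E325-11CE-BFC1-08002BE10318}|
{4D36E967-E325-11CE-BFC1-08002BE10318}|{4D36E969-E325-11CE-BFC1-08002BE10318}|
{4D36E96A-E325-11CE-BFC1-08002BE10318}|{4D36E96B-E325-11CE-BFC1-08002BE10318}|
{4D36E96F-E325-11CE-BFC1-08002BE10318}|{4D36E977-E325-11CE-BFC1-08002BE10318}|
{4D36E97B-E325-11CE-BFC1-08002BE10318}|{4D36E97D-E325-11CE-BFC1-08002BE10318}|
{4D36E980-E325-11CE-BFC1-08002BE10318}|{71A27CDD-812A-11D0-BEC7-08002BE2092F}|
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}
""".replace("\n", "").split("|"))

# Constructed sample: the only SafeBoot\Minimal entries DSS found before the
# repair.  Without the driver groups and services Safe Mode depends on,
# Windows cannot boot into Safe Mode, which is what the red DSS line meant.
DAMAGED_ENTRIES = [
    ("File system", "Driver Group"), ("RpcSs", "Service"),
    ("vgasave.sys", "Driver"),
    ("{4D36E967-E325-11CE-BFC1-08002BE10318}", "DiskDrive"),
    ("{4D36E96A-E325-11CE-BFC1-08002BE10318}", "Hdc"),
    ("{4D36E96B-E325-11CE-BFC1-08002BE10318}", "Keyboard"),
    ("{4D36E96F-E325-11CE-BFC1-08002BE10318}", "Mouse"),
    ("{4D36E97D-E325-11CE-BFC1-08002BE10318}", "System"),
    ("{71A27CDD-812A-11D0-BEC7-08002BE2092F}", "Volume"),
]

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<value>.*)$')


def render_reg_export(entries, mode="Minimal"):
    """Build regedit 5.00 text from (subkey, default value) pairs."""
    out = ["Windows Registry Editor Version 5.00", "",
           "[%s]" % SAFEBOOT, '"AlternateShell"="cmd.exe"', ""]
    for name, default in entries:
        out += ["[%s\\%s\\%s]" % (SAFEBOOT, mode, name), '@="%s"' % default, ""]
    return "\r\n".join(out)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: raw_value}}.

    Key paths keep their original case; the lookups below compare
    case-insensitively, as the registry does.  The banner, blank lines
    and any value line outside a [key] header are skipped.
    """
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group("path")
            tree.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            tree[current][m.group("name").strip('"')] = m.group("value")
    return tree


def safeboot_subkeys(tree, mode="Minimal"):
    """Names of the direct subkeys present under SafeBoot\\<mode>."""
    prefix = (SAFEBOOT + "\\" + mode + "\\").lower()
    return {p[len(prefix):].split("\\", 1)[0]
            for p in tree if p.lower().startswith(prefix)}


def missing_safeboot_entries(tree, baseline=MINIMAL_BASELINE, mode="Minimal"):
    """Baseline subkeys absent from the export, sorted, compared case-insensitively."""
    present = {n.lower() for n in safeboot_subkeys(tree, mode)}
    return sorted(n for n in baseline if n.lower() not in present)


def read_reg_file(path):
    """reg.exe writes UTF-16 LE with a BOM; hand-saved copies may be ANSI."""
    data = open(path, "rb").read()
    return data.decode("utf-16" if data.startswith(b"\xff\xfe") else "latin-1")


if __name__ == "__main__":
    text = (read_reg_file(sys.argv[1]) if len(sys.argv) > 1
            else render_reg_export(DAMAGED_ENTRIES))
    missing = missing_safeboot_entries(parse_reg_export(text))
    if missing:
        print("SafeBoot\\Minimal needs repair; %d of %d entries missing:"
              % (len(missing), len(MINIMAL_BASELINE)))
        for name in missing:
            print("  " + name)
    else:
        print("SafeBoot\\Minimal matches the baseline.")
```

Run without arguments it checks the constructed damaged sample and reports 33 of 42 entries missing; with a path it reads a real `reg export` file. The baseline is Windows XP SP2 as exported on this page, so third-party entries added under SafeBoot\Minimal by security software will not be flagged, and a different Windows version needs its own baseline taken from a clean machine.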

Rorschach112
2008-01-20, 17:45
You can delete that install.exe file in My Documents.

Reboot, tell me if it is still there, and post a new DSS log.

Kankiz
2008-01-20, 18:02
Hi,

The 'install.exe' seems to be gone, and DSS has only created the 'main report'. Here it is:


Deckard's System Scanner v20071014.68
Run by ROBERIO on 2008-01-20 14:56:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as ROBERIO.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:56:15, on 20/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Arquivos de programas\DAEMON Tools\daemon.exe
C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe
C:\Arquivos de programas\Wireless Combo\MulMouse.exe
C:\Arquivos de programas\Wireless Combo\MagicKey.exe
C:\Arquivos de programas\Wireless Combo\OSD.EXE
C:\Arquivos de programas\Wireless Combo\MagicWl.exe
C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\ROBERIO\Desktop\dss.exe
C:\ARQUIV~1\TRENDM~1\HIJACK~1\ROBERIO.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://br.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GbPlugin\gbieh.dll
O2 - BHO: G-Buster Browser Defense ABN AMRO - {C41A1C0E-EA6C-11D4-B1B8-444553540007} - C:\Arquivos de programas\GbPlugin\gbiehabn.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Pinnacle WebUpdater] "C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" -s -f=UpdateVersion.xml -url=http://cdn.pinnaclesys.com/SupportFiles
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Arquivos de programas\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Activar programa de Leading Scroll.lnk = C:\Arquivos de programas\Wireless Combo\MulMouse.exe
O4 - Global Startup: Media Key.lnk = C:\Arquivos de programas\Wireless Combo\MagicKey.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399007} (GbPluginObj Class) - https://wwws.realsecureweb.com.br/mpr/plugin/Cab/GbPluginABN.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1DA91069-F0A3-45D2-9120-5039B282F347}: NameServer = 200.165.132.147,200.165.132.154
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GbPlugin\gbieh.dll
O20 - Winlogon Notify: __GbPluginBb - C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedul2.exe
O23 - Service: Gbp Service (GbpSv) - Unknown owner - C:\Arquivos de programas\GbPlugin\GbpSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pinnacle Systems Media Service (PinnacleSys.MediaServer) - Pinnacle Systems - C:\Arquivos de programas\Pinnacle\Shared Files\Programs\MediaServer\PMSHost.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6376 bytes

-- Files created between 2007-12-20 and 2008-01-20 -----------------------------

2008-01-20 04:07:42 0 dr-h----- C:\Documents and Settings\ROBERIO\Recent
2008-01-18 17:46:48 0 d-------- C:\Arquivos de programas\Trend Micro
2008-01-18 10:41:22 8576 --a------ C:\WINDOWS\system32\drivers\vfhfvquoiswm.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-18 09:50:21 8576 --a------ C:\WINDOWS\system32\drivers\oemjiubaxbrj.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-17 19:22:01 8576 --a------ C:\WINDOWS\system32\drivers\jocnmljhbhvi.sys <Not Verified; Panda Software International; RKPavProc Driver>


-- Find3M Report ---------------------------------------------------------------

2008-01-20 04:01:18 0 d-------- C:\Arquivos de programas\SpywareBlaster
2008-01-18 02:29:18 0 d-------- C:\Arquivos de programas\Wireless Combo
2008-01-18 02:09:28 0 d-------- C:\Arquivos de programas\MFR6
2008-01-18 01:43:42 0 d-------- C:\Arquivos de programas\GbPlugin
2008-01-18 01:27:59 0 d-------- C:\Arquivos de programas\DAEMON Tools
2008-01-09 20:08:52 0 d-------- C:\Arquivos de programas\eMule
2008-01-09 16:58:40 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\BSplayer PRO
2008-01-09 16:58:29 0 d-------- C:\Arquivos de programas\Webteh
2007-12-20 14:35:19 5018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-12 11:54:59 240 --a------ C:\WINDOWS\system32\RfmDat2.dat
2007-12-01 10:36:24 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\Adobe
2007-12-01 10:29:04 0 d-------- C:\Arquivos de programas\Arquivos comuns
2007-12-01 09:04:56 0 d-------- C:\Arquivos de programas\Sibelius Software
2007-11-29 22:32:20 0 d-------- C:\Documents and Settings\ROBERIO\Dados de aplicativos\uTorrent
2007-11-22 09:39:59 451670 --a------ C:\WINDOWS\system32\perfh016.dat
2007-11-22 09:39:59 78596 --a------ C:\WINDOWS\system32\perfc016.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [20/06/2003 13:06 C:\WINDOWS\system32\ptipbmf.dll]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22/10/2006 12:22]
"nwiz"="nwiz.exe" [22/10/2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22/10/2006 12:22]
"SoundMan"="SOUNDMAN.EXE" [26/02/2004 06:53 C:\WINDOWS\SOUNDMAN.EXE]
"Pinnacle WebUpdater"="C:\Arquivos de programas\Pinnacle\Shared Files\Programs\WebUpdater\WebUpdater.exe" [26/03/2006 12:10]
"DAEMON Tools"="C:\Arquivos de programas\DAEMON Tools\daemon.exe" [10/12/2005 12:57]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 02:11]

C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\
Activar programa de Leading Scroll.lnk - C:\Arquivos de programas\Wireless Combo\MulMouse.exe [27/1/2007 14:33:31]
Media Key.lnk - C:\Arquivos de programas\Wireless Combo\MagicKey.exe [27/1/2007 14:33:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GbPlugin\gbieh.dll [03/12/2007 16:30 347976]
"{E37CB5F0-51F5-4395-A808-5FA49E399007}"= C:\Arquivos de programas\GbPlugin\gbiehabn.dll [15/08/2007 19:14 207280]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GbPlugin\gbieh.dll 03/12/2007 16:30 347976 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__GbPluginBb]
C:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbieh.dll 03/12/2007 16:30 347976 C:\Arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 relog_ap

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]
"C:\Arquivos de programas\Arquivos comuns\Acronis\Schedule2\schedhlp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]
C:\Arquivos de programas\Acronis\TrueImageHome\TimounterMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdVantage]
"C:\Arquivos de programas\AdVantage\AdVantage.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H2O]
C:\Arquivos de programas\SyncroSoft\Pos\H2O\cledx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
"C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
"C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon05]
C:\WINDOWS\system32\hphmon05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD05]
C:\Arquivos de programas\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P ]
C:\WINDOWS\system32\Sims 2 Pets.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
"c:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\isuspm.exe" -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Arquivos de programas\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PinnacleDriverCheck]
C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Arquivos de programas\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
C:\Arquivos de programas\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Arquivos de programas\Java\jre1.5.0_11\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tomar Agua]
D:\Meus Documentos\E-mail\Slides\Tomar_Agua.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrueImageMonitor.exe]
C:\Arquivos de programas\Acronis\TrueImageHome\TrueImageMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"C:\Arquivos de programas\Winamp\Winampa.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9ebad148-5a83-11dc-90e0-0013d42eb01f}]
AutoRun\command- E:\LaunchU3.exe -a




-- End of Deckard's System Scanner: finished at 2008-01-20 14:56:32 ------------

Rorschach112
2008-01-20, 18:37
Your logs are clean! We need to do a few things.

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next goto Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up on the system restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan click OK then choose Yes on the confirmation window.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here (http://java.sun.com/javase/downloads/index.jsp)



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection from malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers real-time protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.

Kankiz
2008-01-20, 20:25
Hi,

Great! Man, you are the guy! :bow:

Spybot is already running and I'll install AVG next. I think I will not have any problems with it. :)

I've already had SpywareBlaster on my PC and I'm considering trying Mozilla instead of IE. I've also downloaded all the programs and warnings you told me to. :2thumb:

One thing: the 'Deckard' folder in C:\ contains a folder named '\backup\' that has: 1. my old temp files (in 'C:\Deckard\System Scanner\20080120011756\backup\DOCUME~1\ROBERIO\CONFIG~1\Temp\') and 2. a back-up of the viruses themselves: mdelk.exe & wintems.exe (in 'C:\Deckard\System Scanner\20080120011756\backup\WINDOWS\temp\ASHeuristic\'). Also, a folder named '\Downloaded Program Files\' (in the same folder '\WINDOWS\') with some files.
Should I delete all of them? :scratch:
And the programs HijackThis and Erunt, should I uninstall them too?

Thanks a lot. Guys like you make the world better to live. :bigthumb:

Robério, the Kankiz.

Rorschach112
2008-01-20, 20:52
Hello

You should delete this folder

C:\Deckard

The viruses have been removed, so you have nothing to worry about with that folder.



And the programs HijackThis and Erunt, should I uninstall them too?
Yes, it is best if you remove these for your own safety.


Any other questions for me ?

Kankiz
2008-01-21, 14:45
Hi,

Sorry for the delay, but I had to run SpyBot 3 times and it showed 5 spywares: :oops:

Win32.Agent.bgy: [SBI $3FF5579E] Configurações (Chave do registo, fixed)
HKEY_USERS\S-1-5-21-448539723-507921405-725345543-1003\Software\FirstRRRun

Win32.Bagle.E: [SBI $FC4E0548] Configurações (Chave do registo, fixed)
HKEY_USERS\S-1-5-21-448539723-507921405-725345543-1003\Software\DateTime4

Win32.Banker.ekn: [SBI $2636392B] Configurações (Chave do registo, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv

Win32.Banker.ekn: [SBI $899F74E1] Configurações (Chave do registo, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv

Win32.Banker.ekn: [SBI $D3EF9AE2] Configurações (Chave do registo, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv

The first two have been fixed, but the other 3 (Win32.Banker.ekn) still remain. I've run AVG and it detected nothing.

First, I was thinking that they were SpywareGuard's entries, so I uninstalled it and ran Spybot 2 times, but nothing. Actually, SpywareGuard has made my PC much slower, including the boot. Is it normal? It seems to be some incompatibility with SpyBot or AVG or SpywareBlaster.

Why did IceSword not detect these entries?
Well, these entries make me worry. What should we do?

Thanks again.

Rorschach112
2008-01-21, 14:52
Hello

I wouldn't worry about them, they are orphaned registry entries. Let's nuke them anyway though.

Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe



Now we need to fix your problems by making a .reg file. Copy the code below into a Notepad file. Name the file as fix.reg, change the "Save as Type" to "All files" and save it on the desktop.


Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-448539723-507921405-725345543-1003\Software\FirstRRRun]

[-HKEY_USERS\S-1-5-21-448539723-507921405-725345543-1003\Software\DateTime4]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\GbpSv]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\GbpSv]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\GbpSv]


Then double click on the fix.reg file, when it prompts to merge click "Yes".




Download and scan with SUPERAntiSpyware (http://www.superantispyware.com/) Free for Home Users Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here (http://www.superantispyware.com/definitions.html).)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
* Close browsers before scanning.
* Scan for tracking cookies.
* Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply. Click Close to exit the program.



Let me know how that goes

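Added example for this thread, not something Rorschach112 or Kankiz posted: a small Python check to run over a hand-typed fix.reg before merging it. It confirms the "Windows Registry Editor Version 5.00" header, that every key line has balanced brackets, that the root hive is a real one, and that every key uses the [-KEY] delete form (a plain [KEY] line would create an empty key instead of deleting it). The sample text below is constructed from the keys in this thread.

```python
"""Sanity-check a .reg file before merging it with regedit.

Added example for this thread; not part of the original posts. A missing
closing bracket on one key line is enough for regedit to ignore that entry
or misread the file, so the checks below catch that before the merge.
"""
import re

REG_HEADER = "Windows Registry Editor Version 5.00"

# Root hives a key line may start with (the real registry roots).
ROOT_HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER", "HKEY_USERS",
              "HKEY_CLASSES_ROOT", "HKEY_CURRENT_CONFIG")

# A key line: optional leading '-' (delete), then the path, in square brackets.
KEY_LINE = re.compile(r"^\[(-?)([^\]]*)\]$")


def check_reg_text(text, expect_delete_only=True):
    """Return a list of problem descriptions; an empty list means the file looks OK.

    With expect_delete_only=True every key line must use the [-KEY] form,
    which is what a cleanup fix.reg like the one in this thread should contain.
    """
    problems = []
    lines = text.splitlines()
    if not lines or lines[0].strip() != REG_HEADER:
        problems.append("line 1: missing header '%s'" % REG_HEADER)
    for number, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("["):
            match = KEY_LINE.match(line)
            if match is None:
                problems.append("line %d: unbalanced brackets: %s" % (number, line))
                continue
            minus, key = match.groups()
            hive = key.split("\\", 1)[0]
            if hive not in ROOT_HIVES:
                problems.append("line %d: unknown root hive %r" % (number, hive))
            if expect_delete_only and not minus:
                problems.append("line %d: key lacks the '-' prefix, so it would be "
                                "created rather than deleted" % number)
        elif "=" in line:
            continue  # a value assignment line; not checked further here
        else:
            problems.append("line %d: unexpected text: %s" % (number, line))
    return problems


# Constructed sample: the thread's fix.reg as first posted, with the closing
# bracket missing on the DateTime4 line (line 5 of the file).
BROKEN_FIX = """Windows Registry Editor Version 5.00

[-HKEY_USERS\\S-1-5-21-448539723-507921405-725345543-1003\\Software\\FirstRRRun]

[-HKEY_USERS\\S-1-5-21-448539723-507921405-725345543-1003\\Software\\DateTime4

[-HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\GbpSv]
"""

# The same file with the bracket restored.
GOOD_FIX = BROKEN_FIX.replace("DateTime4\n", "DateTime4]\n")

if __name__ == "__main__":
    for name, text in (("broken", BROKEN_FIX), ("good", GOOD_FIX)):
        print(name, check_reg_text(text) or "OK")
```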
Kankiz
2008-01-22, 14:40
Hi,

I've done what you told me but SpyBot still detects the 3 entries for the 'Win32.Banker.ekn'. :sad:

I've run SUPERAntiSpyware and it detected some threats, but not the 'Win32.Banker.ekn' entries. They are in quarantine. Should I delete them from there?

Then I've run Kaspersky and it detected some other threats too.

The logs follow:



SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/21/2008 at 10:18 PM

Application Version : 3.9.1008

Core Rules Database Version : 3384
Trace Rules Database Version: 1378

Scan type : Complete Scan
Total Scan Time : 02:48:20

Memory items scanned : 389
Memory threats detected : 0
Registry items scanned : 8642
Registry threats detected : 0
File items scanned : 135508
File threats detected : 4

Adware.Tracking Cookie
C:\Documents and Settings\ROBERIO\Cookies\roberio@ads.abril.com[1].txt
C:\Documents and Settings\ROBERIO\Cookies\roberio@ad.adnetwork.com[2].txt

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\STU.DLL

Unclassified.Unknown Origin
D:\MEUS DOCUMENTOS\PROGRAMAS\PESSOAIS\PC\DRIVES\P4P800E-DELUXE\378RAID_100137\378RAID\WINXP\FASTTX2K.SYS



The Kaspersky log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, January 22, 2008 9:53:51 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/01/2008
Kaspersky Anti-Virus database records: 526268
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 235839
Number of viruses found: 2
Number of infected objects: 7
Number of suspicious objects: 0
Duration of the scan process: 03:22:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Dados de aplicativos\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Dados de aplicativos\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\.housecall6.6\Quarantine\mdelk.exe.bac_a01456 Infected: Email-Worm.Win32.Bagle.of skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Dados de aplicativos\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Histórico\History.IE5\MSHist012008012220080123\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Configurações locais\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat Object is locked skipped
C:\Documents and Settings\ROBERIO\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\ROBERIO\UserData\index.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP170\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\dtscsi.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd8925.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\Meus Documentos C\Programas\Diversos\DAP 5.3.9.8 & Language\dap53lang.exe/WISE0021.BIN/dapiebar.dll Infected: not-a-virus:AdWare.Win32.Dap.c skipped
E:\Meus Documentos C\Programas\Diversos\DAP 5.3.9.8 & Language\dap53lang.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Dap.c skipped
E:\Meus Documentos C\Programas\Diversos\DAP 5.3.9.8 & Language\dap53lang.exe WiseSFX: infected - 2 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{1112CD02-B90E-4226-8E24-9C9D042B5813}\RP89\A0012905.exe Object is locked skipped
E:\System Volume Information\_restore{ED8B2F9C-2807-476C-9B80-AF4C801C46F9}\RP354\A0053864.exe/WISE0021.BIN/dapiebar.dll Infected: not-a-virus:AdWare.Win32.Dap.c skipped
E:\System Volume Information\_restore{ED8B2F9C-2807-476C-9B80-AF4C801C46F9}\RP354\A0053864.exe/WISE0021.BIN Infected: not-a-virus:AdWare.Win32.Dap.c skipped
E:\System Volume Information\_restore{ED8B2F9C-2807-476C-9B80-AF4C801C46F9}\RP354\A0053864.exe WiseSFX: infected - 2 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Rorschach112
2008-01-22, 15:49
I wouldn't worry about those entries

Run Spybot in Safe Mode and see if that removes them

Kaspersky or SUPERAntiSpyware didn't detect anything so that's good. They are just orphaned registry keys

How is your PC running? Any problems?

Kankiz
2008-01-22, 23:46
Hi,

Sorry again for the delay. Now I have hardware problems. First, I couldn't enter safe mode in order to run SpyBot as you've said: simply, my motherboard uses the F8 key to select between boot devices and I do not know another way to enter safe mode. Second, I've just realized the CPU's fan is not working properly and the chip is becoming a sun inside the box. :sick: Of course my PC is off now and I'm writing this letter from another one.

But I think the software part of it is as well as ever. If you say that I should not concern myself with those entries, I believe you.

I should say 'THANK YOU' a lot of times, but it would be boring for both of us. Let us say we need more guys like you on the planet. God bless you, man. That's it.

Robério, the Kankiz.

Rorschach112
2008-01-23, 01:36
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.