Yet another Virtumonde infection



Iarad
2008-04-07, 23:56
I share this computer with two other people, and one of them downloaded an infected keygen. As a result, we now have a persistent Virtumonde infection, and I can't get rid of it. Vundofix fixes some entries, but whenever I run Spybot it's still there. Any help would be greatly appreciated.

Unfortunately, I can never get the Kaspersky Online Scanner to run here, and I'm also afraid running Internet Explorer will make it worse. But here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:46:41, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe
C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\Netropa\Multimedia Keyboard\TrayMon.exe
C:\Arquivos de programas\Netropa\Onscreen Display\OSD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Last.fm\LastFMHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Clara\Desktop\HiJackThis.exe

O3 - Toolbar: Exibir Barra de ferramentas do Norton - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Atualizador - Puxa Rápido] C:\Arquivos de programas\Puxa Rápido\Atualiza.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BDRegion] C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [Ink Monitor] C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [BM63b99a00] Rundll32.exe "C:\WINDOWS\system32\wpwoloxl.dll",s
O4 - HKLM\..\Run: [608aa99c] rundll32.exe "C:\WINDOWS\system32\irulhapn.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Arquivos de programas\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Last.fm Helper.lnk = C:\Arquivos de programas\Last.fm\LastFMHelper.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: Last.fm Helper.lnk = C:\Arquivos de programas\Last.fm\LastFMHelper.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Arquivos de programas\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Arquivos de programas\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204238145968
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Arquivos de programas\Sunset Studio\Images\armhelper.ocx
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 8026 bytes
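
The log above (and the DSS-embedded HijackThis log later in this thread) shows the entries a helper looks for first in a Virtumonde/Vundo case: `O4` Run values with hex-looking names that start `rundll32` on a random eight-letter DLL under system32 with a one-letter export, nameless `O2` BHOs whose DLL is "(file missing)", and an `O20` Winlogon Notify entry whose DLL is gone. The script below is an added example, not a tool from this thread or from Spybot/HijackThis: it parses HijackThis-format lines and flags those patterns so the suspicious entries can be separated from the Symantec, Java and G-Buster entries that also appear. The sample lines are copied from the logs posted here plus a few benign ones; the heuristics are my own assumptions drawn from these logs, not a published signature.

```python
"""Triage helper for HijackThis-style logs (added example).

Flags the entry shapes seen in the Virtumonde logs in this thread.  The
heuristics are assumptions based on those logs, not a vendor signature.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: lines copied from the posted logs, plus benign entries
# (Java, SiSPower, ctfmon, Symantec, G-Buster) that must NOT be flagged.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {77600C61-464B-4207-BF5F-8CB2A2F630AF} - C:\WINDOWS\system32\khfDTmmk.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [BM63b99a00] Rundll32.exe "C:\WINDOWS\system32\wpwoloxl.dll",s
O4 - HKLM\..\Run: [608aa99c] rundll32.exe "C:\WINDOWS\system32\irulhapn.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: yayARjkk - yayARjkk.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)$', re.IGNORECASE)
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
HEX_NAME_RE = re.compile(r"^(?:BM)?[0-9a-f]{8,10}$")      # e.g. 608aa99c, BM63b99a00
RANDOM_DLL_RE = re.compile(r"^[A-Za-z]{8}\.dll$")          # e.g. wpwoloxl.dll, khfDTmmk.dll


@dataclass
class Finding:
    section: str
    dll: Optional[str]
    reason: str
    line: str


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def _check_o4(body: str, line: str) -> Optional[Finding]:
    m = RUN_RE.search(body)
    if not m:
        return None
    reasons, dll = [], None
    r = RUNDLL_RE.match(m.group("cmd"))
    if r:
        dll = basename(r.group("dll"))
        if len(r.group("export")) == 1:
            reasons.append("rundll32 loads a DLL through a one-letter export")
        if RANDOM_DLL_RE.match(dll) and "system32" in r.group("dll").lower():
            reasons.append("random 8-letter DLL name under system32")
    if HEX_NAME_RE.match(m.group("name")):
        reasons.append("hex-looking Run value name")
    return Finding("O4", dll, "; ".join(reasons), line) if reasons else None


def _check_o2(body: str, line: str) -> Optional[Finding]:
    m = BHO_RE.search(body)
    if not m:
        return None
    path = m.group("path")
    missing = path.endswith("(file missing)") or path == "(no file)"
    dll = None if path == "(no file)" else basename(path.replace(" (file missing)", ""))
    reasons = []
    if m.group("name") == "(no name)" and missing:
        reasons.append("nameless BHO whose DLL is missing (leftover of a removed component)")
    if dll and RANDOM_DLL_RE.match(dll) and "system32" in path.lower():
        reasons.append("random 8-letter DLL name under system32")
    return Finding("O2", dll, "; ".join(reasons), line) if reasons else None


def _check_o20(body: str, line: str) -> Optional[Finding]:
    m = NOTIFY_RE.search(body)
    if not m or not m.group("path").endswith("(file missing)"):
        return None
    dll = basename(m.group("path").replace(" (file missing)", ""))
    return Finding("O20", dll, "Winlogon Notify entry whose DLL is missing", line)


CHECKS = {"O2": _check_o2, "O4": _check_o4, "O20": _check_o20}


def triage(log_text: str) -> list:
    """Return the suspicious entries of a HijackThis-format log, in log order."""
    findings = []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        check = CHECKS.get(m.group(1)) if m else None
        if check:
            f = check(m.group(2), line)
            if f:
                findings.append(f)
    return findings


def flagged_dlls(findings) -> list:
    """DLL basenames named by the findings; handy for matching O2/O4/O20 entries."""
    return sorted({f.dll for f in findings if f.dll})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it reports the two `rundll32` Run entries, the two nameless missing-file BHOs and the `yayARjkk` Winlogon Notify entry, and leaves the Java, SiSPower, ctfmon, Symantec and G-Buster lines alone. A "(file missing)" finding means the registry reference survived while the file was already removed (by Vundofix, Spybot or ComboFix), which is why the infection keeps reappearing in scans even after partial cleanup.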

Rorschach112
2008-04-08, 00:45
Hello

Please download ComboFix from Here (http://subs.geekstogo.com/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------


Close any open browsers.
WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
If there is no internet connection after running Combofix, then restart your computer to restore back your connection.


-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Iarad
2008-04-08, 01:45
I downloaded ComboFix to the desktop, deactivated Norton and closed the browser, but when double-clicking it I get a progress bar and a prompt window that has nothing in it and closes almost immediately. No log file is created. Is there anything else I should be doing?

In any case, I created another HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:39:54, on 7/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\Clara\Desktop\HiJackThis.exe

O3 - Toolbar: Exibir Barra de ferramentas do Norton - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Atualizador - Puxa Rápido] C:\Arquivos de programas\Puxa Rápido\Atualiza.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BDRegion] C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [608aa99c] rundll32.exe "C:\WINDOWS\system32\irulhapn.dll",b
O4 - HKLM\..\Run: [BM63b99a00] Rundll32.exe "C:\WINDOWS\system32\wpwoloxl.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Arquivos de programas\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204238145968
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Arquivos de programas\Sunset Studio\Images\armhelper.ocx
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Arquivos de programas\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6541 bytes

Rorschach112
2008-04-08, 18:06
Can you delete ComboFix.exe, re-download it from there again and run it?

Let me know how that goes

Iarad
2008-04-08, 22:31
Hey,

ComboFix did run this time, restarted the computer and created a log, though it doesn't look like much of a complete log:

ComboFix 08-04-08.4 - Clara 2008-04-08 17:14:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.492 [GMT -3:00]
Executando de: C:\Documents and Settings\Clara\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.




And the HJT log from after that:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25, on 2008-04-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Clara\Desktop\HiJackThis.exe

O3 - Toolbar: Exibir Barra de ferramentas do Norton - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Atualizador - Puxa Rápido] C:\Arquivos de programas\Puxa Rápido\Atualiza.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BDRegion] C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [608aa99c] rundll32.exe "C:\WINDOWS\system32\irulhapn.dll",b
O4 - HKLM\..\Run: [BM63b99a00] Rundll32.exe "C:\WINDOWS\system32\wpwoloxl.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Arquivos de programas\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204238145968
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Arquivos de programas\Sunset Studio\Images\armhelper.ocx
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 6140 bytes

Rorschach112
2008-04-09, 00:45
Do this

Please download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Iarad
2008-04-09, 01:29
Hey, thank you for your quick replies. The text is too long for a single reply, so I had to break it in two.

Deckard's System Scanner v20071014.68
Run by Clara on 2008-04-08 20:14:59
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
70: 2008-04-08 23:15:05 UTC - RP70 - Deckard's System Scanner Restore Point
69: 2008-04-08 23:00:31 UTC - RP69 - Software Distribution Service 3.0
68: 2008-04-08 22:53:50 UTC - RP68 - Deckard's System Scanner Restore Point
67: 2008-04-08 20:05:58 UTC - RP67 - ComboFix created restore point
66: 2008-04-07 22:04:32 UTC - RP66 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-06 06:15:45 UTC - RP1 - Ponto de verificação do sistema


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Clara.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:16, on 2008-04-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Clara\Desktop\dss.exe
C:\DOCUME~1\Clara\Desktop\Clara.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {77600C61-464B-4207-BF5F-8CB2A2F630AF} - C:\WINDOWS\system32\khfDTmmk.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85E3E7F1-99CF-4253-BF4D-D4D5D4C4BCF4} - C:\WINDOWS\system32\geBtSLDS.dll (file missing)
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\yayARjkk.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9B334F8B-4A08-43A4-80B1-87999E92145F} - C:\WINDOWS\system32\urqQgEUo.dll (file missing)
O2 - BHO: (no name) - {A5678FD2-82B3-424E-83FB-9A65E8534893} - C:\WINDOWS\system32\mlJAroOG.dll (file missing)
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O3 - Toolbar: Exibir Barra de ferramentas do Norton - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Atualizador - Puxa Rápido] C:\Arquivos de programas\Puxa Rápido\Atualiza.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BDRegion] C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Arquivos de programas\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204238145968
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Arquivos de programas\Sunset Studio\Images\armhelper.ocx
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: yayARjkk - yayARjkk.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7554 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 Ptserial (W2K Conexant Serial Device Driver) - c:\windows\system32\drivers\ptserial.sys <Not Verified; PCTEL, INC.; HSP Modem Serial Device>
R3 Vmodem (W2K Vmodem) - c:\windows\system32\drivers\vmodem.sys <Not Verified; Conexant Systems, Inc.; HSP Modem Modem Device>
R3 Vpctcom (W2K Vpctcom) - c:\windows\system32\drivers\vpctcom.sys <Not Verified; Conexant Systems, Inc.; HSP Modem Virtual Control Device>
R3 Vvoice (W2K Vvoice) - c:\windows\system32\drivers\vvoice.sys <Not Verified; Conexant Systems, Inc.; Conexant HSP Modem Voice Device>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 nhksrv (Netropa NHK Server) - c:\arquivos de programas\netropa\multimedia keyboard\nhksrv.exe

0


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: SiS 900 PCI Fast Ethernet Adapter
Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_09001039&REV_90\3&267A616A&0&20
Manufacturer: SiS
Name: SiS 900 PCI Fast Ethernet Adapter
PNP Device ID: PCI\VEN_1039&DEV_0900&SUBSYS_09001039&REV_90\3&267A616A&0&20
Service: SISNIC


-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 17:05:26 68096 --a------ C:\WINDOWS\zip.exe
2008-04-08 17:05:26 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-08 17:05:26 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-08 17:05:26 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-08 17:05:26 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-08 17:05:26 98816 --a------ C:\WINDOWS\sed.exe
2008-04-08 17:05:26 80412 --a------ C:\WINDOWS\grep.exe
2008-04-08 17:05:26 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-07 17:44:41 88128 --a------ C:\WINDOWS\system32\wpwoloxl.dll
2008-04-07 17:43:08 163017 --ahs---- C:\WINDOWS\system32\oUEgQqru.ini2
2008-04-07 04:19:41 87104 --a------ C:\WINDOWS\system32\blpstkic.dll
2008-04-07 04:17:49 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2008-04-07 02:09:40 3348 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-07 00:18:15 87104 --a------ C:\WINDOWS\system32\urihoasd.dll
2008-04-06 15:18:35 87104 --a------ C:\WINDOWS\system32\lcsevkjb.dll
2008-04-06 14:33:24 6454 --ahs---- C:\WINDOWS\system32\CJStCJjl.ini2
2008-04-06 03:46:56 37376 --a------ C:\WINDOWS\system32\ssqRJDWP.dll
2008-04-06 03:15:34 181509 --ahs---- C:\WINDOWS\system32\GOorAJlm.ini2
2008-04-02 01:20:33 0 d-------- C:\QuickPix 2005 Win
2008-03-16 00:49:32 0 d-------- C:\marvin_ico
2008-03-13 09:48:27 479232 --a------ C:\WINDOWS\system32\AudioVisu.dll <Not Verified; NCT Company Ltd.; NCTAudioVisualization2 ActiveX DLL>
2008-03-13 09:48:27 454656 --a------ C:\WINDOWS\system32\AudioRecord.dll <Not Verified; NCT Company Ltd.; NCTAudioRecord2 ActiveX DLL>
2008-03-13 09:48:26 458752 --a------ C:\WINDOWS\system32\AudPlayer.dll <Not Verified; NCT Company Ltd.; NCTAudioPlayer2 ActiveX DLL>
2008-03-13 09:48:26 1212416 --a------ C:\WINDOWS\system32\AudioInfos.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-03-13 09:48:26 1986560 --a------ C:\WINDOWS\system32\AudFile.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-03-13 09:48:26 417792 --a------ C:\WINDOWS\system32\AudDisplay.dll <Not Verified; NCT Company Ltd.; NCTAudioDisplay2 ActiveX DLL>
2008-03-13 09:48:25 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic pour Windows>
2008-03-13 09:48:25 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-03-13 09:48:25 15360 --a------ C:\WINDOWS\system32\inetfr.DLL <Not Verified; Microsoft Corporation; DLL du contrôle Microsoft Internet Transfer>
2008-03-13 09:48:25 2084864 --a------ C:\WINDOWS\system32\AudDesign.dll <Not Verified; NCT Company Ltd.; NCTAudioDesign2 ActiveX DLL>
2008-03-13 09:48:24 21504 --a------ C:\WINDOWS\system32\TABCTFR.DLL <Not Verified; Microsoft Corporation; Bibliothèque d'objets TabCtl32>
2008-03-13 09:48:22 141312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-03-13 09:48:22 59904 --a------ C:\WINDOWS\system32\Mscc2fr.dll <Not Verified; Microsoft Corporation; Bibliothèque d'objets de Microsoft Common Controls 2>
2008-03-13 09:48:22 32768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2008-03-08 19:35:00 0 d-------- C:\Arquivos de programas\Bejeweled 2 Deluxe
2008-03-08 19:34:39 0 d-------- C:\Arquivos de programas\ReflexiveArcade
2008-03-08 10:28:46 0 d-------- C:\Arquivos de programas\Bejeweled 2
2008-03-08 10:25:39 0 d-------- C:\Arquivos de programas\Sunset Studio
2008-03-08 09:04:35 69632 -ra------ C:\WINDOWS\system32\MSJCE.dll
2008-03-08 09:03:04 0 d-------- C:\Arquivos de programas\Programas RFB

[continues]

Iarad
2008-04-09, 01:32
[Main report, continued]

-- Find3M Report ---------------------------------------------------------------

2008-04-08 20:14:08 0 d-------- C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2008-04-08 19:52:17 0 d-------- C:\Arquivos de programas\Mozilla Thunderbird
2008-04-06 21:14:41 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\uTorrent
2008-04-06 17:36:22 0 d-------- C:\Arquivos de programas\CyberLink
2008-04-06 17:36:19 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-04-06 14:01:28 31 --a------ C:\WINDOWS\popcinfo.dat
2008-04-06 04:01:37 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\dvdcss
2008-04-06 03:29:54 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\CyberLink
2008-04-06 03:13:39 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-04-06 02:01:23 0 d-------- C:\Arquivos de programas\Astonsoft
2008-04-04 21:26:30 0 d-------- C:\Arquivos de programas\Soulseek
2008-03-30 23:41:49 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\FireShot
2008-03-29 23:26:03 0 d-------- C:\Arquivos de programas\GbPlugin
2008-03-27 19:39:26 0 d-------- C:\Arquivos de programas\Winamp
2008-03-27 19:38:53 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Winamp
2008-03-20 10:04:44 0 d-------- C:\Arquivos de programas\Norton 360
2008-03-18 17:32:07 0 d-------- C:\Arquivos de programas\Java
2008-03-07 13:22:39 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\DeepBurner Pro
2008-03-05 13:34:58 0 d-------- C:\Arquivos de programas\Atrativa Games
2008-03-04 00:09:05 0 d-------- C:\Arquivos de programas\Audacity
2008-03-03 22:13:58 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Adobe
2008-03-02 15:00:41 0 d-------- C:\Arquivos de programas\Programas SRF
2008-02-29 05:34:59 0 d-------- C:\Arquivos de programas\Symantec
2008-02-28 22:47:12 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Symantec
2008-02-28 21:12:21 347648 --a------ C:\WINDOWS\system32\perfh016.dat
2008-02-28 21:12:21 49804 --a------ C:\WINDOWS\system32\perfc016.dat
2008-02-28 21:02:36 0 d-------- C:\Arquivos de programas\Messenger
2008-02-28 20:49:17 0 d-------- C:\Arquivos de programas\Windows Live
2008-02-28 20:47:20 0 d--hs--c- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2008-02-28 18:15:07 0 d-------- C:\Arquivos de programas\MusicBrainz Picard
2008-02-26 17:12:22 0 d-------- C:\Arquivos de programas\Lavasoft
2008-02-26 17:09:31 0 d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-02-26 16:59:27 0 d-------- C:\Arquivos de programas\DVD Region+CSS Free
2008-02-26 06:17:49 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Opera
2008-02-26 01:03:16 0 d-------- C:\Arquivos de programas\ACD Systems
2008-02-26 01:01:37 0 d-------- C:\Arquivos de programas\ACDSee32
2008-02-25 19:07:19 0 d-------- C:\Arquivos de programas\Opera
2008-02-24 12:33:42 0 d-------- C:\Arquivos de programas\TryMedia
2008-02-24 08:36:50 0 d-------- C:\Arquivos de programas\CDex_150
2008-02-24 04:52:49 0 d-------- C:\Arquivos de programas\EvilLyrics
2008-02-24 02:24:40 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\vlc
2008-02-23 21:54:14 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\ACD Systems
2008-02-23 21:29:20 0 d-------- C:\Arquivos de programas\uTorrent
2008-02-23 21:13:42 0 d-------- C:\Arquivos de programas\CoreFTP
2008-02-23 21:12:28 3472061 --a------ C:\Arquivos de programas\coreftplite.exe
2008-02-23 21:09:20 0 --a------ C:\Arquivos de programas\Opera_9.26_Eng_Setup.exe
2008-02-23 21:03:15 0 d-------- C:\Arquivos de programas\Last.fm
2008-02-23 21:02:50 842672 --a------ C:\Arquivos de programas\slsk156c.exe
2008-02-23 21:02:24 5708354 --a------ C:\Arquivos de programas\Last.fm-1.4.2.59470.exe <Not Verified; Last.fm; >
2008-02-23 21:01:46 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Macromedia
2008-02-23 20:51:27 0 d-------- C:\Arquivos de programas\CDisplay
2008-02-23 20:50:57 1158444 --a------ C:\Arquivos de programas\setup.zip
2008-02-23 20:46:42 0 d-------- C:\Arquivos de programas\VideoLAN
2008-02-23 20:37:06 6013552 --a------ C:\Arquivos de programas\DeepBurnerPro.exe
2008-02-23 20:35:22 6890566 --a------ C:\Arquivos de programas\picard-setup-0.9.0.exe
2008-02-23 20:34:11 9733451 --a------ C:\Arquivos de programas\vlc-0.8.6d-win32.exe
2008-02-23 20:33:45 0 d-------- C:\Arquivos de programas\Microsoft Reader
2008-02-23 20:31:48 811198 --a------ C:\Arquivos de programas\evillyrics.zip
2008-02-23 20:23:24 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe
2008-02-23 20:20:41 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared
2008-02-23 20:13:43 344998294 --a------ C:\Arquivos de programas\Photoshop_CS2_tryout.zip
2008-02-23 19:53:36 0 d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-02-23 19:52:45 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Sun
2008-02-23 19:35:01 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\WinRAR
2008-02-23 17:42:59 0 d-------- C:\Arquivos de programas\BrOffice.org 2.3
2008-02-23 17:42:10 1190 --a------ C:\WINDOWS\mozver.dat
2008-02-23 15:50:04 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Mozilla
2008-02-23 15:50:02 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Thunderbird
2008-02-23 15:44:49 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Talkback
2008-02-23 15:26:47 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Identities
2008-02-23 07:23:07 0 d-------- C:\Arquivos de programas\EPSON
2008-02-21 20:40:00 0 d-------- C:\Arquivos de programas\Netropa
2008-02-21 20:39:48 0 d-------- C:\Arquivos de programas\Arquivos comuns\InstallShield
2008-02-21 19:49:03 0 d-------- C:\Arquivos de programas\Puxa Rápido
2008-02-21 18:38:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-20 16:27:14 0 d-------- C:\Arquivos de programas\C-Media 3D Audio
2008-02-20 16:26:35 0 d-------- C:\Arquivos de programas\Ahead
2008-02-20 16:26:22 0 d-------- C:\Arquivos de programas\Arquivos comuns\Ahead
2008-02-20 16:25:57 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat
2008-02-20 16:25:57 0 --a------ C:\WINDOWS\system32\PTPTT.dat
2008-02-20 16:25:57 0 --a------ C:\WINDOWS\system32\PTHSP.dat
2008-02-20 15:43:44 0 d-------- C:\Arquivos de programas\Microsoft.NET
2008-02-20 15:43:11 0 d-------- C:\Arquivos de programas\Microsoft Works
2008-02-20 15:22:55 0 d-------- C:\Arquivos de programas\microsoft frontpage
2008-02-20 15:22:29 0 -rahs---- C:\MSDOS.SYS
2008-02-20 15:22:29 0 -rahs---- C:\IO.SYS
2008-02-20 15:22:29 0 --a------ C:\CONFIG.SYS
2008-02-20 15:22:29 0 --a------ C:\AUTOEXEC.BAT
2008-02-20 15:21:00 0 d--h----- C:\Arquivos de programas\WindowsUpdate
2008-02-20 15:20:56 0 d-------- C:\Arquivos de programas\Serviços on-line
2008-02-20 15:20:17 0 d-------- C:\Arquivos de programas\Arquivos comuns\Serviços
2008-02-20 15:20:14 0 d-------- C:\Arquivos de programas\Arquivos comuns\MSSoap
2008-02-20 15:20:06 0 d-------- C:\Arquivos de programas\Movie Maker
2008-02-20 15:19:12 21844 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-20 15:18:40 0 d-------- C:\Arquivos de programas\MSN Gaming Zone
2008-02-20 15:18:33 0 d-------- C:\Arquivos de programas\Windows NT
2008-02-20 12:14:39 0 d-------- C:\Arquivos de programas\Arquivos comuns\ODBC
2008-02-20 12:14:36 0 d-------- C:\Arquivos de programas\Arquivos comuns\SpeechEngines
2008-02-20 12:14:12 62 --ahs---- C:\Documents and Settings\Clara\Dados de aplicativos\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77600C61-464B-4207-BF5F-8CB2A2F630AF}]
C:\WINDOWS\system32\khfDTmmk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85E3E7F1-99CF-4253-BF4D-D4D5D4C4BCF4}]
C:\WINDOWS\system32\geBtSLDS.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E1BFC0E-8AD2-424D-AC8A-06038481516E}]
C:\WINDOWS\system32\yayARjkk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B334F8B-4A08-43A4-80B1-87999E92145F}]
C:\WINDOWS\system32\urqQgEUo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5678FD2-82B3-424E-83FB-9A65E8534893}]
C:\WINDOWS\system32\mlJAroOG.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Atualizador - Puxa Rápido"="C:\Arquivos de programas\Puxa Rápido\Atualiza.exe" []
"PCTVOICE"="pctspk.exe" [2004-01-30 08:33 C:\WINDOWS\system32\pctspk.exe]
"Cmaudio"="cmicnfg.cpl" []
"SiSPower"="SiSPower.dll" [2006-05-05 21:13 C:\WINDOWS\system32\SiSPower.dll]
"EPSON Stylus C43 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.exe" [2002-12-25 03:00]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]
"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2007-01-09 18:59]
"Symantec PIF AlertEng"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38]
"BDRegion"="C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe" [2007-11-17 04:20]
"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45]

C:\Documents and Settings\Clara\Menu Iniciar\Programas\Inicializar\
Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\ARQUIV~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GBPLUGIN\gbieh.dll [2008-03-11 08:18 354600]
"{8E1BFC0E-8AD2-424D-AC8A-06038481516E}"= C:\WINDOWS\system32\yayARjkk.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GBPLUGIN\gbieh.dll 2008-03-11 08:18 354600 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayARjkk]
yayARjkk.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqQgEUo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Clara^Menu Iniciar^Programas^Inicializar^Last.fm Helper.lnk]
path=C:\Documents and Settings\Clara\Menu Iniciar\Programas\Inicializar\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-04-08 20:17:31 ------------



[I'm going to need more space for the extra report, it seems; it doesn't fit here]

Iarad
2008-04-09, 01:35
[Extra logfile Part One]


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: Portuguese

CPU 0: AMD Athlon(tm) MP
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 735.36 MiB / 434.33 MiB
Pagefile Memory (total/avail): 1802.05 MiB / 1522.29 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1942.65 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.3 GiB total, 26.52 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
F: is Fixed (NTFS) - 149.05 GiB total, 77.52 GiB free.

\\.\PHYSICALDRIVE0 - SAMSUNG SP0411N - 37.31 GiB - 1 partition
\PARTITION0 (bootable) - Sistema de arquivos instalável - 37.3 GiB - C:

\\.\PHYSICALDRIVE1 - SAMSUNG SP1644N - 149.05 GiB - 1 partition
\PARTITION0 - Gerenciador de discos lógicos - 149.05 GiB - F:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: Norton 360 v2007 (SYMANTEC Corporation) Disabled
AV: Norton 360 v2007 (SYMANTEC Corperation) Disabled Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"="C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Arquivos de programas\\uTorrent\\uTorrent.exe"="C:\\Arquivos de programas\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="C:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe"="C:\\Arquivos de programas\\CyberLink\\PowerDVD\\PowerDVD.exe:*:Enabled:CyberLink PowerDVD"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Clara\Dados de aplicativos
CLIENTNAME=Console
CommonProgramFiles=C:\Arquivos de programas\Arquivos comuns
COMPUTERNAME=PESSOAL-FA2B37D
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Clara
LOGONSERVER=\\PESSOAL-FA2B37D
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Arquivos de programas\Arquivos comuns\Adobe\AGL
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0801
ProgramFiles=C:\Arquivos de programas
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Clara\CONFIG~1\Temp
TMP=C:\DOCUME~1\Clara\CONFIG~1\Temp
USERDOMAIN=PESSOAL-FA2B37D
USERNAME=Clara
USERPROFILE=C:\Documents and Settings\Clara
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Clara (admin)
Talita (admin)
Iara (admin)
Administrador (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
ACDSee Classic --> C:\ARQUIV~1\ACDSee32\UNWISE.EXE C:\ARQUIV~1\ACDSee32\INSTALL.LOG
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Bridge 1.0 --> MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 - Português --> MsiExec.exe /I{AC76BA86-7AD7-1046-7B44-A81200000003}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
Arquivo do WinRAR --> C:\Arquivos de programas\WinRAR\uninstall.exe
µTorrent --> "C:\Arquivos de programas\uTorrent\uTorrent.exe" /UNINSTALL
Atualização de Segurança para Windows XP (KB890046) --> "C:\WINDOWS\$NtUninstallKB890046$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB893756) --> "C:\WINDOWS\$NtUninstallKB893756$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896358) --> "C:\WINDOWS\$NtUninstallKB896358$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896423) --> "C:\WINDOWS\$NtUninstallKB896423$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB896428) --> "C:\WINDOWS\$NtUninstallKB896428$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB899587) --> "C:\WINDOWS\$NtUninstallKB899587$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB899591) --> "C:\WINDOWS\$NtUninstallKB899591$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB900725) --> "C:\WINDOWS\$NtUninstallKB900725$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB901017) --> "C:\WINDOWS\$NtUninstallKB901017$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB901214) --> "C:\WINDOWS\$NtUninstallKB901214$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB902400) --> "C:\WINDOWS\$NtUninstallKB902400$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB905414) --> "C:\WINDOWS\$NtUninstallKB905414$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB905749) --> "C:\WINDOWS\$NtUninstallKB905749$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB908519) --> "C:\WINDOWS\$NtUninstallKB908519$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911562) --> "C:\WINDOWS\$NtUninstallKB911562$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB911927) --> "C:\WINDOWS\$NtUninstallKB911927$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB913580) --> "C:\WINDOWS\$NtUninstallKB913580$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB914388) --> "C:\WINDOWS\$NtUninstallKB914388$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB914389) --> "C:\WINDOWS\$NtUninstallKB914389$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB917344) --> "C:\WINDOWS\$NtUninstallKB917344$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918118) --> "C:\WINDOWS\$NtUninstallKB918118$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB918439) --> "C:\WINDOWS\$NtUninstallKB918439$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB919007) --> "C:\WINDOWS\$NtUninstallKB919007$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920213) --> "C:\WINDOWS\$NtUninstallKB920213$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920670) --> "C:\WINDOWS\$NtUninstallKB920670$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920683) --> "C:\WINDOWS\$NtUninstallKB920683$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB920685) --> "C:\WINDOWS\$NtUninstallKB920685$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB922819) --> "C:\WINDOWS\$NtUninstallKB922819$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923191) --> "C:\WINDOWS\$NtUninstallKB923191$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923414) --> "C:\WINDOWS\$NtUninstallKB923414$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923689) --> "C:\WINDOWS\$NtUninstallKB923689$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923694) --> "C:\WINDOWS\$NtUninstallKB923694$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB923789) --> C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Atualização de Segurança para Windows XP (KB923980) --> "C:\WINDOWS\$NtUninstallKB923980$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924270) --> "C:\WINDOWS\$NtUninstallKB924270$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924496) --> "C:\WINDOWS\$NtUninstallKB924496$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB924667) --> "C:\WINDOWS\$NtUninstallKB924667$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB925902) --> "C:\WINDOWS\$NtUninstallKB925902$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB926255) --> "C:\WINDOWS\$NtUninstallKB926255$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB926436) --> "C:\WINDOWS\$NtUninstallKB926436$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB927779) --> "C:\WINDOWS\$NtUninstallKB927779$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB927802) --> "C:\WINDOWS\$NtUninstallKB927802$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB928255) --> "C:\WINDOWS\$NtUninstallKB928255$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB928843) --> "C:\WINDOWS\$NtUninstallKB928843$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB930178) --> "C:\WINDOWS\$NtUninstallKB930178$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB931261) --> "C:\WINDOWS\$NtUninstallKB931261$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB931784) --> "C:\WINDOWS\$NtUninstallKB931784$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB932168) --> "C:\WINDOWS\$NtUninstallKB932168$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB933729) --> "C:\WINDOWS\$NtUninstallKB933729$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB935839) --> "C:\WINDOWS\$NtUninstallKB935839$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB935840) --> "C:\WINDOWS\$NtUninstallKB935840$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB936021) --> "C:\WINDOWS\$NtUninstallKB936021$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB937894) --> "C:\WINDOWS\$NtUninstallKB937894$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB938127) --> "C:\WINDOWS\$NtUninstallKB938127$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB938829) --> "C:\WINDOWS\$NtUninstallKB938829$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941202) --> "C:\WINDOWS\$NtUninstallKB941202$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941568) --> "C:\WINDOWS\$NtUninstallKB941568$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941569) --> "C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941644) --> "C:\WINDOWS\$NtUninstallKB941644$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB941693) --> "C:\WINDOWS\$NtUninstallKB941693$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB943055) --> "C:\WINDOWS\$NtUninstallKB943055$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB943460) --> "C:\WINDOWS\$NtUninstallKB943460$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB943485) --> "C:\WINDOWS\$NtUninstallKB943485$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB944338) --> "C:\WINDOWS\$NtUninstallKB944338$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB944533) --> "C:\WINDOWS\$NtUninstallKB944533$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB944653) --> "C:\WINDOWS\$NtUninstallKB944653$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB945553) --> "C:\WINDOWS\$NtUninstallKB945553$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB946026) --> "C:\WINDOWS\$NtUninstallKB946026$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB947864) --> "C:\WINDOWS\$NtUninstallKB947864$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB948590) --> "C:\WINDOWS\$NtUninstallKB948590$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB948881) --> "C:\WINDOWS\$NtUninstallKB948881$\spuninst\spuninst.exe"
Atualização para Windows XP (KB894391) --> "C:\WINDOWS\$NtUninstallKB894391$\spuninst\spuninst.exe"
Atualização para Windows XP (KB898461) --> "C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Atualização para Windows XP (KB900485) --> "C:\WINDOWS\$NtUninstallKB900485$\spuninst\spuninst.exe"
Atualização para Windows XP (KB908531) --> "C:\WINDOWS\$NtUninstallKB908531$\spuninst\spuninst.exe"
Atualização para Windows XP (KB910437) --> "C:\WINDOWS\$NtUninstallKB910437$\spuninst\spuninst.exe"
Atualização para Windows XP (KB911280) --> "C:\WINDOWS\$NtUninstallKB911280$\spuninst\spuninst.exe"
Atualização para Windows XP (KB916595) --> "C:\WINDOWS\$NtUninstallKB916595$\spuninst\spuninst.exe"
Atualização para Windows XP (KB920872) --> "C:\WINDOWS\$NtUninstallKB920872$\spuninst\spuninst.exe"
Atualização para Windows XP (KB922582) --> "C:\WINDOWS\$NtUninstallKB922582$\spuninst\spuninst.exe"
Atualização para Windows XP (KB927891) --> "C:\WINDOWS\$NtUninstallKB927891$\spuninst\spuninst.exe"
Atualização para Windows XP (KB930916) --> "C:\WINDOWS\$NtUninstallKB930916$\spuninst\spuninst.exe"
Atualização para Windows XP (KB938828) --> "C:\WINDOWS\$NtUninstallKB938828$\spuninst\spuninst.exe"
Atualização para Windows XP (KB942763) --> "C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Atualização para Windows XP (KB942840) --> "C:\WINDOWS\$NtUninstallKB942840$\spuninst\spuninst.exe"

[continues]

Iarad
2008-04-09, 01:36
[continued]

Audacity 1.2.6 --> "C:\Arquivos de programas\Audacity\unins000.exe"
AV --> MsiExec.exe /I{F4DB525F-A986-4249-B98B-42A8066251CA}
Bejeweled 2 --> C:\Arquivos de programas\Bejeweled 2\uninstall.exe
Bejeweled 2 Deluxe --> "C:\Arquivos de programas\Bejeweled 2 Deluxe\ReflexiveArcade\unins000.exe"
Bejeweled Deluxe 1.861 --> C:\Program Files\PopCap Games\Bejeweled Deluxe\PopUninstall.exe "C:\Program Files\PopCap Games\Bejeweled Deluxe\Install.log"
BrOffice.org 2.3 --> MsiExec.exe /I{311262EB-4A01-4708-A315-9814AF1FDA02}
C-Media 3D Audio --> C:\WINDOWS\CMIUnInstall.exe
ccCommon --> MsiExec.exe /I{3CCAD2EF-CFF2-4637-82AA-AABF370282D3}
CDex extraction audio --> "C:\Arquivos de programas\CDex_150\uninstall.exe"
CDisplay 1.8 --> "C:\Arquivos de programas\CDisplay\unins000.exe"
Core FTP LE 2.1 --> C:\ARQUIV~1\CoreFTP\UNWISE.EXE C:\ARQUIV~1\CoreFTP\INSTALL.LOG
DVD Region+CSS Free 5.9.8.3 --> "C:\Arquivos de programas\DVD Region+CSS Free\unins000.exe"
EvilLyrics --> "C:\Arquivos de programas\EvilLyrics\uninst.exe"
GearDrvs --> MsiExec.exe /I{228F6876-A313-40A3-91C0-C3CBE6997D09}
HijackThis 2.0.2 --> "C:\Documents and Settings\Clara\Desktop\HijackThis.exe" /uninstall
HSP56 Modem Drivers --> ptuninst.exe
Ink Monitor --> C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe -U
IRPF2006 - Declaração de Ajuste Anual --> C:\ARQUIV~1\PROGRA~1\IRPF2006\UNWISE.EXE C:\ARQUIV~1\PROGRA~1\IRPF2006\INSTALL.LOG
IRPF2007 - Declaração de Ajuste Anual --> C:\ARQUIV~1\PROGRA~1\IRPF2007\UNWISE.EXE C:\ARQUIV~1\PROGRA~1\IRPF2007\INSTALL.LOG
IRPF2008 - Declaração de Ajuste Anual --> C:\ARQUIV~1\PROGRA~2\IRPF2008\UNWISE.EXE C:\ARQUIV~1\PROGRA~2\IRPF2008\INSTALL.LOG
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Last.fm 1.4.2.59470 --> "C:\Arquivos de programas\Last.fm\unins000.exe"
LiveUpdate 3.2 (Symantec Corporation) --> "C:\Arquivos de programas\Symantec\LiveUpdate\LSETUP.EXE" /U
LiveUpdate Notice (Symantec Corporation) --> MsiExec.exe /X{DBA4DB9D-EE51-4944-A419-98AB1F1249C8}
Microsoft Office Professional Edição 2003 --> MsiExec.exe /I{90110416-6000-11D3-8CFE-0150048383C9}
Microsoft Reader --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{B6F7DBE7-2FE2-458F-A738-B10832746036}\Setup.exe" -L0x9
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.13) --> C:\Arquivos de programas\Mozilla Firefox\uninstall\helper.exe
Mozilla Thunderbird (2.0.0.12) --> C:\Arquivos de programas\Mozilla Thunderbird\uninstall\helper.exe
MusicBrainz Picard 0.9.0 --> C:\Arquivos de programas\MusicBrainz Picard\uninst.exe
Nero OEM --> C:\Arquivos de programas\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
Norton 360 --> MsiExec.exe /I{21829177-4DED-4209-AD08-490B3AC9C01A}
Norton 360 --> MsiExec.exe /I{2D617065-1C52-4240-B5BC-C0AE12157777}
Norton 360 --> MsiExec.exe /I{63A6E9A9-A190-46D4-9430-2DB28654AFD8}
Norton 360 (Symantec Corporation) --> "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SymSetup\{2D617065-1C52-4240-B5BC-C0AE12157777}_1_0_0_184\{2D617065-1C52-4240-B5BC-C0AE12157777}.exe" /X
Norton 360 Help --> MsiExec.exe /I{1CA941F1-5006-487E-9FD4-09F812A7D6B8}
Norton Confidential Browser Component --> MsiExec.exe /I{4843B611-8FCB-4428-8C23-31D0A5EAE164}
Norton Confidential Web Authentification Component --> MsiExec.exe /I{3074EB89-1BCA-4AEF-AFF4-EFB4634C1923}
Norton Confidential Web Protection Component --> MsiExec.exe /I{D353CC51-430D-4C6F-9B7E-52003DA1E05A}
Opera 9.26 --> MsiExec.exe /X{FB706A00-C234-4716-AB1F-27DCB192C664}
Receitanet 2008 --> C:\WINDOWS\DesinstRecnet.exe
Receitanet Java 2008.01 --> C:\Arquivos de programas\Programas RFB\Receitanet Java\desinstalar\desinstalar.exe
SiS Mirage Graphics --> Rundll32 SiSInst.dll,Uninstall VGA,R,oem3.inf
Smart Office Keyboard --> RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{0208A7E3-0D30-11D4-A1FC-00508B9D1BA2}\Setup.exe" -l0x416
Software para Impressoras EPSON --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /R
SoulSeek Client 156c --> "C:\Arquivos de programas\Soulseek\uninstall.exe"
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
Spybot - Search & Destroy --> "C:\Arquivos de programas\Spybot - Search & Destroy\unins000.exe"
Sunset Studio --> C:\Arquivos de programas\Sunset Studio\uninstall.exe
SuppSoft --> MsiExec.exe /I{022DA2C3-81C7-4003-A6BC-1BB147B20097}
Symantec Technical Support Controls --> MsiExec.exe /I{92B1B3CC-EC78-45B8-96D0-8B3F11495864}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
VideoLAN VLC media player 0.8.6d --> C:\Arquivos de programas\VideoLAN\VLC\uninstall.exe
Winamp --> "C:\Arquivos de programas\Winamp\UninstWA.exe"
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}


-- Application Event Log -------------------------------------------------------

Event Record #/Type1465 / Error
Event Submitted/Written: 04/08/2008 07:57:17 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha dss.exe, versão 3.2.8.1, módulo com falha dss.exe, versão 3.2.8.1, endereço com falha 0x0000f9d5.
Processando evento específico de mídia para [dss.exe!ws!]

Event Record #/Type1462 / Error
Event Submitted/Written: 04/08/2008 05:51:14 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha opera.exe, versão 9.26.8835.0, módulo com falha unknown, versão 0.0.0.0, endereço com falha 0x038f140a.
Processando evento específico de mídia para [opera.exe!ws!]

Event Record #/Type1269 / Error
Event Submitted/Written: 04/07/2008 04:40:34 PM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha firefox.exe, versão 1.8.20080.31114, módulo com falha gebtslds.dll, versão 0.0.0.0, endereço com falha 0x00038d06.
Processando evento específico de mídia para [firefox.exe!ws!]

Event Record #/Type1244 / Error
Event Submitted/Written: 04/07/2008 04:21:52 AM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha firefox.exe, versão 1.8.20080.31114, módulo com falha unknown, versão 0.0.0.0, endereço com falha 0x0419140a.
Processando evento específico de mídia para [firefox.exe!ws!]

Event Record #/Type1217 / Error
Event Submitted/Written: 04/07/2008 00:17:58 AM
Event ID/Source: 1000 / Application Error
Event Description:
Aplicativo com falha firefox.exe, versão 1.8.20080.31114, módulo com falha , versão 0.0.0.0, endereço com falha 0x00000000.
Processando evento específico de mídia para [firefox.exe!ws!]



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4855 / Error
Event Submitted/Written: 04/08/2008 08:10:04 PM
Event ID/Source: 7028 / Service Control Manager
Event Description:
A chave de Registro GbpSv negou acesso aos programas da conta SYSTEM e o Gerenciador de controle de serviços apropriou-se da chave.

Event Record #/Type4832 / Warning
Event Submitted/Written: 04/08/2008 07:51:53 PM
Event ID/Source: 1007 / Dhcp
Event Description:
O computador configurou automaticamente o endereço IP da placa de
rede com o endereço de rede 00115B500302. O endereço IP que está sendo usado é 169.254.132.169.

Event Record #/Type4830 / Warning
Event Submitted/Written: 04/08/2008 05:22:30 PM
Event ID/Source: 1007 / Dhcp
Event Description:
O computador configurou automaticamente o endereço IP da placa de
rede com o endereço de rede 00115B500302. O endereço IP que está sendo usado é 169.254.132.169.

Event Record #/Type4827 / Error
Event Submitted/Written: 04/08/2008 05:16:16 PM
Event ID/Source: 1003 / System Error
Event Description:
Código de erro 00000093, parâmetro1 000005d8, parâmetro2 00000000, parâmetro3 00000000, parâmetro4 00000000.

Event Record #/Type4814 / Error
Event Submitted/Written: 04/08/2008 05:16:00 PM
Event ID/Source: 7028 / Service Control Manager
Event Description:
A chave de Registro GbpSv negou acesso aos programas da conta SYSTEM e o Gerenciador de controle de serviços apropriou-se da chave.



-- End of Deckard's System Scanner: finished at 2008-04-08 20:17:31 ------------



I'm *really* sorry about the multiple replies. I tried to break the parts up the best I could.

Rorschach112
2008-04-09, 01:58
No problem :)

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O2 - BHO: (no name) - {77600C61-464B-4207-BF5F-8CB2A2F630AF} - C:\WINDOWS\system32\khfDTmmk.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85E3E7F1-99CF-4253-BF4D-D4D5D4C4BCF4} - C:\WINDOWS\system32\geBtSLDS.dll (file missing)
O2 - BHO: (no name) - {8E1BFC0E-8AD2-424D-AC8A-06038481516E} - C:\WINDOWS\system32\yayARjkk.dll (file missing)
O2 - BHO: (no name) - {9B334F8B-4A08-43A4-80B1-87999E92145F} - C:\WINDOWS\system32\urqQgEUo.dll (file missing)
O2 - BHO: (no name) - {A5678FD2-82B3-424E-83FB-9A65E8534893} - C:\WINDOWS\system32\mlJAroOG.dll (file missing)
O20 - Winlogon Notify: yayARjkk - yayARjkk.dll (file missing)

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



[kill explorer]
C:\WINDOWS\system32\wpwoloxl.dll
C:\WINDOWS\system32\oUEgQqru.ini2
C:\WINDOWS\system32\blpstkic.dll
C:\WINDOWS\system32\urihoasd.dll
C:\WINDOWS\system32\lcsevkjb.dll
C:\WINDOWS\system32\CJStCJjl.ini2
C:\WINDOWS\system32\ssqRJDWP.dll
C:\WINDOWS\system32\GOorAJlm.ini2
purity
[start explorer]


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
Click the red Moveit! button.
A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Reboot and post a new DSS log.
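
The entries the helper singles out above share a few mechanical traits: unnamed BHOs whose DLL is already gone, a Winlogon Notify package whose DLL is gone, and (in the DSS registry dump) an extra LSA "Authentication Packages" entry next to the default msv1_0. The script below is an added example, not part of this thread and not code from HijackThis, DSS or OTMoveIt2; it applies those three checks to HijackThis and DSS lines so a reviewer can triage a log before deciding what to fix. The sample lines are constructed from the entries posted in this thread, and the reason strings are the example's own.

```python
"""Triage HijackThis / DSS log lines for the indicators discussed in this thread.

Added example, not from the original thread or from the tools it mentions.
Sample input below is constructed from lines posted in the thread.
"""
import re

# Constructed sample: the O2/O20 entries the helper listed, plus one legitimate
# BHO, one legitimate Winlogon Notify entry, and the LSA value from the DSS dump.
SAMPLE_LOG = r"""
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {77600C61-464B-4207-BF5F-8CB2A2F630AF} - C:\WINDOWS\system32\khfDTmmk.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {85E3E7F1-99CF-4253-BF4D-D4D5D4C4BCF4} - C:\WINDOWS\system32\geBtSLDS.dll (file missing)
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O20 - Winlogon Notify: yayARjkk - yayARjkk.dll (file missing)
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqQgEUo
"""

# HijackThis O2 line: "O2 - BHO: <name> - {<CLSID>} - <target>"
HJT_O2 = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$')
# HijackThis O20 line: "O20 - Winlogon Notify: <key name> - <target>"
HJT_O20 = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$')
# DSS registry dump line for HKLM\SYSTEM\CurrentControlSet\Control\Lsa
LSA_AUTH = re.compile(r'^"Authentication Packages"=\s*(?P<pkgs>.*)$')

# On Windows XP the only default authentication package is msv1_0;
# anything else listed next to it deserves a look.
DEFAULT_AUTH_PACKAGES = {'msv1_0'}


def review_line(line):
    """Return the list of reasons this line deserves attention (empty if none)."""
    reasons = []

    m = HJT_O2.match(line)
    if m:
        target = m.group('target')
        if m.group('name') == '(no name)' and ('(file missing)' in target or target == '(no file)'):
            reasons.append('unnamed BHO whose DLL is gone: orphaned registration')
        return reasons

    m = HJT_O20.match(line)
    if m:
        if '(file missing)' in m.group('target'):
            reasons.append('Winlogon Notify package whose DLL is gone: orphaned registration')
        return reasons

    m = LSA_AUTH.match(line)
    if m:
        extra = [p for p in m.group('pkgs').split() if p.lower() not in DEFAULT_AUTH_PACKAGES]
        if extra:
            reasons.append('non-default LSA authentication package: ' + ', '.join(extra))
        return reasons

    return reasons


def review_log(text):
    """Run review_line over every line; return [(line, reasons)] for flagged lines only."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons = review_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for flagged, why in review_log(SAMPLE_LOG):
        print(flagged)
        for reason in why:
            print('   ->', reason)
```

Run against the constructed sample, five of the seven lines are flagged: the three unnamed BHOs with missing files, the yayARjkk Winlogon Notify entry, and the LSA value carrying urqQgEUo. The Adobe BHO and the GbPluginBb entry pass because the checks key on the orphaned-registration and non-default-package conditions, not on names.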

Iarad
2008-04-09, 03:52
Hey, here are the OTMoveIt2 and DSS logs, again in two parts:

File/Folder Code: not found.
File/Folder --------- not found.
Explorer killed successfully
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wpwoloxl.dll
C:\WINDOWS\system32\wpwoloxl.dll NOT unregistered.
C:\WINDOWS\system32\wpwoloxl.dll moved successfully.
C:\WINDOWS\system32\oUEgQqru.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\blpstkic.dll
C:\WINDOWS\system32\blpstkic.dll NOT unregistered.
C:\WINDOWS\system32\blpstkic.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\urihoasd.dll
C:\WINDOWS\system32\urihoasd.dll NOT unregistered.
C:\WINDOWS\system32\urihoasd.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\lcsevkjb.dll
C:\WINDOWS\system32\lcsevkjb.dll NOT unregistered.
C:\WINDOWS\system32\lcsevkjb.dll moved successfully.
C:\WINDOWS\system32\CJStCJjl.ini2 moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ssqRJDWP.dll
C:\WINDOWS\system32\ssqRJDWP.dll NOT unregistered.
C:\WINDOWS\system32\ssqRJDWP.dll moved successfully.
C:\WINDOWS\system32\GOorAJlm.ini2 moved successfully.
< purity >
Explorer started successfully
File/Folder --------- not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04082008_223001




Deckard's System Scanner v20071014.68
Run by Clara on 2008-04-08 22:42:19
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Clara.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42, on 2008-04-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
C:\ARQUIV~1\GbPlugin\GbpSv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe
C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe
C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Last.fm\LastFMHelper.exe
C:\Documents and Settings\Clara\Desktop\dss.exe
C:\DOCUME~1\Clara\Desktop\Clara.exe

O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O3 - Toolbar: Exibir Barra de ferramentas do Norton - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Atualizador - Puxa Rápido] C:\Arquivos de programas\Puxa Rápido\Atualiza.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [EPSON Stylus C43 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.EXE /P23 "EPSON Stylus C43 Series" /O5 "LPT1:" /M "Stylus C43"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BDRegion] C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Last.fm Helper.lnk = C:\Arquivos de programas\Last.fm\LastFMHelper.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file://C:\Arquivos de programas\Bejeweled 2\Images\stg_drm.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1204238145968
O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file://C:\Arquivos de programas\Sunset Studio\Images\armhelper.ocx
O16 - DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} (GbpDistObj Class) - https://www14.bancobrasil.com.br/plugin/GbpDist.cab
O20 - Winlogon Notify: GbPluginBb - C:\ARQUIV~1\GBPLUGIN\gbieh.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\VAScanner\comHost.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\ARQUIV~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Arquivos de programas\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 7097 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 17:05:26 68096 --a------ C:\WINDOWS\zip.exe
2008-04-08 17:05:26 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-08 17:05:26 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-08 17:05:26 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-08 17:05:26 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-08 17:05:26 98816 --a------ C:\WINDOWS\sed.exe
2008-04-08 17:05:26 80412 --a------ C:\WINDOWS\grep.exe
2008-04-08 17:05:26 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-07 04:17:49 50688 --a------ C:\ATF-Cleaner.exe <Not Verified; Atribune.org; ATF Cleaner>
2008-04-07 02:09:40 3348 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 01:20:33 0 d-------- C:\QuickPix 2005 Win
2008-03-16 00:49:32 0 d-------- C:\marvin_ico
2008-03-13 09:48:27 479232 --a------ C:\WINDOWS\system32\AudioVisu.dll <Not Verified; NCT Company Ltd.; NCTAudioVisualization2 ActiveX DLL>
2008-03-13 09:48:27 454656 --a------ C:\WINDOWS\system32\AudioRecord.dll <Not Verified; NCT Company Ltd.; NCTAudioRecord2 ActiveX DLL>
2008-03-13 09:48:26 458752 --a------ C:\WINDOWS\system32\AudPlayer.dll <Not Verified; NCT Company Ltd.; NCTAudioPlayer2 ActiveX DLL>
2008-03-13 09:48:26 1212416 --a------ C:\WINDOWS\system32\AudioInfos.dll <Not Verified; NCT Company Ltd.; NCTAudioInformation2 ActiveX DLL>
2008-03-13 09:48:26 1986560 --a------ C:\WINDOWS\system32\AudFile.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2008-03-13 09:48:26 417792 --a------ C:\WINDOWS\system32\AudDisplay.dll <Not Verified; NCT Company Ltd.; NCTAudioDisplay2 ActiveX DLL>
2008-03-13 09:48:25 101888 --a------ C:\WINDOWS\system32\VB6STKIT.DLL <Not Verified; Microsoft Corporation; Microsoft® Visual Basic pour Windows>
2008-03-13 09:48:25 119568 --a------ C:\WINDOWS\system32\VB6FR.DLL <Not Verified; Microsoft Corporation; Environnement Visual Basic>
2008-03-13 09:48:25 15360 --a------ C:\WINDOWS\system32\inetfr.DLL <Not Verified; Microsoft Corporation; DLL du contrôle Microsoft Internet Transfer>
2008-03-13 09:48:25 2084864 --a------ C:\WINDOWS\system32\AudDesign.dll <Not Verified; NCT Company Ltd.; NCTAudioDesign2 ActiveX DLL>
2008-03-13 09:48:24 21504 --a------ C:\WINDOWS\system32\TABCTFR.DLL <Not Verified; Microsoft Corporation; Bibliothèque d'objets TabCtl32>
2008-03-13 09:48:22 141312 --a------ C:\WINDOWS\system32\MSCMCFR.DLL <Not Verified; Microsoft Corporation; COMCTL>
2008-03-13 09:48:22 59904 --a------ C:\WINDOWS\system32\Mscc2fr.dll <Not Verified; Microsoft Corporation; Bibliothèque d'objets de Microsoft Common Controls 2>
2008-03-13 09:48:22 32768 --a------ C:\WINDOWS\system32\CMDLGFR.DLL <Not Verified; Microsoft Corporation; CMDIALOG>
2008-03-08 19:35:00 0 d-------- C:\Arquivos de programas\Bejeweled 2 Deluxe
2008-03-08 19:34:39 0 d-------- C:\Arquivos de programas\ReflexiveArcade
2008-03-08 10:28:46 0 d-------- C:\Arquivos de programas\Bejeweled 2
2008-03-08 10:25:39 0 d-------- C:\Arquivos de programas\Sunset Studio
2008-03-08 09:04:35 69632 -ra------ C:\WINDOWS\system32\MSJCE.dll
2008-03-08 09:03:04 0 d-------- C:\Arquivos de programas\Programas RFB

Iarad
2008-04-09, 03:52
[continued]

-- Find3M Report ---------------------------------------------------------------

2008-04-08 22:41:44 0 d-------- C:\Arquivos de programas\Arquivos comuns\Symantec Shared
2008-04-08 22:40:52 0 d-------- C:\Arquivos de programas\Mozilla Thunderbird
2008-04-06 21:14:41 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\uTorrent
2008-04-06 17:36:22 0 d-------- C:\Arquivos de programas\CyberLink
2008-04-06 17:36:19 0 d-------- C:\Arquivos de programas\Arquivos comuns
2008-04-06 14:01:28 31 --a------ C:\WINDOWS\popcinfo.dat
2008-04-06 04:01:37 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\dvdcss
2008-04-06 03:29:54 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\CyberLink
2008-04-06 03:13:39 0 d--h----- C:\Arquivos de programas\InstallShield Installation Information
2008-04-06 02:01:23 0 d-------- C:\Arquivos de programas\Astonsoft
2008-04-04 21:26:30 0 d-------- C:\Arquivos de programas\Soulseek
2008-03-30 23:41:49 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\FireShot
2008-03-29 23:26:03 0 d-------- C:\Arquivos de programas\GbPlugin
2008-03-27 19:39:26 0 d-------- C:\Arquivos de programas\Winamp
2008-03-27 19:38:53 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Winamp
2008-03-20 10:04:44 0 d-------- C:\Arquivos de programas\Norton 360
2008-03-18 17:32:07 0 d-------- C:\Arquivos de programas\Java
2008-03-07 13:22:39 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\DeepBurner Pro
2008-03-05 13:34:58 0 d-------- C:\Arquivos de programas\Atrativa Games
2008-03-04 00:09:05 0 d-------- C:\Arquivos de programas\Audacity
2008-03-03 22:13:58 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Adobe
2008-03-02 15:00:41 0 d-------- C:\Arquivos de programas\Programas SRF
2008-02-29 05:34:59 0 d-------- C:\Arquivos de programas\Symantec
2008-02-28 22:47:12 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Symantec
2008-02-28 21:12:21 347648 --a------ C:\WINDOWS\system32\perfh016.dat
2008-02-28 21:12:21 49804 --a------ C:\WINDOWS\system32\perfc016.dat
2008-02-28 21:02:36 0 d-------- C:\Arquivos de programas\Messenger
2008-02-28 20:49:17 0 d-------- C:\Arquivos de programas\Windows Live
2008-02-28 20:47:20 0 d--hs--c- C:\Arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2008-02-28 18:15:07 0 d-------- C:\Arquivos de programas\MusicBrainz Picard
2008-02-26 17:12:22 0 d-------- C:\Arquivos de programas\Lavasoft
2008-02-26 17:09:31 0 d-------- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2008-02-26 16:59:27 0 d-------- C:\Arquivos de programas\DVD Region+CSS Free
2008-02-26 06:17:49 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Opera
2008-02-26 01:03:16 0 d-------- C:\Arquivos de programas\ACD Systems
2008-02-26 01:01:37 0 d-------- C:\Arquivos de programas\ACDSee32
2008-02-25 19:07:19 0 d-------- C:\Arquivos de programas\Opera
2008-02-24 12:33:42 0 d-------- C:\Arquivos de programas\TryMedia
2008-02-24 08:36:50 0 d-------- C:\Arquivos de programas\CDex_150
2008-02-24 04:52:49 0 d-------- C:\Arquivos de programas\EvilLyrics
2008-02-24 02:24:40 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\vlc
2008-02-23 21:54:14 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\ACD Systems
2008-02-23 21:29:20 0 d-------- C:\Arquivos de programas\uTorrent
2008-02-23 21:13:42 0 d-------- C:\Arquivos de programas\CoreFTP
2008-02-23 21:12:28 3472061 --a------ C:\Arquivos de programas\coreftplite.exe
2008-02-23 21:09:20 0 --a------ C:\Arquivos de programas\Opera_9.26_Eng_Setup.exe
2008-02-23 21:03:15 0 d-------- C:\Arquivos de programas\Last.fm
2008-02-23 21:02:50 842672 --a------ C:\Arquivos de programas\slsk156c.exe
2008-02-23 21:02:24 5708354 --a------ C:\Arquivos de programas\Last.fm-1.4.2.59470.exe <Not Verified; Last.fm; >
2008-02-23 21:01:46 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Macromedia
2008-02-23 20:51:27 0 d-------- C:\Arquivos de programas\CDisplay
2008-02-23 20:50:57 1158444 --a------ C:\Arquivos de programas\setup.zip
2008-02-23 20:46:42 0 d-------- C:\Arquivos de programas\VideoLAN
2008-02-23 20:37:06 6013552 --a------ C:\Arquivos de programas\DeepBurnerPro.exe
2008-02-23 20:35:22 6890566 --a------ C:\Arquivos de programas\picard-setup-0.9.0.exe
2008-02-23 20:34:11 9733451 --a------ C:\Arquivos de programas\vlc-0.8.6d-win32.exe
2008-02-23 20:33:45 0 d-------- C:\Arquivos de programas\Microsoft Reader
2008-02-23 20:31:48 811198 --a------ C:\Arquivos de programas\evillyrics.zip
2008-02-23 20:23:24 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe
2008-02-23 20:20:41 0 d-------- C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared
2008-02-23 20:13:43 344998294 --a------ C:\Arquivos de programas\Photoshop_CS2_tryout.zip
2008-02-23 19:53:36 0 d-------- C:\Arquivos de programas\Arquivos comuns\Java
2008-02-23 19:52:45 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Sun
2008-02-23 19:35:01 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\WinRAR
2008-02-23 17:42:59 0 d-------- C:\Arquivos de programas\BrOffice.org 2.3
2008-02-23 17:42:10 1190 --a------ C:\WINDOWS\mozver.dat
2008-02-23 15:50:04 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Mozilla
2008-02-23 15:50:02 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Thunderbird
2008-02-23 15:44:49 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Talkback
2008-02-23 15:26:47 0 d-------- C:\Documents and Settings\Clara\Dados de aplicativos\Identities
2008-02-23 07:23:07 0 d-------- C:\Arquivos de programas\EPSON
2008-02-21 20:40:00 0 d-------- C:\Arquivos de programas\Netropa
2008-02-21 20:39:48 0 d-------- C:\Arquivos de programas\Arquivos comuns\InstallShield
2008-02-21 19:49:03 0 d-------- C:\Arquivos de programas\Puxa Rápido
2008-02-21 18:38:40 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-20 16:27:14 0 d-------- C:\Arquivos de programas\C-Media 3D Audio
2008-02-20 16:26:35 0 d-------- C:\Arquivos de programas\Ahead
2008-02-20 16:26:22 0 d-------- C:\Arquivos de programas\Arquivos comuns\Ahead
2008-02-20 16:25:57 1536 --a------ C:\WINDOWS\system32\TrueSoft.dat
2008-02-20 16:25:57 0 --a------ C:\WINDOWS\system32\PTPTT.dat
2008-02-20 16:25:57 0 --a------ C:\WINDOWS\system32\PTHSP.dat
2008-02-20 15:43:44 0 d-------- C:\Arquivos de programas\Microsoft.NET
2008-02-20 15:43:11 0 d-------- C:\Arquivos de programas\Microsoft Works
2008-02-20 15:22:55 0 d-------- C:\Arquivos de programas\microsoft frontpage
2008-02-20 15:22:29 0 -rahs---- C:\MSDOS.SYS
2008-02-20 15:22:29 0 -rahs---- C:\IO.SYS
2008-02-20 15:22:29 0 --a------ C:\CONFIG.SYS
2008-02-20 15:22:29 0 --a------ C:\AUTOEXEC.BAT
2008-02-20 15:21:00 0 d--h----- C:\Arquivos de programas\WindowsUpdate
2008-02-20 15:20:56 0 d-------- C:\Arquivos de programas\Serviços on-line
2008-02-20 15:20:17 0 d-------- C:\Arquivos de programas\Arquivos comuns\Serviços
2008-02-20 15:20:14 0 d-------- C:\Arquivos de programas\Arquivos comuns\MSSoap
2008-02-20 15:20:06 0 d-------- C:\Arquivos de programas\Movie Maker
2008-02-20 15:19:12 21844 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-02-20 15:18:40 0 d-------- C:\Arquivos de programas\MSN Gaming Zone
2008-02-20 15:18:33 0 d-------- C:\Arquivos de programas\Windows NT
2008-02-20 12:14:39 0 d-------- C:\Arquivos de programas\Arquivos comuns\ODBC
2008-02-20 12:14:36 0 d-------- C:\Arquivos de programas\Arquivos comuns\SpeechEngines
2008-02-20 12:14:12 62 --ahs---- C:\Documents and Settings\Clara\Dados de aplicativos\desktop.ini

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Atualizador - Puxa Rápido"="C:\Arquivos de programas\Puxa Rápido\Atualiza.exe" []
"PCTVOICE"="pctspk.exe" [2004-01-30 08:33 C:\WINDOWS\system32\pctspk.exe]
"Cmaudio"="cmicnfg.cpl" []
"SiSPower"="SiSPower.dll" [2006-05-05 21:13 C:\WINDOWS\system32\SiSPower.dll]
"EPSON Stylus C43 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S08IC1.exe" [2002-12-25 03:00]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25]
"ccApp"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\ccApp.exe" [2007-01-09 18:59]
"Symantec PIF AlertEng"="C:\Arquivos de programas\Arquivos comuns\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38]
"BDRegion"="C:\Arquivos de programas\Cyberlink\Shared Files\brs.exe" [2007-11-17 04:20]
"LanguageShortcut"="C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45]

C:\Documents and Settings\Clara\Menu Iniciar\Programas\Inicializar\
Adobe Gamma.lnk - C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50]
Last.fm Helper.lnk - C:\Arquivos de programas\Last.fm\LastFMHelper.exe [2008-02-23 21:03:12]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= C:\ARQUIV~1\DVDREG~1\DVDShell.dll [2004-10-09 15:18 49152]
"{E37CB5F0-51F5-4395-A808-5FA49E399F83}"= C:\ARQUIV~1\GBPLUGIN\gbieh.dll [2008-03-11 08:18 354600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
C:\ARQUIV~1\GBPLUGIN\gbieh.dll 2008-03-11 08:18 354600 C:\ARQUIV~1\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqQgEUo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Clara^Menu Iniciar^Programas^Inicializar^Last.fm Helper.lnk]
path=C:\Documents and Settings\Clara\Menu Iniciar\Programas\Inicializar\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ink Monitor]
C:\Arquivos de programas\EPSON\Ink Monitor\InkMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MULTIMEDIA KEYBOARD]
C:\Arquivos de programas\Netropa\Multimedia Keyboard\MMKeybd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
"aawservice"=2 (0x2)

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-04-08 22:43:36 ------------
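
The registry dump above contains the entry that explains why this infection keeps coming back after Vundofix: under `[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]` the `Authentication Packages` value lists `msv1_0` (the stock Windows package) followed by `C:\WINDOWS\system32\urqQgEUo`, a randomly named file with no extension. Anything listed there is loaded by lsass.exe at boot, before on-demand scanners run. The script below is an added example written for this thread (not part of Deckard's System Scanner, Spybot or Malwarebytes): it pulls that line out of a DSS-style dump and reports any package that is not a known stock one. The sample dumps are constructed from the log above; `KNOWN_AUTH_PACKAGES` and the function names are my own assumptions.

```python
"""Flag non-stock LSA Authentication Packages in a Deckard's System Scanner
registry dump.  Hypothetical defender-side helper written for this thread;
not part of DSS, Spybot or Malwarebytes."""
import re

# Package a stock Windows XP install registers under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages.
# Assumption: extend this set for hosts that legitimately add packages.
KNOWN_AUTH_PACKAGES = {"msv1_0"}

LSA_KEY = r"[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]"


def parse_auth_packages(dump_text):
    """Return the entries listed on the 'Authentication Packages' line under
    the LSA key, or [] if the dump has no such key or line.

    DSS prints the REG_MULTI_SZ entries separated by spaces, so a package path
    containing spaces would be split here; treat the result as a lead to check
    in the registry, not a verdict."""
    in_lsa = False
    for line in dump_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            # A new [KEY] header: note whether it is the LSA key.
            in_lsa = stripped.lower() == LSA_KEY.lower()
            continue
        if not in_lsa:
            continue
        m = re.match(r'"Authentication Packages"\s*=\s*(.*)$', stripped)
        if m:
            return m.group(1).split()
    return []


def suspicious_auth_packages(dump_text):
    """Entries that are not a known stock package.  Vundo-family infections
    commonly add a randomly named system32 file here (the log in this thread
    shows C:\\WINDOWS\\system32\\urqQgEUo), which is why cleaning only the
    Run keys does not make the removal stick."""
    return [p for p in parse_auth_packages(dump_text)
            if p.lower() not in KNOWN_AUTH_PACKAGES]


# Constructed sample in the DSS layout; the LSA line is taken from the
# log above.
INFECTED_DUMP = r"""
-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:45]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\urqQgEUo

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"
"""

# Constructed sample of what the same key looks like on a clean machine.
CLEAN_DUMP = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0
"""

if __name__ == "__main__":
    for label, dump in (("infected", INFECTED_DUMP), ("clean", CLEAN_DUMP)):
        print(label, "->", suspicious_auth_packages(dump) or "nothing unexpected")
```

Run against the infected sample it reports the `urqQgEUo` path and nothing for the clean one. A hit here only tells you which file to look at; the file itself still needs to be quarantined by a tool such as the one requested in the next reply, since a DLL loaded by lsass.exe cannot simply be deleted while Windows is running.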

Rorschach112
2008-04-09, 14:39
Hello

Please download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Also tell me how your PC is running

Iarad
2008-04-09, 23:55
The log:

Malwarebytes' Anti-Malware 1.11
Database version: 599

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 106424
Time elapsed: 1 hour(s), 14 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{16857E29-D65A-4204-9D8F-B1418E197B1F}\RP14\A0002843.dll (Trojan.DNSChanger) -> Quarantined and deleted successfully.
C:\Arquivos de programas\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.


I haven't noticed much difference in how the computer is running since the infection, to be honest. Firefox is acting weird, loading a lot slower and giving me error messages, which is why I've been using Opera to post here. But I am keeping it disconnected from the Internet most of the time.

Rorschach112
2008-04-10, 18:27
Your logs are clean! We need to do a few things.


Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) protects against bad ActiveX
IE-SPYAD (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe) puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)

* SpywareGuard (http://www.javacoolsoftware.com/sgdownload.html) offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure

Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.


* MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here (http://www.mozilla.org/products/firefox/)

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here (http://forums.spywareinfo.com/index.php?showtopic=60955)

Thank you for your patience, and performing all of the procedures requested.
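
The HOSTS file recommendation above works because the resolver consults the HOSTS file before asking DNS, so any name the file maps to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The parser below is an added example for this thread, not MVPS's or Microsoft's code: it reads a HOSTS file in the MVPS layout (tabs or spaces, several names per line, `#` comments) and reports which names are sinkholed, which is a quick way to confirm the file is in place and to check a specific name before blaming a browser problem on it. The sample file, `SINKHOLE_ADDRESSES` and `LOOPBACK_NAMES` are constructed assumptions; the placeholder names use the reserved `.invalid` TLD.

```python
"""Parse a HOSTS file laid out like the MVPS one and report which names it
sinkholes.  Added example for this thread, not MVPS's or Microsoft's code."""

# Addresses commonly used to blackhole a name; '::1' covers IPv6 loopback.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# Names that legitimately point at loopback and must not be reported.
LOOPBACK_NAMES = {"localhost"}


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address the file assigns it.
    Handles tabs, several names per line and '#' comments.  The first mapping
    for a name is kept, so a duplicate later in the file cannot silently
    override an earlier block entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # malformed: address with no names
        addr, names = parts[0], parts[1:]
        for name in names:
            mapping.setdefault(name.lower(), addr)
    return mapping


def sinkholed_names(text):
    """Sorted list of names the file redirects to a sinkhole address."""
    return sorted(name for name, addr in parse_hosts(text).items()
                  if addr in SINKHOLE_ADDRESSES and name not in LOOPBACK_NAMES)


def is_sinkholed(text, hostname):
    """True if a lookup of hostname would be answered from the file with a
    sinkhole address instead of reaching DNS (hostnames are case-insensitive)."""
    name = hostname.lower()
    return name not in LOOPBACK_NAMES and parse_hosts(text).get(name) in SINKHOLE_ADDRESSES


# Constructed sample in the MVPS layout; the names are placeholders under the
# reserved .invalid TLD, not real ad or malware hosts.
SAMPLE_HOSTS = """\
# MVPS-style HOSTS file (constructed sample)
127.0.0.1 localhost
127.0.0.1 ads.example-tracker.invalid   # banner server
127.0.0.1\tdownloads.example-malware.invalid
0.0.0.0   stats.example-beacon.invalid www.stats.example-beacon.invalid
192.0.2.10 intranet.example.invalid     # a real mapping, left alone
"""

if __name__ == "__main__":
    for name in sinkholed_names(SAMPLE_HOSTS):
        print("sinkholed:", name)
    print("intranet blocked?", is_sinkholed(SAMPLE_HOSTS, "intranet.example.invalid"))
```

On a real machine point it at `%SystemRoot%\system32\drivers\etc\hosts`; the MVPS file is large, so expect thousands of names rather than the four in the sample. Note that a HOSTS file only stops connections made by name: malware that uses a hard-coded IP address, or its own DNS lookups, is not affected, which is why it is one layer on top of the other recommendations here rather than a replacement for them.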

Iarad
2008-04-11, 03:13
Yes, all the scans are coming up clean now, and I uninstalled ComboFix successfully. Thank you so much for all your help, it's been *greatly* appreciated. I'll follow the recommendations and make sure to take extra care in the future.

Rorschach112
2008-04-11, 16:03
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.