View Full Version : a-squared detecting gen.tdss!ik in msvcrt.dll (Resolved)
i ran a-squared free here and they detect a malware called (gen.tdss!ik) in the file msvcrt.dll (a critical windows file). i sent to virustotal and only a-squared and ikarus is detecting this. is this a false positive or i have a rootkit here?
virustotal results (http://www.virustotal.com/pt/analisis/218b6111e184af527d499a87aa6365f9b07f1b081ab94e132edc3697112a773b-1250186163)
avira, prevx, malwarebytes and superantispyware don't detect nothing in my system.
i want to be sure. please analyze my logs.
tks.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:39:35, on 13/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Prevx\prevx.exe
C:\Arquivos de programas\PC Tools Firewall Plus\FWService.exe
C:\Arquivos de programas\Macrium\Reflect\ReflectService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Prevx\prevx.exe
C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\PC Tools Firewall Plus\FirewallGUI.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Microsoft IntelliPoint\dpupdchk.exe
C:\Arquivos de programas\RALINK\Common\RaUI.exe
C:\Arquivos de programas\Opera 10 Beta\Opera.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Arquivos de programas\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Arquivos de programas\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [00PCTFW] "C:\Arquivos de programas\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Preencher - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Preencher - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Preencher - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218637684484
O16 - DPF: {E001C731-5E37-4538-A5CB-8168736A2360} (ActiveQscan Control) - http://qscan.bitdefender.com/cab/ActiveQscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{477F5228-2AD3-46CE-9F1D-A92DD32EB349}: NameServer = 208.67.222.222 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{97E24F12-18C1-4029-9FD1-70E0B45398F9}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{477F5228-2AD3-46CE-9F1D-A92DD32EB349}: NameServer = 208.67.222.222 208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CSIScanner - Prevx - C:\Arquivos de programas\Prevx\prevx.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Arquivos de programas\PC Tools Firewall Plus\FWService.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Arquivos de programas\RALINK\Common\RalinkRegistryWriter.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Arquivos de programas\Macrium\Reflect\ReflectService.exe
--
End of file - 5494 bytes
sorry for my bad english. :confused:
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.
If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums
My name is Katana and I will be helping you to remove any infection(s) that you may have.
Please observe these rules while we work:
Please Read All Instructions Carefully
If you don't understand something, stop and ask! Don't keep going on.
Please do not run any other tools or scans whilst I am helping you
Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)
If you can do those few things, everything should go smoothly http://www.countingcows.de/laechel.gif
Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe
----------------------------------------------------------------------------------------
I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.
If you still require help please do the following
Download and Run RSIT
Please download Random's System Information Tool by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open:
log.txt will be opened maximized.
info.txt will be opened minimized.
Please post the contents of both log.txt and info.txt.
Logfile of random's system information tool 1.06 (written by random/random)
Run by winxp at 2009-08-16 14:19:09
Microsoft Windows XP Professional Service Pack 3
System drive C: has 31 GB (78%) free of 40 GB
Total RAM: 1015 MB (57% free)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:10, on 16/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16876)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\Arquivos de programas\Prevx\prevx.exe
C:\Arquivos de programas\PC Tools Firewall Plus\FWService.exe
C:\Arquivos de programas\Macrium\Reflect\ReflectService.exe
C:\Arquivos de programas\Prevx\prevx.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe
C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe
C:\Arquivos de programas\PC Tools Firewall Plus\FirewallGUI.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\Arquivos de programas\Microsoft IntelliPoint\dpupdchk.exe
C:\Arquivos de programas\RALINK\Common\RaUI.exe
C:\Arquivos de programas\Opera 10 Beta\opera.exe
C:\Documents and Settings\winxp\Desktop\RSIT.exe
C:\Arquivos de programas\Trend Micro\HijackThis\winxp.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Arquivos de programas\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Arquivos de programas\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [00PCTFW] "C:\Arquivos de programas\PC Tools Firewall Plus\FirewallGUI.exe" -s
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Preencher - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Preencher - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Preencher - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1218637684484
O16 - DPF: {E001C731-5E37-4538-A5CB-8168736A2360} (ActiveQscan Control) - http://qscan.bitdefender.com/cab/ActiveQscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{477F5228-2AD3-46CE-9F1D-A92DD32EB349}: NameServer = 30.20.10.1 208.67.220.220
O17 - HKLM\System\CCS\Services\Tcpip\..\{97E24F12-18C1-4029-9FD1-70E0B45398F9}: NameServer = 208.67.222.222,208.67.220.220
O17 - HKLM\System\CS1\Services\Tcpip\..\{477F5228-2AD3-46CE-9F1D-A92DD32EB349}: NameServer = 30.20.10.1 208.67.220.220
O20 - Winlogon Notify: !SASWinLogon - C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: CSIScanner - Prevx - C:\Arquivos de programas\Prevx\prevx.exe
O23 - Service: PC Tools Firewall Plus (PCToolsFirewallPlus) - PC Tools - C:\Arquivos de programas\PC Tools Firewall Plus\FWService.exe
O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Arquivos de programas\RALINK\Common\RalinkRegistryWriter.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - C:\Arquivos de programas\Macrium\Reflect\ReflectService.exe
--
End of file - 5423 bytes
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{724d43a9-0d85-11d4-9908-00400523e39a}]
C:\Arquivos de programas\Siber Systems\AI RoboForm\roboform.dll [2009-06-19 5956424]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{724d43a0-0d85-11d4-9908-00400523e39a} - &RoboForm - C:\Arquivos de programas\Siber Systems\AI RoboForm\roboform.dll [2009-06-19 5956424]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"=C:\Arquivos de programas\Microsoft IntelliPoint\ipoint.exe [2007-08-31 1037736]
"WinPatrol"=C:\Arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe [2009-07-22 341312]
"00PCTFW"=C:\Arquivos de programas\PC Tools Firewall Plus\FirewallGUI.exe [2009-02-23 2652056]
"avgnt"=C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar
Ralink Wireless Utility.lnk - C:\Arquivos de programas\RALINK\Common\RaUI.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Arquivos de programas\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxdev.dll [2008-02-15 208896]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Arquivos de programas\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\hitmanpro35.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=1
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDrives"=
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\WINDOWS\system32\sessmgr.exe"="C:\WINDOWS\system32\sessmgr.exe:LocalSubNet:Disabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
======List of files/folders created in the last 1 months======
2009-08-16 14:19:09 ----D---- C:\rsit
2009-08-16 02:35:12 ----SHD---- C:\RECYCLER
2009-08-16 02:15:33 ----D---- C:\WINDOWS\temp
2009-08-13 19:49:17 ----D---- C:\Arquivos de programas\ESET
2009-08-11 16:45:05 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2009-08-11 16:45:01 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2009-08-11 16:44:56 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2009-08-11 16:44:52 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2009-08-11 16:44:48 ----HDC---- C:\WINDOWS\$NtUninstallKB973354$
2009-08-11 16:44:43 ----HDC---- C:\WINDOWS\$NtUninstallKB956744$
2009-08-11 16:44:38 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2009-08-11 16:44:31 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9$
2009-08-11 16:44:27 ----HDC---- C:\WINDOWS\$NtUninstallKB971557$
2009-08-11 16:44:19 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2009-08-11 00:27:10 ----D---- C:\Documents and Settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com
2009-08-11 00:26:59 ----D---- C:\Documents and Settings\winxp\Dados de aplicativos\SUPERAntiSpyware.com
2009-08-11 00:26:59 ----D---- C:\Arquivos de programas\SUPERAntiSpyware
2009-08-11 00:26:45 ----D---- C:\Arquivos de programas\Arquivos comuns\Wise Installation Wizard
2009-08-11 00:06:44 ----D---- C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-08-11 00:06:44 ----D---- C:\Arquivos de programas\Spybot - Search & Destroy
2009-07-28 20:11:09 ----D---- C:\Documents and Settings\winxp\Dados de aplicativos\vlc
2009-07-25 22:10:19 ----D---- C:\Documents and Settings\All Users\Dados de aplicativos\Avira
2009-07-25 22:10:19 ----D---- C:\Arquivos de programas\Avira
2009-07-20 15:42:34 ----D---- C:\Arquivos de programas\VS Revo Group
2009-07-17 15:14:26 ----D---- C:\Documents and Settings\All Users\Dados de aplicativos\Hitman Pro
2009-07-17 00:36:01 ----D---- C:\Documents and Settings\All Users\Dados de aplicativos\F-Secure
======List of files/folders modified in the last 1 months======
2009-08-16 14:13:21 ----D---- C:\WINDOWS
2009-08-16 14:13:03 ----D---- C:\WINDOWS\system32\CatRoot2
2009-08-16 03:27:03 ----D---- C:\WINDOWS\system32\drivers
2009-08-16 03:02:42 ----D---- C:\WINDOWS\Debug
2009-08-16 02:45:50 ----D---- C:\Arquivos de programas\PC Tools Firewall Plus
2009-08-16 02:44:37 ----D---- C:\Documents and Settings\All Users\Dados de aplicativos\PrevxCSI
2009-08-16 02:33:50 ----D---- C:\Arquivos de programas\Mozilla Firefox
2009-08-16 02:24:41 ----SHD---- C:\System Volume Information
2009-08-16 02:24:41 ----D---- C:\WINDOWS\system32\Restore
2009-08-16 02:21:57 ----D---- C:\WINDOWS\system32
2009-08-16 02:21:53 ----D---- C:\WINDOWS\ERDNT
2009-08-16 02:14:08 ----N---- C:\WINDOWS\system.ini
2009-08-16 02:13:24 ----D---- C:\WINDOWS\AppPatch
2009-08-16 02:13:21 ----D---- C:\Arquivos de programas\Arquivos comuns
2009-08-16 02:01:36 ----HD---- C:\WINDOWS\inf
2009-08-15 03:03:49 ----RD---- C:\Arquivos de programas
2009-08-15 02:35:23 ----D---- C:\WINDOWS\system32\config
2009-08-15 02:04:47 ----SHD---- C:\WINDOWS\Installer
2009-08-13 16:22:09 ----D---- C:\Arquivos de programas\Opera 10 Beta
2009-08-13 00:06:45 ----D---- C:\Documents and Settings\winxp\Dados de aplicativos\QuickScan
2009-08-13 00:06:34 ----SD---- C:\WINDOWS\Downloaded Program Files
2009-08-11 22:17:50 ----D---- C:\Arquivos de programas\Windows Media Connect 2
2009-08-11 16:45:07 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-08-11 16:44:49 ----D---- C:\Arquivos de programas\Outlook Express
2009-08-11 16:44:47 ----HD---- C:\WINDOWS\$hf_mig$
2009-08-11 16:18:57 ----D---- C:\LinhaDefensiva
2009-08-10 23:32:32 ----D---- C:\Dev-Cpp
2009-08-05 06:00:39 ----A---- C:\WINDOWS\system32\mswebdvd.dll
2009-08-04 20:12:32 ----A---- C:\WINDOWS\system32\deploytk.dll
2009-08-03 17:07:12 ----D---- C:\Arquivos de programas\Malwarebytes' Anti-Malware
2009-08-01 15:11:11 ----D---- C:\Documents and Settings
2009-07-29 17:49:16 ----A---- C:\WINDOWS\system32\MRT.exe
2009-07-28 17:46:45 ----D---- C:\WINDOWS\system32\pt-BR
2009-07-28 17:46:45 ----D---- C:\Arquivos de programas\Internet Explorer
2009-07-28 17:46:23 ----D---- C:\WINDOWS\WinSxS
2009-07-28 16:12:26 ----A---- C:\WINDOWS\win.ini
2009-07-26 01:05:14 ----D---- C:\WINDOWS\security
2009-07-26 00:20:31 ----D---- C:\WINDOWS\Help
2009-07-26 00:20:17 ----D---- C:\Arquivos de programas\Arquivos comuns\InstallShield
2009-07-26 00:08:11 ----D---- C:\WINDOWS\repair
2009-07-26 00:07:02 ----D---- C:\WINDOWS\Registration
2009-07-25 22:09:56 ----D---- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared
2009-07-25 21:28:38 ----A---- C:\WINDOWS\RTacDbg.txt
2009-07-25 21:26:39 ----D---- C:\WINDOWS\system32\wbem
2009-07-20 15:48:45 ----D---- C:\Arquivos de programas\Adobe
2009-07-19 10:29:29 ----A---- C:\WINDOWS\system32\mshtml.dll
2009-07-19 10:29:27 ----A---- C:\WINDOWS\system32\ieframe.dll
2009-07-17 16:03:29 ----A---- C:\WINDOWS\system32\atl.dll
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 avgio;avgio; \??\C:\Arquivos de programas\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 intelppm;Driver de Processador Intel; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 40448]
R1 pctgntdi;pctgntdi; \??\C:\WINDOWS\system32\drivers\pctgntdi.sys []
R1 SASDIFSV;SASDIFSV; \??\C:\Arquivos de programas\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Arquivos de programas\SUPERAntiSpyware\SASKUTIL.sys []
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-05-11 28520]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.7.5.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2009-06-02 21361]
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-08-05 55656]
R2 PCTAppEvent;PCTAppEvent Driver; \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys []
R2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-09-25 44384]
R3 HDAudBus;Driver de Barramento Microsoft UAA para High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 HidUsb;Driver de classe HID da Microsoft; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\igxpmp32.sys [2008-02-15 5854752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2009-02-17 5026816]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-09-05 12288]
R3 pctplfw;pctplfw; \??\C:\WINDOWS\system32\drivers\pctplfw.sys []
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2007-08-21 21760]
R3 RT2500;RT2500 Wireless Driver; C:\WINDOWS\system32\DRIVERS\RT2500.sys [2009-02-09 238208]
R3 RTLE8023xp;Realtek 10/100/1000 PCI-E NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtenicxp.sys [2008-06-16 109184]
R3 SFilter;PCTools Driver; C:\WINDOWS\system32\DRIVERS\pctfw.sys [2008-09-22 97408]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 HWiNFO32;HWiNFO32 Kernel Driver; \??\D:\hw32_236\HWiNFO32.SYS []
S3 Ambfilt;Ambfilt; C:\WINDOWS\system32\drivers\Ambfilt.sys [2008-08-05 1684736]
S3 catchme;catchme; \??\C:\DOCUME~1\winxp\CONFIG~1\Temp\catchme.sys []
S3 Monfilt;Monfilt; C:\WINDOWS\system32\drivers\Monfilt.sys [2006-01-04 1389056]
S3 PSI;PSI; C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2009-06-17 12648]
S3 PSMounter;Macrium Reflect Image Explorer Service; \??\C:\WINDOWS\system32\drivers\psmounter.sys []
S3 rspSanity;rspSanity; C:\WINDOWS\system32\DRIVERS\rspSanity32.sys [2009-03-07 30136]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter; C:\WINDOWS\system32\DRIVERS\RTL8187B.sys [2008-06-25 335104]
S3 SASENUM;SASENUM; \??\C:\Arquivos de programas\SUPERAntiSpyware\SASENUM.SYS []
S3 TfNetMon;TfNetMon; \??\C:\WINDOWS\system32\drivers\TfNetMon.sys []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe [2009-05-13 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe [2009-08-05 185089]
R2 CSIScanner;CSIScanner; C:\Arquivos de programas\Prevx\prevx.exe [2009-06-18 4368952]
R2 PCToolsFirewallPlus;PC Tools Firewall Plus; C:\Arquivos de programas\PC Tools Firewall Plus\FWService.exe [2008-12-11 146800]
R2 ReflectService;Macrium Reflect Image Mounting Service; C:\Arquivos de programas\Macrium\Reflect\ReflectService.exe [2008-08-06 216032]
S3 Adobe LM Service;Adobe LM Service; C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-08-23 72704]
S3 aspnet_state;Serviço de estado do ASP.NET; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 odserv;Microsoft Office Diagnostics Service; C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 RalinkRegistryWriter;Ralink Registry Writer; C:\Arquivos de programas\RALINK\Common\RalinkRegistryWriter.exe [2008-04-23 69632]
S3 WMPNetworkSvc;Serviço de Compartilhamento de Rede do Windows Media Player; C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe [2006-11-02 914944]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Serviço de Compartilhamento de Porta Net.Tcp; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NMIndexingService;NMIndexingService; C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe []
-----------------EOF-----------------
info.txt logfile of random's system information tool 1.06 2009-08-16 14:19:11
======Uninstall list======
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 4.65-->"C:\Arquivos de programas\7-Zip\Uninstall.exe"
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
AI RoboForm (All Users)-->"C:\Arquivos de programas\Siber Systems\AI RoboForm\rfwipeout.exe"
Atualização de Segurança para o Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB938127-v2)-->"C:\WINDOWS\ie7updates\KB938127-v2-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Atualização de Segurança para Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Atualização para Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Atualização para Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Audacity 1.2.6-->"C:\Arquivos de programas\Audacity\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Arquivos de programas\Avira\AntiVir Desktop\setup.exe /REMOVE
CCleaner (remove only)-->"C:\Arquivos de programas\CCleaner\uninst.exe"
Dev-C++ 5 beta 9 release (4.9.9.2)-->"C:\Dev-Cpp\uninstall.exe"
DriverMax 4-->"C:\Arquivos de programas\Innovative Solutions\DriverMax\unins000.exe"
ESET Online Scanner v3-->C:\Arquivos de programas\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Foxit Reader-->C:\Arquivos de programas\Foxit Software\Foxit Reader\Uninstall.exe
HijackThis 2.0.2-->"C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB945282)-->C:\WINDOWS\system32\msiexec.exe /package {A4418082-E601-3954-805B-D56A2B50EC8B} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946040)-->C:\WINDOWS\system32\msiexec.exe /package {A4418082-E601-3954-805B-D56A2B50EC8B} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB946308)-->C:\WINDOWS\system32\msiexec.exe /package {A4418082-E601-3954-805B-D56A2B50EC8B} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947540)-->C:\WINDOWS\system32\msiexec.exe /package {A4418082-E601-3954-805B-D56A2B50EC8B} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft Visual C# 2008 Express Edition with SP1 - ENU (KB947789)-->C:\WINDOWS\system32\msiexec.exe /package {A4418082-E601-3954-805B-D56A2B50EC8B} /uninstall /qb+ REBOOTPROMPT=""
Index.dat Analyzer v2.0-->"C:\Arquivos de programas\Index.dat Analyzer\unins000.exe"
InfraRecorder-->C:\Arquivos de programas\InfraRecorder\uninstall.exe
Intel(R) Graphics Media Accelerator Driver-->C:\WINDOWS\system32\igxpun.exe -uninstall
IrfanView (remove only)-->C:\Arquivos de programas\IrfanView2\iv_uninstall.exe
Macrium Reflect - Free Edition-->MsiExec.exe /I{3BAD2D97-4900-4014-A2F5-B549802CEEE2}
Malwarebytes' Anti-Malware-->"C:\Arquivos de programas\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PTB-->MsiExec.exe /I{3F31F3B5-C1FF-3708-8611-869DE39C0CB6}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Brazilian Portuguese Language Pack-->MsiExec.exe /X{F407D6FB-D3AD-44CC-B77B-5B3F0FF1F22C}
Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PTB-->MsiExec.exe /I{B1FA73D8-AB79-3A2E-81AC-DBBAC155B2FE}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 Language Pack SP1 - ptb-->MsiExec.exe /I{1438B41C-658C-35B7-9253-780F2E0A0B8E}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0416-0000-0000000FF1CE} /uninstall {9A141B2B-7C5E-47D2-8E9E-9AC6018F3C42}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0416-0000-0000000FF1CE} /uninstall {02A880E2-B8B9-4BF5-8822-EA1374734E2E}
Microsoft Office Access MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0015-0416-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0016-0416-0000-0000000FF1CE}
Microsoft Office Groove MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-00BA-0416-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0044-0416-0000-0000000FF1CE}
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-00A1-0416-0000-0000000FF1CE}
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-001A-0416-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0018-0416-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-001F-0416-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-002C-0416-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0416-0000-0000000FF1CE} /uninstall {75EBE365-7FC5-4720-A7D3-804BF550D1BC}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-0019-0416-0000-0000000FF1CE}
Microsoft Office Shared MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-006E-0416-0000-0000000FF1CE}
Microsoft Office Word MUI (Portuguese (Brazil)) 2007-->MsiExec.exe /X{90120000-001B-0416-0000-0000000FF1CE}
Microsoft SQL Server 2008 Management Objects-->MsiExec.exe /I{F5E87B12-3C27-452F-8E78-21D42164FD83}
Microsoft SQL Server Compact 3.5 SP1 Design Tools English-->MsiExec.exe /X{0C19D563-5F25-4621-BF10-01F741BD283F}
Microsoft SQL Server Compact 3.5 SP1 English-->MsiExec.exe /I{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C# 2008 Express Edition with SP1 - ENU-->C:\Arquivos de programas\Microsoft Visual Studio 9.0\Microsoft Visual C# 2008 Express Edition with SP1 - ENU\setup.exe
Microsoft Visual C# 2008 Express Edition with SP1 - ENU-->MsiExec.exe /X{A4418082-E601-3954-805B-D56A2B50EC8B}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729-->MsiExec.exe /X{3C3D696B-0DB7-3C6D-A356-3DB8CE541918}
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for .NET Framework - enu-->MsiExec.exe /X{5BE1E709-30E4-3D6D-A708-96CE8D5E5E8D}
Microsoft Windows SDK for Visual Studio 2008 SP1 Express Tools for Win32-->MsiExec.exe /X{044F9133-B8D7-4d11-BF39-803FA20F5C8B}
Mozilla Firefox (3.5.2)-->C:\Arquivos de programas\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP3 Parser-->MsiExec.exe /I{196467F1-C11F-4F76-858B-5812ADC83B94}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Notepad++-->C:\Arquivos de programas\Notepad++\uninstall.exe
Opera 10.00-->MsiExec.exe /X{C5F18C74-7397-4DFF-A3C3-FD0420A1A479}
Opera 9.64-->MsiExec.exe /X{E1BBBAC5-2857-4155-82A6-54492CE88620}
Pacote de Idiomas do Microsoft .NET Framework 3.5 SP1 - PTB-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 Language Pack SP1 - ptb\setup.exe
Pacote de Idiomas do Português (Brasil) para Microsoft .NET Framework 3.0-->C:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0 Brazilian Portuguese Language Pack\setup.exe
PC Tools Firewall Plus 5.0-->C:\Arquivos de programas\PC Tools Firewall Plus\unins000.exe /LOG
Prevx 3.0-->"C:\Arquivos de programas\Prevx\prevx.exe" /prop UNINSTALL=Y
Python 2.6 pysqlite-2.5.1-->"C:\Python26\Removepysqlite.exe" -u "C:\Python26\pysqlite-wininst.log"
Python 2.6-->MsiExec.exe /I{110EB5C4-E995-4CFB-AB80-A5F315BEA9E8}
Ralink Wireless LAN-->C:\Arquivos de programas\InstallShield Installation Information\{FAB1F336-1B7C-4057-A7BC-2922CD82A781}\setup.exe -runfromtemp -l0x0009 -removeonly
REALTEK GbE & FE Ethernet PCI-E NIC Driver-->C:\Arquivos de programas\InstallShield Installation Information\{C9BED750-1211-4480-B1A5-718A3BE15525}\Setup.exe -runfromtemp -l0x0416 -removeonly
Realtek High Definition Audio Driver-->RunDll32 C:\ARQUIV~1\ARQUIV~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Arquivos de programas\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x416 -removeonly
REALTEK RTL8187B Wireless LAN Driver and Utility-->C:\Arquivos de programas\InstallShield Installation Information\{BE686891-3C56-4714-AFEF-341A7867BA80}\Install.exe -uninst -l0x416
Revo Uninstaller 1.83-->C:\Arquivos de programas\VS Revo Group\Revo Uninstaller\uninst.exe
Secunia PSI-->"C:\Arquivos de programas\Secunia\PSI\uninstall.exe"
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB969679)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C66E4A6C-6E07-4C63-8CCD-2493B5087C73}
Security Update for Microsoft Office Excel 2007 (KB969682)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C03803BD-745A-46F8-8557-817DED578780}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB969693)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {7BE67088-1EB3-4569-8E75-DDAFBF61BC4E}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
SQL Server System CLR Types-->MsiExec.exe /I{342D4AD7-EC4C-4EC8-AEA6-E70F5905A490}
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office Outlook 2007 (KB969907)-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {74F98B24-AFBD-4800-9BD6-87D349B5C462}
Vista Ultimate Sound Scheme For XP-->MsiExec.exe /I{025C93B5-4499-4EC2-B137-7E3FA6E8420F}
VLC media player 1.0.1-->C:\Arquivos de programas\VideoLAN\VLC\uninstall.exe
Windows Internet Explorer 7-->"C:\WINDOWS\ie7\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Arquivos de programas\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Arquivos de programas\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Presentation Foundation Language Pack (PTB)-->MsiExec.exe /X{93676FC6-C7DB-45A6-A62B-74A324F17313}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
WinPatrol 2009-->C:\ARQUIV~1\BILLPS~1\WINPAT~1\Setup.exe /remove /q0
XML Paper Specification Shared Components Language Pack 1.0-->"C:\WINDOWS\$NtUninstallXPSEPSCLP$\spuninst\spuninst.exe"
=====HijackThis Backups=====
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing) [2008-11-26]
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file) [2009-02-28]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-04-26]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 [2009-04-26]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-04-26]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 [2009-04-26]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [2009-08-12]
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/resources/scan8/oscan8.cab [2009-08-12]
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab [2009-08-12]
O2 - BHO: (no name) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - (no file) [2009-08-12]
======Security center information======
AV: AntiVir Desktop
FW: PC Tools Firewall Plus
======System event log======
Computer Name: PC
Event Code: 20158
Message: O usuário fpmedeiros estabeleceu com êxito uma conexão a World Connect usando o dispositivo PPPoE4-0.
Record Number: 5
Source Name: RemoteAccess
Time Written: 20090815024322.000000-180
Event Type: Informações
User:
Computer Name: PC
Event Code: 20159
Message: A conexão com World Connect feita pelo usuário fpmedeiros, utilizando o dispositivo PPPoE4-0, foi desconectada.
Record Number: 4
Source Name: RemoteAccess
Time Written: 20090815024318.000000-180
Event Type: Informações
User:
Computer Name: PC
Event Code: 7035
Message: O serviço SASENUM recebeu com êxito um controle Iniciar.
Record Number: 3
Source Name: Service Control Manager
Time Written: 20090815024218.000000-180
Event Type: Informações
User: PC\winxp
Computer Name: PC
Event Code: 7035
Message: O serviço MBAMSwissArmy recebeu com êxito um controle Iniciar.
Record Number: 2
Source Name: Service Control Manager
Time Written: 20090815024201.000000-180
Event Type: Informações
User: PC\winxp
Computer Name: PC
Event Code: 20158
Message: O usuário fpmedeiros estabeleceu com êxito uma conexão a World Connect usando o dispositivo PPPoE4-0.
Record Number: 1
Source Name: RemoteAccess
Time Written: 20090815024144.000000-180
Event Type: Informações
User:
=====Application event log=====
Computer Name: PC
Event Code: 1002
Message: O shell parou repentinamente e Explorer.exe foi reiniciado.
Record Number: 5
Source Name: Winlogon
Time Written: 20090815182548.000000-180
Event Type: Informações
User:
Computer Name: PC
Event Code: 1000
Message: Aplicativo com falha explorer.exe, versão 6.0.2900.5512, módulo com falha netshell.dll, versão 5.1.2600.5512, endereço com falha 0x000591ae.
Record Number: 4
Source Name: Application Error
Time Written: 20090815182537.000000-180
Event Type: Erro
User:
Computer Name: PC
Event Code: 4096
Message: The AntiVir service has been started successfully!
Record Number: 3
Source Name: Avira AntiVir
Time Written: 20090815153143.000000-180
Event Type: Informações
User: AUTORIDADE NT\SYSTEM
Computer Name: PC
Event Code: 4096
Message: The AntiVir service has been started successfully!
Record Number: 2
Source Name: Avira AntiVir
Time Written: 20090815122851.000000-180
Event Type: Informações
User: AUTORIDADE NT\SYSTEM
Computer Name: PC
Event Code: 4096
Message: The AntiVir service has been started successfully!
Record Number: 1
Source Name: Avira AntiVir
Time Written: 20090815025419.000000-180
Event Type: Informações
User: AUTORIDADE NT\SYSTEM
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=%systemroot%\system32;%systemroot%;%systemroot%\system32\wbem;C:\Arquivos de programas\Arquivos comuns\Adobe\AGL;C:\Python26
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 13, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=0f0d
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"windir"=%SystemRoot%
-----------------EOF-----------------
thanks!
There is no sign of infection in your logs, I strongly suspect it is a false positive but lets make sure
Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:
Bleeping Computer ComboFix Tutorial (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply
Re-enable all the programs that were disabled during the running of ComboFix..
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper
For instructions on how to disable your security programs, please see this topic
How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs (http://www.bleepingcomputer.com/forums/topic114351.html)
ComboFix 09-08-10.06 - winxp 16/08/2009 17:13.5.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.1015.582 [GMT -3:00]
Executando de: c:\documents and settings\winxp\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: PC Tools Firewall Plus *disabled* {ABBD5028-5A95-4B6D-996E-98D64AE88D52}
ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-07-16 to 2009-08-16 ))))))))))))))))))))))))))))
.
2009-08-16 17:19 . 2009-08-16 17:19 -------- d-----w- C:\rsit
2009-08-13 22:49 . 2009-08-13 22:49 -------- d-----w- c:\arquivos de programas\ESET
2009-08-11 03:28 . 2009-08-16 04:34 117760 ----a-w- c:\documents and settings\winxp\Dados de aplicativos\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-08-11 03:27 . 2009-08-11 03:27 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com
2009-08-11 03:26 . 2009-08-11 03:27 -------- d-----w- c:\arquivos de programas\SUPERAntiSpyware
2009-08-11 03:26 . 2009-08-11 03:26 -------- d-----w- c:\documents and settings\winxp\Dados de aplicativos\SUPERAntiSpyware.com
2009-08-11 03:26 . 2009-08-11 03:26 -------- d-----w- c:\arquivos de programas\Arquivos comuns\Wise Installation Wizard
2009-08-11 03:06 . 2009-08-11 20:44 -------- d-----w- c:\arquivos de programas\Spybot - Search & Destroy
2009-08-11 03:06 . 2009-08-11 20:44 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Spybot - Search & Destroy
2009-07-28 23:11 . 2009-08-15 20:17 -------- d-----w- c:\documents and settings\winxp\Dados de aplicativos\vlc
2009-07-26 01:10 . 2009-03-30 13:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-07-26 01:10 . 2009-02-13 15:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2009-07-26 01:10 . 2009-02-13 15:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2009-07-26 01:10 . 2009-07-26 01:10 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Avira
2009-07-26 01:10 . 2009-07-26 01:10 -------- d-----w- c:\arquivos de programas\Avira
2009-07-26 00:26 . 2009-07-26 00:26 -------- d-----w- c:\windows\system32\wbem\Repository
2009-07-20 18:42 . 2009-07-20 18:42 -------- d-----w- c:\arquivos de programas\VS Revo Group
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-16 19:24 . 2009-04-03 03:59 -------- d-----w- c:\arquivos de programas\PC Tools Firewall Plus
2009-08-16 19:01 . 2009-03-26 00:06 257768 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-16 19:01 . 2009-03-26 00:06 21815328 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-16 05:44 . 2009-06-18 23:41 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\PrevxCSI
2009-08-13 19:22 . 2009-06-07 17:47 -------- d-----w- c:\arquivos de programas\Opera 10 Beta
2009-08-13 03:06 . 2009-03-29 02:24 -------- d-----w- c:\documents and settings\winxp\Dados de aplicativos\QuickScan
2009-08-13 03:02 . 2009-07-17 18:15 11904 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2009-08-12 01:17 . 2008-08-13 13:56 -------- d-----w- c:\arquivos de programas\Windows Media Connect 2
2009-08-05 17:09 . 2009-03-21 06:05 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-08-05 09:00 . 2008-04-13 21:20 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 23:12 . 2009-03-20 23:08 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-03 20:07 . 2008-10-07 00:21 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2009-08-03 20:06 . 2008-11-24 03:46 3942048 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-08-03 16:36 . 2008-10-07 00:21 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 16:36 . 2008-10-07 00:21 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-26 03:20 . 2008-08-13 13:36 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield
2009-07-17 19:03 . 2008-04-13 21:20 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 18:47 . 2009-07-17 18:14 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Hitman Pro
2009-07-17 03:36 . 2009-07-17 03:36 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\F-Secure
2009-07-14 17:44 . 2008-08-13 13:52 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-07-14 02:43 . 2008-04-13 21:20 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-30 21:45 . 2008-08-13 13:36 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-06-29 15:58 . 2008-04-13 21:20 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 15:58 . 2008-04-13 21:20 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 15:58 . 2008-04-13 21:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-06-25 08:27 . 2008-04-13 21:20 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2008-04-13 21:20 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2008-04-13 21:20 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2008-04-13 21:20 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:27 . 2008-04-13 21:20 732672 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2008-04-13 21:20 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 22:07 . 2009-06-24 22:07 -------- d-----w- c:\arquivos de programas\Secunia
2009-06-24 11:18 . 2008-04-13 13:31 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-18 23:41 . 2009-06-18 23:41 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-06-18 23:41 . 2009-06-18 23:41 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-06-18 23:41 . 2009-06-18 23:41 -------- d-----w- c:\arquivos de programas\Prevx
2009-06-18 00:24 . 2009-06-18 00:24 -------- d-----w- c:\arquivos de programas\Microsoft SQL Server
2009-06-18 00:24 . 2009-06-18 00:21 -------- d-----w- c:\arquivos de programas\Microsoft Visual Studio 9.0
2009-06-18 00:23 . 2009-06-18 00:23 -------- d-----w- c:\arquivos de programas\Microsoft Synchronization Services
2009-06-18 00:23 . 2009-06-18 00:23 -------- d-----w- c:\arquivos de programas\Microsoft SQL Server Compact Edition
2009-06-18 00:23 . 2009-06-18 00:23 187328 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft\VCSExpress\9.0\1033\ResourceCache.dll
2009-06-18 00:22 . 2009-06-18 00:22 416 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-06-18 00:21 . 2009-06-18 00:21 -------- d-----w- c:\arquivos de programas\Microsoft.NET
2009-06-18 00:20 . 2009-06-18 00:20 -------- d-----w- c:\arquivos de programas\Microsoft SDKs
2009-06-17 12:20 . 2009-06-17 12:20 12648 ----a-w- c:\windows\system32\drivers\psi_mf.sys
2009-06-16 14:39 . 2008-04-13 21:20 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:39 . 2008-04-13 21:20 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 10:44 . 2008-04-13 21:21 77824 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:44 . 2008-04-13 21:21 81408 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-10 14:14 . 2008-04-13 21:20 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 12:21 . 2008-08-13 12:59 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:15 . 2008-04-13 21:20 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-03 19:10 . 2008-04-13 21:20 1295872 ----a-w- c:\windows\system32\quartz.dll
2009-06-03 01:53 . 2008-08-13 13:51 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-06-03 01:53 . 2009-06-03 01:51 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
.
------- Sigcheck -------
[-] 2008-05-08 18:08 1571840 4531C3D8B1A6D3CC6D5CECF1D44624A3 c:\windows\system32\sfcfiles.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelliPoint"="c:\arquivos de programas\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"WinPatrol"="c:\arquivos de programas\BillP Studios\WinPatrol\winpatrol.exe" [2009-07-22 341312]
"00PCTFW"="c:\arquivos de programas\PC Tools Firewall Plus\FirewallGUI.exe" [2009-02-23 2652056]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_3"="advpack.dll" - c:\windows\system32\advpack.dll [2009-06-29 124928]
c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
Ralink Wireless Utility.lnk - c:\arquivos de programas\RALINK\Common\RaUI.exe [2009-6-2 1556480]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\arquivos de programas\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R0 pssnap;Paramount Software Snapshot Filter;c:\windows\system32\drivers\pssnap.sys [20/5/2008 08:32 15328]
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [18/6/2009 20:41 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [18/6/2009 20:41 27656]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2/6/2009 21:22 159600]
R1 SASDIFSV;SASDIFSV;c:\arquivos de programas\SUPERAntiSpyware\sasdifsv.sys [5/8/2009 16:06 9968]
R1 SASKUTIL;SASKUTIL;c:\arquivos de programas\SUPERAntiSpyware\SASKUTIL.SYS [5/8/2009 16:06 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [25/7/2009 22:10 108289]
R2 CSIScanner;CSIScanner;c:\arquivos de programas\Prevx\prevx.exe [18/6/2009 20:41 4368952]
R2 PCTAppEvent;PCTAppEvent Driver;c:\windows\system32\drivers\PCTAppEvent.sys [2/6/2009 21:22 73840]
R2 ReflectService;Macrium Reflect Image Mounting Service;c:\arquivos de programas\Macrium\Reflect\ReflectService.exe [6/8/2008 11:34 216032]
R3 pctplfw;pctplfw;c:\windows\system32\drivers\pctplfw.sys [2/6/2009 21:22 95640]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S2 HWiNFO32;HWiNFO32 Kernel Driver;\??\d:\hw32_236\HWiNFO32.SYS --> d:\hw32_236\HWiNFO32.SYS [?]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/4/2009 01:01 1684736]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [17/6/2009 09:20 12648]
S3 PSMounter;Macrium Reflect Image Explorer Service;c:\windows\system32\drivers\psmounter.sys [8/7/2008 12:39 31712]
S3 RalinkRegistryWriter;Ralink Registry Writer;c:\arquivos de programas\RALINK\Common\RalinkRegistryWriter.exe [2/6/2009 22:51 69632]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [8/5/2009 20:37 30136]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8187B.sys [21/5/2009 22:20 335104]
S3 SASENUM;SASENUM;c:\arquivos de programas\SUPERAntiSpyware\SASENUM.SYS [5/8/2009 16:06 7408]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Preencher - file://c:\arquivos de programas\Siber Systems\AI RoboForm\RoboFormComFillForms.html
TCP: {97E24F12-18C1-4029-9FD1-70E0B45398F9} = 208.67.222.222,208.67.220.220
FF - ProfilePath - c:\documents and settings\winxp\Dados de aplicativos\Mozilla\Firefox\Profiles\a57bazr6.default\
FF - component: c:\arquivos de programas\Siber Systems\AI RoboForm\Firefox\components\rfproxy_31.dll
FF - plugin: c:\arquivos de programas\Opera 10 Beta\program\plugins\npdsplay.dll
FF - plugin: c:\arquivos de programas\Opera 10 Beta\program\plugins\NPSWF32.dll
FF - plugin: c:\arquivos de programas\Opera 10 Beta\program\plugins\npwmsdrm.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\arquivos de programas\Mozilla Firefox\greprefs\all.js - pref("geo.enabled", true);
c:\arquivos de programas\Mozilla Firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-16 17:15
Windows 5.1.2600 Service Pack 3 NTFS
Procurando processos ocultos ...
Procurando entradas auto inicializáveis ocultas ...
Procurando ficheiros/arquivos ocultos ...
Varredura completada com sucesso
arquivos/ficheiros ocultos: 0
**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------
[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="04F0D21-79D8-7A25-D702-433F"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------
- - - - - - - > 'winlogon.exe'(864)
c:\arquivos de programas\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
- - - - - - - > 'explorer.exe'(3868)
c:\windows\system32\WININET.dll
c:\arquivos de programas\BillP Studios\WinPatrol\PATROLPRO.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Tempo para conclusão: 2009-08-16 17:16
ComboFix-quarantined-files.txt 2009-08-16 20:16
Pré-execução: 9 pasta(s) 32.520.675.328 bytes disponíveis
Pós execução: 9 pasta(s) 32.481.099.776 bytes disponíveis
225 --- E O F --- 2009-07-30 22:10
thanks! :bigthumb:
Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Virus Total
Please visit Virustotal (http://www.virustotal.com/en/indexf.html)
Copy/paste the the following file path into the window
c:\windows\system32\sfcfiles.dll
Click Submit/Send File
When the scan has finished, you can copy the URL from the browser address window and paste it in your reply.
If Virustotal is too busy please try Jotti (http://virusscan.jotti.org/)
0/41 (0%)
http://www.virustotal.com/pt/analisis/293d69ffa3f83fa1377b3ec10e12e3be6fc80a277dbb7962d6f2519dff59a99a-1250455276
thanks for your help.
I would say that we can put this down to a false positive, I've had a dig around the A-Squared forum and found the instructions for reporting them
In order to find out whether the detection is False Positive or not, please submit the flagged item to EMSI developers for analysis from the detection list.
Select the item; Right-Click and choose “Submit as false alert” from pop-up menu
More info in this thread http://forum.emsisoft.com/Default.aspx?g=posts&t=5948
Congratulations your logs look clean :)
Let's see if I can help you keep it that way
First lets tidy up
Uninstall Combofix
This will clear your System Volume Information restore points and remove all the infected files that were quarantined
Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
You can also delete any logs we have produced, and empty your Recycle bin.
----------------------------------------------------------- -----------------------------------------------------------
The following is some info to help you stay safe and clean.
You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )
Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.
http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partner/71706/kavwebscan.html
!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE (http://secunia.com/software_inspector/) for details
AntiSpyware
AntiSpyware is not the same thing as Antivirus.
Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
Most of the programs in this list have a free (for Home Users ) and paid versions,
it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
Spybot - Search & Destroy (http://www.safer-networking.org/) <<< A must have program It includes host protection and registry protection A hosts file is a bit like a phone book, it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites
MalwareBytes Anti-malware (http://www.malwarebytes.org/mbam.php) <<< A New and effective program
a-squared Free (http://www.emsisoft.com/en/software/free/) <<< A good "realtime" or "on demand" scanner
superantispyware (http://www.superantispyware.com/) <<< A good "realtime" or "on demand" scanner
Prevention
These programs don't detect malware, they help stop it getting on your machine in the first place.
Each does a different job, so you can have more than one
Winpatrol (http://www.winpatrol.com) An excellent startup manager and then some !! Notifies you if programs are added to startup Allows delayed startup A must have addition
SpywareBlaster 4.0 (http://www.javacoolsoftware.com/spywareblaster.html) SpywareBlaster sets killbits in the registry to prevent known malicious activex controls from installing themselves on your computer.
SpywareGuard 2.2 (http://www.javacoolsoftware.com/spywareguard.html) SpywareGuard provides real-time protection against spyware. Not required if you have other "realtime" antispyware or Winpatrol
ZonedOut (http://www.funkytoad.com/index.php?option=com_content&view=article&id=15&Itemid=33) Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
MVPS HOSTS (http://www.mvps.org/winhelp2002/hosts.zip) This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial (http://www.mvps.org/winhelp2002/hosts.htm) by WinHelp2002. Not required if you are using other host file protections
Internet Browsers
Microsoft has worked hard to make IE.7 a more secure browser, unfortunately whilst it is still the leading browser of choice it will always be under attack from the bad guys.
Using a different web browser can help stop malware getting on your machine.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
If you are still using IE6 then either update, or get one of the following.
FireFox (http://www.mozilla.com/en-US/firefox/) With many addons available that make customization easy this is a very popular choice NoScript and AdBlockPlus addons are essential
Opera (http://www.opera.com/) Another popular alternative
Netscape (http://browser.netscape.com/addons) Another popular alternative Also has Addons available
Cleaning Temporary Internet Files and Tracking Cookies
Temporary Internet Files are mainly the files that are downloaded when you open a web page.
Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
It is a good idea to empty the Temporary Internet Files folder on a regular basis.
Tracking Cookies are files that websites use to monitor which sites you visit and how often.
A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords
Both of these can be cleaned manually, but a quicker option is to use a program
ATF Cleaner (http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25) Free and very simple to use
CCleaner (http://www.ccleaner.com/) Free and very flexible, you can chose which cookies to keep
Also PLEASE read this article.....So How Did I Get Infected In The First Place (http://forum.malwareremoval.com/viewtopic.php?t=4959)
The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (Antivirus, Antispyware even Windows) then you are at risk.
Malware changes on a day to day basis. You should update every week at the very least.
If you follow this advice then (with a bit of luck) you will never have to hear from me again :D
If you could post back one more time to let me know everything is OK, then I can have this thread archived.
Happy surfing K'
so it's a false positive.
the system is running ok. i think that this topic can be closed.
thank you, katana!