(Rootkit.Agent) .sys file won't go, PC sending Spam mail when internet is on



Orwell1984
2010-03-26, 01:58
Greetings,

I noticed an unusual tray icon after using Microsoft Outlook. It was Avast's outgoing mail scanner, but I had never sent any e-mail, so I moved my cursor over the icon to get a tooltip, and it showed changing, weird, unknown e-mail addresses, so I realized my computer was sending out spam. I pulled the internet cable out and started Malwarebytes Anti-Malware to do a Quick Scan, because I was too desperate for a full scan, and it detected 4 objects:

C:\WINDOWS\system32\drivers\rfmwzub.sys (Rootkit.Agent)
[same as above]\ighqsk.sys (Rootkit.Agent)

C:\Documents and Settings\Xgamer\Dados de aplicativos [Application Data]\avdrn.dat (Malware.Trace)

And syspck32.exe (Trojan.Downloader) in the Start menu's Startup folder.

All were "fixed" and disappeared, except rfmwzub.sys, which Avast or Malwarebytes require a reboot to remove, but which will not be removed unless in Safe Mode, and it always returns when booting normally.

Here's the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:43:37, on 25/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Trend Micro\HijackThis\hello.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [braviax] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [braviax] (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} (UnityWebPlayer Control) - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235270134703
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\arquivos de programas\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: MGOO - Unknown owner - C:\DOCUME~1\Xgamer\CONFIG~1\Temp\MGOO.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6958 bytes
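
As an added example (not part of this thread, and not HijackThis or the forum's own tooling), here is a small Python triage script that applies, to O4, O10 and O23 lines like the ones in the log above, the checks an analyst applies by eye: Run entries with no command behind them (the [braviax] lines), services whose binary is missing or lives in a Temp folder (MGOO), and LSP or service entries with no known publisher. The sample lines are constructed from the log above; the severity labels and check names are this example's own.

```python
"""Triage the O4 / O10 / O23 lines of a HijackThis v2 log.

Added example for this thread; it is not part of HijackThis or of the
forum's own tooling. It applies the checks an analyst applies by eye:
Run entries with no command behind them, services whose binary is missing
or lives in a Temp folder, and entries with no known publisher.
"""
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on lines from the log posted above.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [avast!] C:\\ARQUIV~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKUS\\S-1-5-18\\..\\Run: [braviax] (User 'SYSTEM')
O4 - HKUS\\.DEFAULT\\..\\Run: [braviax] (User 'Default user')
O10 - Unknown file in Winsock LSP: c:\\windows\\system32\\nwprovau.dll
O23 - Service: MGOO - Unknown owner - C:\\DOCUME~1\\Xgamer\\CONFIG~1\\Temp\\MGOO.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Arquivos de programas\\Alwil Software\\Avast4\\ashServ.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\\WINDOWS\\runservice.exe
"""

# O4 layout: "<hive>\..\Run: [<name>] <command> (User '<user>')"; the user suffix is optional.
O4_RE = re.compile(
    r"^O4 - (?P<key>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*?)\s*(?:\(User '(?P<user>[^']*)'\))?$"
)
O23_PREFIX = "O23 - Service: "
MISSING_SUFFIX = " (file missing)"


def _finding(severity: str, section: str, name: str, reason: str, line: str) -> Dict[str, str]:
    return {"severity": severity, "section": section, "name": name, "reason": reason, "line": line}


def check_o4(line: str) -> Optional[Dict[str, str]]:
    """Flag Run values whose command is empty: the loader was hidden from
    HijackThis or already deleted, but the registry value is still there."""
    m = O4_RE.match(line)
    if not m or m.group("cmd"):
        return None
    return _finding("high", "O4", m.group("name"),
                    "Run value has no command behind it", line)


def check_o10(line: str) -> Optional[Dict[str, str]]:
    """An LSP HijackThis cannot identify deserves a look, but removing a
    legitimate LSP breaks networking, so it only gets 'review'."""
    if not line.startswith("O10 - "):
        return None
    return _finding("review", "O10", line.rsplit(": ", 1)[-1],
                    "Winsock LSP not in the HijackThis whitelist; verify the publisher first", line)


def check_o23(line: str) -> Optional[Dict[str, str]]:
    """Services: the last two ' - ' separators delimit owner and path, so split
    from the right (service display names may themselves contain ' - ')."""
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith(MISSING_SUFFIX)
    if missing:
        path = path[: -len(MISSING_SUFFIX)]
    reasons = []
    if missing:
        reasons.append("service binary is missing (orphaned or self-deleting loader)")
    if "\\temp\\" in path.lower():
        reasons.append("service binary lives in a Temp folder")
    severity = "high" if reasons else None
    if owner == "Unknown owner":
        reasons.append("no publisher recorded for the service")
        severity = severity or "review"
    if severity is None:
        return None
    return _finding(severity, "O23", name, "; ".join(reasons), line)


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run every check over a HijackThis log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        for check in (check_o4, check_o10, check_o23):
            hit = check(line)
            if hit:
                findings.append(hit)
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['section']} {f['name']}: {f['reason']}")
```

Feed it the full log text instead of SAMPLE_LOG to get the same list for a real post; the O10 and "Unknown owner" hits are leads to verify, not items to fix automatically.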

ken545
2010-03-30, 01:11
Hello

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.
Please note: If you use online banking or are registered online with any other organizations, ensure you have memorized passwords and other personal information, as removing cookies will temporarily disable the auto-login facility.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Orwell1984
2010-03-30, 05:11
Hi, thank you for assisting me, my noble sir,

As instructed I downloaded and ran ATF Cleaner with All Selected selected.

Then I ran Combofix, which soon alerted that Rootkit activity had been detected and asked me to let it reboot the PC, which I obviously allowed.

After the reboot it ran through its steps and rebooted again on its own, producing the following log:

ComboFix 10-03-29.02 - Xgamer 29/03/2010 22:28:20.3.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3199.2720 [GMT -3:00]
Executando de: c:\documents and settings\Xgamer\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100209-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\arquivos de programas\Cheat Engine\dbk32.sys
c:\documents and settings\All Users\Documentos\pefycyburu.reg
C:\install.exe
c:\windows\system32\3230355207.dat
c:\windows\system32\csftxctl.ocx
c:\windows\system32\WINCNMD.DLL
c:\windows\system32\zlibwapi.dll
c:\windows\wiaservim.log
c:\windows\yhubap.reg

.
(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-28 to 2010-03-30 ))))))))))))))))))))))))))))
.

2010-03-30 01:25 . 2006-12-06 11:41 44416 ----a-r- c:\windows\system32\drivers\JRAID_2.sys
2010-03-25 21:11 . 2010-03-25 21:11 5115824 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-25 20:41 . 2010-03-30 01:41 804864 ----a-w- c:\windows\system32\drivers\rfmwzub.sys
2010-03-20 11:35 . 2010-03-20 11:35 -------- d-----w- c:\arquivos de programas\Microsoft Hardware
2010-03-10 06:20 . 2010-03-10 06:20 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\InstallShield

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 01:40 . 2007-12-26 09:52 3201 --sha-w- c:\windows\system32\mmf.sys
2010-03-30 01:37 . 2008-03-30 10:43 -------- d-----w- c:\arquivos de programas\Cheat Engine
2010-03-29 17:07 . 2008-08-21 21:12 -------- d-----w- c:\arquivos de programas\Steam
2010-03-26 22:43 . 2009-07-08 06:49 -------- d-----w- c:\arquivos de programas\ArtMoney
2010-03-25 21:41 . 1782-01-19 03:14 83888 ----a-w- c:\windows\system32\perfc016.dat
2010-03-25 21:41 . 1782-01-19 03:14 479704 ----a-w- c:\windows\system32\perfh016.dat
2010-03-25 21:11 . 2009-08-19 21:43 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2010-03-25 20:46 . 2007-08-29 20:41 -------- d-----w- c:\arquivos de programas\Grumble
2010-03-25 20:40 . 2010-03-25 20:40 8 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\jasltw.dat
2010-03-25 00:40 . 2008-08-25 20:49 -------- d-----w- c:\arquivos de programas\Grvid
2010-03-10 06:53 . 2004-08-04 21:04 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2010-03-10 06:20 . 2004-08-04 21:04 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield
2010-03-09 20:54 . 2010-01-16 02:18 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight
2010-02-27 06:12 . 2009-08-10 12:18 -------- d-----w- c:\arquivos de programas\Empire of Sports
2010-02-24 01:29 . 2009-10-08 15:29 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Tropico 3
2010-02-23 07:31 . 2007-08-31 18:30 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-23 07:31 . 2007-08-31 18:30 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-23 05:17 . 2010-02-23 05:17 -------- d-----w- c:\arquivos de programas\Enlight
2010-02-20 16:12 . 2010-02-20 16:12 -------- d-----w- c:\arquivos de programas\Arquivos comuns\BioWare
2010-02-11 13:02 . 2010-01-17 12:55 -------- d-----w- c:\arquivos de programas\Google
2010-02-04 14:13 . 2007-08-25 12:36 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Azureus
2010-02-02 06:05 . 2010-02-02 04:39 -------- d-----w- c:\arquivos de programas\Kalypso
2010-02-02 06:04 . 2010-02-02 04:45 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Grand Ages Rome Demo
2010-01-20 19:01 . 2010-01-20 19:01 61 --sh--w- c:\windows\cnerolf.bin
2010-01-17 14:54 . 2010-01-17 14:54 74083 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ARPPRODUCTICON.exe
2010-01-17 14:54 . 2010-01-17 14:54 73728 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ndac.exe1_0D54DE165360499A9175C95A7F3C5401.exe
2010-01-17 14:54 . 2010-01-17 14:54 73728 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ndac.exe_0BD1ADA496834929AD856F9834E3E161.exe
2010-01-07 19:07 . 2009-08-19 21:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:07 . 2009-08-19 21:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 22:38 . 2007-08-31 18:30 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-18 15:37 . 2009-08-18 15:37 18898 ----a-w- c:\arquivos de programas\Arquivos comuns\anatut.dat
2009-08-18 15:37 . 2009-08-18 15:37 18011 ----a-w- c:\arquivos de programas\Arquivos comuns\rezino._dl
2009-08-18 13:34 . 2009-08-18 13:34 2156 ----a-w- c:\arquivos de programas\rrcdcsoh.txt
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Arquivos de programas\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Arquivos de programas\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\Atari\\Deer Hunter 2005\\DH2005.exe"=
"c:\\Arquivos de programas\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Arquivos de programas\\GameSpy Arcade\\Aphex.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dangerous waters\\dangerouswaters.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Activision\\Bridge Commander\\stbc.exe"=
"c:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dangerous waters\\Steamrun.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\fallout 3\\Fallout3.exe"=
"c:\\Arquivos de programas\\Steam\\Steam.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\WW2.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\WW2_sse2.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\playgate_120.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=
"c:\\Arquivos de programas\\Pando Networks\\Pando\\pando.exe"=
"c:\\Arquivos de programas\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Paradox Interactive\\Hearts of Iron III\\hoi3game.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\ClientUpdater.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\NetworkDiagnostic.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\EmpireOfSports.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\BB.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Arquivos de programas\\FSFDT\\FSInn UI\\FSInnUI.exe"=
"c:\\Arquivos de programas\\FSFDT\\FSInn UI VVL\\FSInnUIVVL.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\tropico 3\\tropico3.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect 2\\MassEffect2Launcher.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\railworks\\RailWorks.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Documents and Settings\\Xgamer\\Configurações locais\\Dados de aplicativos\\F4\\ClientUpdater\\ClientUpdater.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59007:TCP"= 59007:TCP:Pando P2P TCP Listening Port
"59007:UDP"= 59007:UDP:Pando P2P UDP Listening Port

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [5/7/2006 09:46 63352]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [30/3/2008 07:43 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/3/2008 07:43 20560]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [26/12/2007 06:52 2560]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [15/9/2009 12:59 38248]
S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [17/1/2010 09:55 135664]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\icrecusb.sys [11/12/2007 15:28 17432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\arquivos de programas\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [10/3/2010 21:37 25832]
S3 MGOO;MGOO;c:\docume~1\Xgamer\CONFIG~1\Temp\MGOO.exe --> c:\docume~1\Xgamer\CONFIG~1\Temp\MGOO.exe [?]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [7/8/2004 20:03 3968]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - rfmwzub
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-01-17 12:55]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-01-17 12:55]
.
.
------- Scan Suplementar -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
FF - ProfilePath - c:\documents and settings\Xgamer\Dados de aplicativos\Mozilla\Firefox\Profiles\lzgqebef.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\arquivos de programas\Virtual Earth 3D\npVE3D.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORFÃOS REMOVIDOS - - - -

AddRemove-BattlEye - c:\program files\Atari\ArmA\BattlEye\UnInstallBE.exe
AddRemove-Boeing 757 - c:\planestoburn\VERYTEMP\Uninstal.exe
AddRemove-HijackThis - c:\arquivos de programas\Trend Micro\HijackThis\HijackThis.exe
AddRemove-WoS INSTALLER FSD PIPER NAVAJO-PANTHER - c:\program files\Microsoft Games\Flight Simulator 9\Uninstal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-29 22:40
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A2168E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> 0x8a2168e0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rfmwzub]

.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-583907252-823518204-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

[HKEY_USERS\S-1-5-21-583907252-823518204-682003330-1003\Software\SecuROM\License information*]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\A62C3DF982434ABDAD414E772CEE62E6]

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B3E62936FE1487AF4E0CC9BD2A26433C]
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(3624)
c:\windows\system32\WININET.dll
c:\arquivos de programas\Dropbox\DropboxExt.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe
.
**************************************************************************
.
Tempo para conclusão: 2010-03-29 22:47:41 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-03-30 01:47
ComboFix2.txt 2009-05-22 15:46

Pré-execução: 23 pasta(s) 68.223.705.088 bytes disponíveis
Pós execução: 26 pasta(s) 68.302.376.960 bytes disponíveis

- - End Of File - - 48BE4EE2717BDD0B7EBD54127204A0BE

=======================
And a fresh HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:59:25, on 29/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\runservice.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Trend Micro\HijackThis\Xgamer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} (UnityWebPlayer Control) - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235270134703
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\arquivos de programas\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: MGOO - Unknown owner - C:\DOCUME~1\Xgamer\CONFIG~1\Temp\MGOO.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6648 bytes

===================
Since Avast had come back online after this reboot it eventually detected the evil and ineliminable rfmwzub.sys again. It's standing there in the windows\system32\driver folder. For what this information is worth, the minute after I created this thread I went ahead and did a full scan with an up-to-date Malwarebytes and it only detected the rfmwzub.sys.

ken545
2010-03-30, 11:52
Hi,

I am not seeing that file on your system so Avast may have removed it.

Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Open up Malwarebytes and go to the Report tab and copy and paste the report for me to see.

Let's check for Rootkit activity. GMER is the program we want to run; DeFogger will just disable your CD drivers so as not to interfere with the scan. Be sure to re-enable them when GMER is done.

Please download DeFogger (http://www.jpshortstuff.247fixes.com/Defogger.exe) to your desktop.

Double click DeFogger to run the tool.

The application window will appear
Click the Disable button to disable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next:

Please download GMER from one of the following locations and save it to your desktop:
Main Mirror (http://gmer.net/download.php)
This version will download a randomly named file (Recommended)
Zipped Mirror (http://gmer.net/gmer.zip)
This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.

Disconnect from the Internet and close all running programs.
Temporarily disable any real-time active protection (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html) so your security programs will not conflict with gmer's driver.
Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif

GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
Now click the Scan button. If you see a rootkit warning window, click OK.
When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
Click the Copy button and paste the results into your next reply.
Exit GMER and re-enable all active protection when done.

To re-enable your Emulation drivers, double click DeFogger to run the tool.

The application window will appear
Click the Re-enable button to re-enable your CD Emulation drivers
Click Yes to continue
A 'Finished!' message will appear
Click OK
DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

Your Emulation drivers are now re-enabled.

Orwell1984
2010-03-31, 01:52
I forgot to tell you I'm keeping the infected PC off the internet and typing this from a laptop, using a pen drive to transfer downloads and logs, until you tell me to connect. Perhaps the "virus", if I may call it that, is not completely active unless the internet is on and it can proceed sending out spam, though Avast and Malwarebytes will detect it either way.

Following your instructions, I did as told with HijackThis.

And here's the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.44
Database version: 3914
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

25/3/2010 23:11:52
mbam-log-2010-03-25 (23-11-52).txt

Scan type: Full Scan (C:\|)
Objects scanned: 584165
Time elapsed: 2 hour(s), 0 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\drivers\rfmwzub.sys (Rootkit.Agent) -> Delete on reboot.

====================
Next I ran defogger without any problems, and peeking at its log just for curiosity it said it was unable to read the rfmwzub.sys file, here's the log, just for curiosity:

defogger_disable by jpshortstuff (23.02.10.1)
Log created at 14:30 on 30/03/2010 (Xgamer)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...
Unable to read rfmwzub.sys


-=E.O.F=-

====================
Then I downloaded the recommended randomly named GMER and did as instructed. It did warn of rootkit activity and offered a full scan, which I declined as instructed. Here's the log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-30 19:17:07
Windows 5.1.2600 Service Pack 3
Running: zc44s4k4.exe; Driver: C:\DOCUME~1\Xgamer\CONFIG~1\Temp\kxdyiaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB3DB36B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB3DB3574] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB3DB3A52] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB3DB314C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB3DB364E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB3DB308C] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB3DB30F0] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB3DB376E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB3DB372E] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB3DB38AE] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

.pak2 C:\WINDOWS\system32\drivers\rfmwzub.sys entry point in ".pak2" section [0xB873BB97]
? C:\WINDOWS\system32\drivers\rfmwzub.sys Um dispositivo conectado ao sistema não está funcionando.
.xreloc C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xB86CE000, 0xC5E, 0x40000040]
PAGE Ntfs.sys B84E3E55 4 Bytes CALL 8A2B96D1
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6840360, 0x3D46A5, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB33C9300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB67A0300, 0x1BEE, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[592] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[592] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A16E1E0

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 8A1E98E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8A1E98E0
Device \Driver\atapi \Device\Ide\IdePort1 8A1E98E0
Device \Driver\atapi \Device\Ide\IdePort2 8A1E98E0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8A1E98E0
Device \Driver\atapi \Device\Ide\IdePort3 8A1E98E0
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-17 8A1E98E0

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] rfmwzub <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\rfmwzub@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\rfmwzub@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\rfmwzub@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\rfmwzub@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmwzub@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmwzub@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmwzub@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmwzub@Group Boot Bus Extender

---- Files - GMER 1.0.15 ----

File C:\Program Files\Lead Pursuit\Battlefield Operations\acmibin\balkans\demoBalkans.vhs 795713 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\acmibin\balkans\TAPE_2008-03-23_0001.vhs 197582 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\acmibin\balkans\TAPE_2008-03-23_0002.vhs 229646 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\acmibin\korea\demoKorea.vhs 411607 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\ckptart\Res_1600\F16MLU\Default\Common\3dckpit.dat 2570 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\acicons.irc 3182 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\Award.scf 2714 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\COURT.scf 2332 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\IMAGEIDS.ID 63 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\IMAGERC.IRC 654 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\KIA.scf 2487 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\Promo.scf 2612 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\resupply.scf 2312 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\Scramble.scf 1567 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\TOTIME.scf 2418 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\TOWait.scf 2238 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\TRUCE.scf 2938 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\uidcp.scf 17916 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\UIDIDS.ID 267 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\common\USERIDS.ID 551 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\chat_pop.scf 471 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\Commlink.scf 3207 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\comms.scf 5113 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\commsFS.scf 4897 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\description.scf 2587 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\editinet.scf 3223 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\IMAGERC.IRC 140 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\jetnet.scf 10697 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\jetset.scf 5000 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\mplay.scf 17406 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\PBook.scf 22835 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\comms\USERIDS.ID 4240 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\dgft\load\df_head.scf 0 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\dgft\load\df_load.scf 0 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\dgft\load\df_pua.scf 0 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\dgft\load\df_sua.scf 0 bytes
File C:\Program Files\Lead Pursuit\Battlefield Operations\art\dgft\load\df_tool.scf 0 bytes

---- EOF - GMER 1.0.15 ----


=====================
Then I re-enabled the drivers with Defogger, as told.
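
The GMER log above carries the three signals a helper correlates before calling a driver a rootkit: a service GMER could not enumerate through the normal API (hidden), registry entries for that same name with Start=0 in the Boot Bus Extender group (loaded before any user-mode scanner), and a driver whose entry point sits in a non-standard packed section. The avast! SSDT hooks, by contrast, are flagged "ROOTKIT !!!" too but belong to an installed security product. As an added example that is not part of this thread and not GMER's own code, the Python below parses a constructed sample made from a few lines of that log and ranks the findings the way a triager would. The function names parse_gmer and assess, and the trusted-vendor set, are my own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the lines from the GMER log posted above.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB3DB36B8] <-- ROOTKIT !!!
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB3DB308C] <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

.pak2 C:\WINDOWS\system32\drivers\rfmwzub.sys entry point in ".pak2" section [0xB873BB97]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6840360, 0x3D46A5, 0xE8000020]

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] rfmwzub <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet003\Services\rfmwzub@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmwzub@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmwzub@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\rfmwzub@Group Boot Bus Extender
"""

# Line shapes as GMER 1.0.15 prints them (assumed from the log above, not from GMER docs).
SSDT_HOOK = re.compile(r"^SSDT (?P<module>\S+) \((?P<desc>[^/]*)/(?P<vendor>[^)]*)\) (?P<func>\w+)")
ENTRY_POINT = re.compile(r'^(?P<section>\S+) (?P<path>.+?) entry point in "[^"]+" section')
HIDDEN_SERVICE = re.compile(r"^Service \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
REG_VALUE = re.compile(
    r"^Reg HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\Services\\(?P<name>[^@]+)@(?P<value>\w+)(?: (?P<data>.*))?$"
)


def parse_gmer(text):
    """Collect SSDT hooks, packed entry points, hidden services and service registry values."""
    findings = {
        "ssdt_hooks": [],
        "entry_points": [],
        "hidden_services": [],
        # service name -> control set -> {value name: data}
        "registry": defaultdict(lambda: defaultdict(dict)),
    }
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_HOOK.match(line):
            findings["ssdt_hooks"].append(m.groupdict())
        elif m := ENTRY_POINT.match(line):
            findings["entry_points"].append(m.groupdict())
        elif m := HIDDEN_SERVICE.match(line):
            findings["hidden_services"].append(m.groupdict())
        elif m := REG_VALUE.match(line):
            findings["registry"][m["name"]][m["cs"]][m["value"]] = m["data"] or ""
    return findings


def assess(findings, trusted_vendors=frozenset({"ALWIL Software"})):
    """Turn parsed findings into (severity, message) tuples for a triage queue."""
    alerts = []
    for hook in findings["ssdt_hooks"]:
        # GMER labels every SSDT hook "ROOTKIT !!!"; hooks owned by the installed
        # antivirus are expected and only worth recording at info level.
        sev = "info" if hook["vendor"] in trusted_vendors else "high"
        alerts.append((sev, f"SSDT hook on {hook['func']} by {hook['module']} ({hook['vendor']})"))
    for ep in findings["entry_points"]:
        alerts.append(("high", f"driver {ep['path']} has its entry point in non-standard "
                               f"section {ep['section']} (likely packed)"))
    for svc in findings["hidden_services"]:
        regs = findings["registry"].get(svc["name"], {})
        # Start=0 means boot-start: the driver loads before any user-mode scanner can run,
        # which is why it keeps coming back after a normal reboot.
        boot_start = any(vals.get("Start") == "0" for vals in regs.values())
        groups = {vals.get("Group") for vals in regs.values() if vals.get("Group")}
        sev = "critical" if boot_start else "high"
        detail = f"Start=0 in {', '.join(sorted(regs))}" if boot_start else "no Start=0 value found"
        if groups:
            detail += f"; group {', '.join(sorted(groups))}"
        alerts.append((sev, f"hidden service {svc['name']} [{svc['start']}]: {detail}"))
    return alerts


if __name__ == "__main__":
    for severity, message in assess(parse_gmer(SAMPLE_GMER_LOG)):
        print(f"{severity:8s} {message}")
```

The only alert rated critical is the hidden service whose registry data shows Start=0 in both control sets, which matches what the thread observed: the file survives every normal reboot and is only removable from Safe Mode or offline.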

ken545
2010-03-31, 02:12
Keeping this computer offline is a good idea for the time being.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RC1.png

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a New Hijackthis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Orwell1984
2010-03-31, 02:58
Done.

Combofix's log:

ComboFix 10-03-29.04 - Xgamer 30/03/2010 20:31:55.4.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3199.2709 [GMT -3:00]
Executando de: c:\documents and settings\Xgamer\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1368 [VPS 100209-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-28 to 2010-03-30 ))))))))))))))))))))))))))))
.

2010-03-30 01:25 . 2006-12-06 11:41 44416 ----a-r- c:\windows\system32\drivers\JRAID_2.sys
2010-03-25 21:11 . 2010-03-25 21:11 5115824 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-25 20:41 . 2010-03-30 23:44 804864 ----a-w- c:\windows\system32\drivers\rfmwzub.sys
2010-03-20 11:35 . 2010-03-20 11:35 -------- d-----w- c:\arquivos de programas\Microsoft Hardware
2010-03-10 06:20 . 2010-03-10 06:20 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\InstallShield

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-30 23:42 . 2007-12-26 09:52 3201 --sha-w- c:\windows\system32\mmf.sys
2010-03-30 01:37 . 2008-03-30 10:43 -------- d-----w- c:\arquivos de programas\Cheat Engine
2010-03-29 17:07 . 2008-08-21 21:12 -------- d-----w- c:\arquivos de programas\Steam
2010-03-26 22:43 . 2009-07-08 06:49 -------- d-----w- c:\arquivos de programas\ArtMoney
2010-03-25 21:41 . 1782-01-19 03:14 83888 ----a-w- c:\windows\system32\perfc016.dat
2010-03-25 21:41 . 1782-01-19 03:14 479704 ----a-w- c:\windows\system32\perfh016.dat
2010-03-25 21:11 . 2009-08-19 21:43 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2010-03-25 20:46 . 2007-08-29 20:41 -------- d-----w- c:\arquivos de programas\Grumble
2010-03-25 20:40 . 2010-03-25 20:40 8 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\jasltw.dat
2010-03-25 00:40 . 2008-08-25 20:49 -------- d-----w- c:\arquivos de programas\Grvid
2010-03-10 06:53 . 2004-08-04 21:04 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2010-03-10 06:20 . 2004-08-04 21:04 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield
2010-03-09 20:54 . 2010-01-16 02:18 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight
2010-02-27 06:12 . 2009-08-10 12:18 -------- d-----w- c:\arquivos de programas\Empire of Sports
2010-02-24 01:29 . 2009-10-08 15:29 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Tropico 3
2010-02-23 07:31 . 2007-08-31 18:30 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-23 07:31 . 2007-08-31 18:30 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-23 05:17 . 2010-02-23 05:17 -------- d-----w- c:\arquivos de programas\Enlight
2010-02-20 16:12 . 2010-02-20 16:12 -------- d-----w- c:\arquivos de programas\Arquivos comuns\BioWare
2010-02-11 13:02 . 2010-01-17 12:55 -------- d-----w- c:\arquivos de programas\Google
2010-02-04 14:13 . 2007-08-25 12:36 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Azureus
2010-02-02 06:05 . 2010-02-02 04:39 -------- d-----w- c:\arquivos de programas\Kalypso
2010-02-02 06:04 . 2010-02-02 04:45 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Grand Ages Rome Demo
2010-01-20 19:01 . 2010-01-20 19:01 61 --sh--w- c:\windows\cnerolf.bin
2010-01-17 14:54 . 2010-01-17 14:54 74083 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ARPPRODUCTICON.exe
2010-01-17 14:54 . 2010-01-17 14:54 73728 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ndac.exe1_0D54DE165360499A9175C95A7F3C5401.exe
2010-01-17 14:54 . 2010-01-17 14:54 73728 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ndac.exe_0BD1ADA496834929AD856F9834E3E161.exe
2010-01-07 19:07 . 2009-08-19 21:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:07 . 2009-08-19 21:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 22:38 . 2007-08-31 18:30 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-18 15:37 . 2009-08-18 15:37 18898 ----a-w- c:\arquivos de programas\Arquivos comuns\anatut.dat
2009-08-18 15:37 . 2009-08-18 15:37 18011 ----a-w- c:\arquivos de programas\Arquivos comuns\rezino._dl
2009-08-18 13:34 . 2009-08-18 13:34 2156 ----a-w- c:\arquivos de programas\rrcdcsoh.txt
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Arquivos de programas\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Arquivos de programas\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\Atari\\Deer Hunter 2005\\DH2005.exe"=
"c:\\Arquivos de programas\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Arquivos de programas\\GameSpy Arcade\\Aphex.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dangerous waters\\dangerouswaters.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Activision\\Bridge Commander\\stbc.exe"=
"c:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dangerous waters\\Steamrun.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\fallout 3\\Fallout3.exe"=
"c:\\Arquivos de programas\\Steam\\Steam.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\WW2.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\WW2_sse2.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\playgate_120.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=
"c:\\Arquivos de programas\\Pando Networks\\Pando\\pando.exe"=
"c:\\Arquivos de programas\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Paradox Interactive\\Hearts of Iron III\\hoi3game.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\ClientUpdater.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\NetworkDiagnostic.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\EmpireOfSports.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\BB.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Arquivos de programas\\FSFDT\\FSInn UI\\FSInnUI.exe"=
"c:\\Arquivos de programas\\FSFDT\\FSInn UI VVL\\FSInnUIVVL.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\tropico 3\\tropico3.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect 2\\MassEffect2Launcher.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\railworks\\RailWorks.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Documents and Settings\\Xgamer\\Configurações locais\\Dados de aplicativos\\F4\\ClientUpdater\\ClientUpdater.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59007:TCP"= 59007:TCP:Pando P2P TCP Listening Port
"59007:UDP"= 59007:UDP:Pando P2P UDP Listening Port

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [5/7/2006 09:46 63352]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [30/3/2008 07:43 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/3/2008 07:43 20560]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [26/12/2007 06:52 2560]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [15/9/2009 12:59 38248]
S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [17/1/2010 09:55 135664]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\icrecusb.sys [11/12/2007 15:28 17432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\arquivos de programas\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [10/3/2010 21:37 25832]
S3 MGOO;MGOO;c:\docume~1\Xgamer\CONFIG~1\Temp\MGOO.exe --> c:\docume~1\Xgamer\CONFIG~1\Temp\MGOO.exe [?]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [7/8/2004 20:03 3968]

--- =Outros Serviços/Drivers Na Memória ---

*Deregistered* - rfmwzub
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-01-17 12:55]

2010-03-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-01-17 12:55]
.
.
------- Scan Suplementar -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
FF - ProfilePath - c:\documents and settings\Xgamer\Dados de aplicativos\Mozilla\Firefox\Profiles\lzgqebef.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-30 20:43
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A28B9D8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> 0x8a28b9d8
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rfmwzub]

.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-583907252-823518204-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:05,9e,76,9d,4e,a5,38,74,1d,ab,fc,3d,34,0f,57,77,94,a6,85,91,3a,61,0d,
ef,2c,a9,7b,ad,37,da,ec,55,82,20,a3,d9,cf,ba,9f,66,16,fb,14,5e,40,4f,6c,46,\
"??"=hex:1b,76,be,4e,19,34,99,bc,11,c6,b6,2e,a2,9f,c9,54

[HKEY_USERS\S-1-5-21-583907252-823518204-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:27,78,98,00,02,74,12,0a,29,df,c2,92,e7,f1,da,7c,33,41,26,6a,b1,
06,c8,0d,54,6b,e3,7a,60,85,19,22,fa,4c,e7,77,21,0c,56,9f,17,ca,53,5b,23,21,\
"rkeysecu"=hex:9c,2a,b0,3d,2b,ce,0d,8e,44,a3,6f,02,53,73,4a,d1

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\A62C3DF982434ABDAD414E772CEE62E6]
"1"=hex:bf,6a,73,4a,48,57,d9,26,5d,d7,11,8b,51,ce,1c,37,b2,8b,15,99,5d,9d,47,
61,6c,bf,37,a7,d1,d7,c0,b2
"2"=hex:ac,5d,cf,8a,eb,60,b6,ba
"3"=hex:34,50,2d,ac,bc,df,58,1b,d8,6c,d4,38,2b,77,45,94,bf,a0,c5,16,ee,a5,b2,
32,0b,0d,d5,9e,2c,c0,77,ca,a7,d8,1b,41,03,14,f0,02,74,dd,91,7c,34,81,25,d1,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,6a,73,4a,48,57,d9,26,5d,d7,11,8b,51,ce,1c,37,b2,8b,15,99,5d,9d,47,
61,6e,6a,1d,2f,00,6b,b9,62,3e,79,c0,6d,00,71,75,df,e6,92,bc,0e,a3,f5,1e,a9,\
"7"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,56,a7,02,9d,f0,a0,1d,
cc,28,d9,b1,18,9e,f1,8d,e8,54,e6,61,27,95,2e,52,cc,1c,f7,fa,64,bd,24,b7,82,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,ae,a5,e1,39,c0,fe,a7,12,fb,d4,fe,25,dc,00,56,48,cb,f3,0e,96,93,6e,94,4d,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:d0,71,12,cb,08,b7,a7,d6
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:72,31,07,4e,cb,fd,20,44,b0,30,08,cc,73,40,ef,7f,03,7e,08,77,1a,71,9b,
32,a0,5d,6a,56,3a,1b,9d,3f,59,3d,58,02,71,57,00,41,67,c8,8e,a7,9b,1c,40,7f,\
"13"=hex:e7,92,97,05,ba,b7,88,9e,85,16,26,36,0f,b2,e3,5a,a3,b8,1f,74,11,d9,0e,
a5,35,1f,db,4c,b4,50,ba,99,05,33,6f,ed,1c,09,d2,1f
"14"=hex:99,f7,bb,1b,0d,9d,88,b4,fa,9e,45,6c,cb,b1,2f,71
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:14,0d,2b,41,dd,9e,f3,8a,7b,48,c2,a6,21,cb,52,28
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:65,2f,cc,ba,3f,19,56,74,70,f2,06,7c,a7,ba,05,4c,3d,1f,99,31,68,53,97,
4d,b7,17,bd,cb,3d,32,2b,06,a6,c0,88,5a,37,c1,39,cd,c7,5a,e9,20,d4,28,74,87,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B3E62936FE1487AF4E0CC9BD2A26433C]
"1"=hex:df,c7,3a,96,ab,66,13,d2,35,84,aa,2e,3b,c4,59,82
"2"=hex:a5,2d,b1,39,25,57,b6,7c,bd,55,f5,f4,85,30,c7,12
"3"=hex:ff,71,2a,a0,e1,fa,fd,f4,76,36,05,b2,bd,c4,78,4f,17,22,25,5a,bd,6b,bb,
0b,e3,93,49,a9,ee,66,58,2f,a4,2a,9c,fe,75,da,e1,50,28,33,b2,1e,1c,f2,9a,f3,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:df,c7,3a,96,ab,66,13,d2,0e,90,72,68,c4,63,c8,bb,00,5d,70,3b,08,36,97,
bd,ee,04,c1,4a,7c,6f,fd,5f,f7,67,d1,43,f2,ef,e6,1c,89,7c,fa,9f,4c,d6,39,08,\
"7"=hex:93,41,de,56,34,94,a7,b2,13,ca,26,2f,35,a5,e0,53,1e,d5,e7,20,4a,dd,09,
c9,2d,37,7b,a2,3c,71,f4,5e,ed,02,2a,97,fd,fb,2c,72,12,5f,23,ff,c4,2a,48,c4,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,c9,4f,a5,f8,51,27,e9,29,77,5c,86,6d,0a,20,f9,c7,d7,30,8a,47,ce,07,3e,13,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:d0,71,12,cb,08,b7,a7,d6
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:eb,97,99,7a,65,b9,91,7d,ee,96,33,2e,7e,c5,12,36,66,80,5c,16,18,db,f8,
df,b9,52,b8,ee,31,34,87,75,17,33,ec,40,2b,b3,3d,07,b4,67,e7,22,9b,f8,a1,86,\
"13"=hex:bc,56,46,8c,be,fe,b0,9e,a9,c8,a6,e3,7c,a8,f0,9e,7a,b5,3a,f7,d0,9f,7f,
6b,6b,6f,9a,1a,e8,9b,87,44,36,99,a7,79,53,f4,34,26
"14"=hex:d2,08,a4,82,f1,1a,a0,b4,f5,1f,60,13,49,13,4c,d5
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:df,60,78,8d,35,eb,80,3e,82,79,f2,d5,0b,bb,7d,ee
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:b6,ff,2b,2e,0f,22,1f,03,93,0e,f3,0f,87,f9,4e,67,5c,c8,81,88,cf,56,f8,
bb,6f,5c,8c,63,35,d1,f5,5c,04,ca,19,ef,7e,c6,b8,eb,99,e8,47,13,5f,17,41,7b,\
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(428)
c:\windows\system32\WININET.dll
c:\arquivos de programas\Dropbox\DropboxExt.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe
.
**************************************************************************
.
Tempo para conclusão: 2010-03-30 20:50:02 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-03-30 23:50
ComboFix2.txt 2010-03-30 01:47
ComboFix3.txt 2009-05-22 15:46

Pré-execução: 25 pasta(s) 68.288.950.272 bytes disponíveis
Pós execução: 26 pasta(s) 68.252.192.768 bytes disponíveis

- - End Of File - - FD096209CA0509FA173263A8F54F4CAF

============
And HijackThis's log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:56:10, on 30/3/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
C:\WINDOWS\runservice.exe
C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe
C:\WINDOWS\explorer.exe
C:\Arquivos de programas\Trend Micro\HijackThis\Xgamer.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [avast!] C:\ARQUIV~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARQUIV~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} -
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} (WebIQ Engine Application Object) -
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} (UnityWebPlayer Control) - http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235270134703
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Dragon Age: Origins - Content Updater (DAUpdaterSvc) - BioWare - c:\arquivos de programas\steam\steamapps\common\dragon age origins\bin_ship\DAUpdaterSvc.Service.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Arquivos de programas\Google\Update\GoogleUpdate.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - C:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: MGOO - Unknown owner - C:\DOCUME~1\Xgamer\CONFIG~1\Temp\MGOO.exe (file missing)
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 6627 bytes

ken545
2010-03-31, 04:03
Please download OTM by OldTimer (http://oldtimer.geekstogo.com/OTM.exe) and save it to your desktop.
Double click the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/OTMdesktopicon.png icon on your desktop.
Paste the following code under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/pasteline.png area.
Do not include the word "Code".



:Processes
explorer.exe

:Services

:Reg
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rfmwzub]

:Files
C:\WINDOWS\system32\drivers\rfmwzub.sys


:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Push the large http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/btnmoveit.png button.
OTM may ask to reboot the machine. Please do so if asked.
Copy/Paste the contents under the http://billy-oneal.com/Canned%20Speeches/speechimages/OTM/results.png line here in your next reply.
If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




We need to look a bit deeper into your system



Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under the Custom Scan box paste this in


netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav



Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.




Post both the OTM and OTL log please

Orwell1984
2010-03-31, 05:20
Done as instructed, here come the logs:

OTM:

All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rfmwzub\ not found.
========== FILES ==========
File move failed. C:\WINDOWS\system32\drivers\rfmwzub.sys scheduled to be moved on reboot.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrador
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: eMule_Secure
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 75516 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Xgamer
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5980634 bytes
->Java cache emptied: 12585332 bytes
->FireFox cache emptied: 48029099 bytes
->Flash cache emptied: 2827440 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 4981028 bytes
%systemroot%\System32 .tmp files removed: 785305 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 122024 bytes
Windows Temp folder emptied: 16384 bytes
RecycleBin emptied: 42405 bytes

Total Files Cleaned = 72,00 mb


OTM by OldTimer - Version 3.1.10.1 log created on 03302010_222900

Files moved on Reboot...
File move failed. C:\WINDOWS\system32\drivers\rfmwzub.sys scheduled to be moved on reboot.
C:\WINDOWS\temp\Perflib_Perfdata_4b0.dat moved successfully.

Registry entries deleted on Reboot...
=============================
OTL:

OTL logfile created on: 30/3/2010 22:40:35 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Xgamer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 87,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 2046

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 298,08 Gb Total Space | 63,63 Gb Free Space | 21,35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: QUAD-XGAMER
Current User Name: Xgamer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Xgamer\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
PRC - C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
PRC - C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
PRC - C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
PRC - C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe (NVIDIA)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\WINDOWS\Runservice.exe ()
PRC - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Xgamer\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\xpsp2res.dll (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (MGOO) -- File not found
SRV - (DAUpdaterSvc) -- c:\Arquivos de programas\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe (BioWare)
SRV - (avast! Antivirus) -- C:\Arquivos de programas\Alwil Software\Avast4\ashServ.exe (ALWIL Software)
SRV - (avast! Mail Scanner) -- C:\Arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe (ALWIL Software)
SRV - (avast! Web Scanner) -- C:\Arquivos de programas\Alwil Software\Avast4\ashWebSv.exe (ALWIL Software)
SRV - (aswUpdSv) -- C:\Arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe (ALWIL Software)
SRV - (nTuneService) -- C:\Arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe (NVIDIA)
SRV - (LicCtrlService) -- C:\WINDOWS\Runservice.exe ()
SRV - (usnjsvc) -- C:\Arquivos de programas\MSN Messenger\usnsvc.exe (Microsoft Corporation)
SRV - (IDriverT) -- C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe (Macrovision Corporation)
SRV - (ose) -- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE (Microsoft Corporation)
SRV - (MDM) -- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE (Microsoft Corporation)
SRV - (ICDSPTSV) -- C:\WINDOWS\system32\IcdSptSv.exe (Sony Corporation)


========== Driver Services (SafeList) ==========

DRV - (aswTdi) -- C:\WINDOWS\system32\drivers\aswTdi.sys (ALWIL Software)
DRV - (aswRdr) -- C:\WINDOWS\system32\drivers\aswRdr.sys (ALWIL Software)
DRV - (Aavmker4) -- C:\WINDOWS\system32\drivers\aavmker4.sys (ALWIL Software)
DRV - (atksgt) -- C:\WINDOWS\system32\drivers\atksgt.sys ()
DRV - (lirsgt) -- C:\WINDOWS\system32\drivers\lirsgt.sys ()
DRV - (nvoclock) -- C:\WINDOWS\system32\drivers\nvoclock.sys (NVIDIA Corp.)
DRV - (aswMon2) -- C:\WINDOWS\system32\drivers\aswmon2.sys (ALWIL Software)
DRV - (aswSP) -- C:\WINDOWS\system32\drivers\aswSP.sys (ALWIL Software)
DRV - (aswFsBlk) -- C:\WINDOWS\system32\drivers\aswFsBlk.sys (ALWIL Software)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (PnkBstrK) -- C:\WINDOWS\system32\drivers\pnkbstrk.sys ()
DRV - (HDAudBus) -- C:\WINDOWS\system32\drivers\hdaudbus.sys (Windows (R) Server 2003 DDK provider)
DRV - (IntcAzAudAddService) Service for Realtek HD Audio (WDM) -- C:\WINDOWS\system32\drivers\RtkHDAud.sys (Realtek Semiconductor Corp.)
DRV - (JRAID) -- C:\WINDOWS\system32\DRIVERS\jraid.sys (JMicron Technology Corp.)
DRV - (AsIO) -- C:\WINDOWS\system32\drivers\AsIO.sys ()
DRV - (sfsync04) StarForce Protection Synchronization Driver (version 4.x) -- C:\WINDOWS\System32\drivers\sfsync04.sys (Protection Technology (StarForce))
DRV - (sfdrv01a) StarForce Protection Environment Driver (version 1.x.a) -- C:\WINDOWS\System32\drivers\sfdrv01a.sys (Protection Technology (StarForce))
DRV - (sfhlp02) StarForce Protection Helper Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfhlp02.sys (Protection Technology (StarForce))
DRV - (sfdrv01) StarForce Protection Environment Driver (version 1.x) -- C:\WINDOWS\System32\drivers\sfdrv01.sys (Protection Technology (StarForce))
DRV - (JGOGO) -- C:\WINDOWS\system32\DRIVERS\JGOGO.sys (JMicron )
DRV - (sfvfs02) StarForce Protection VFS Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfvfs02.sys (Protection Technology)
DRV - (yukonwxp) -- C:\WINDOWS\system32\drivers\yk51x86.sys (Marvell)
DRV - (sfsync02) StarForce Protection Synchronization Driver (version 2.x) -- C:\WINDOWS\System32\drivers\sfsync02.sys (Protection Technology)
DRV - (MTsensor) -- C:\WINDOWS\system32\drivers\ASACPI.sys ()
DRV - (IcRecUsb) -- C:\WINDOWS\system32\drivers\icrecusb.sys (lecs Inc.)
DRV - (SWUSBFLT) -- C:\WINDOWS\system32\drivers\SWUSBFLT.SYS (Microsoft Corporation)
DRV - (HIDSwvd) -- C:\WINDOWS\system32\drivers\HIDSwvd.sys (Microsoft Corporation)
DRV - (GcKernel) -- C:\WINDOWS\system32\drivers\gckernel.sys (Microsoft Corporation)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "about:blank"

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Components: C:\Arquivos de programas\Mozilla Firefox\components [2008/09/20 19:08:26 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.0.1\extensions\\Plugins: C:\Arquivos de programas\Mozilla Firefox\plugins [2009/10/16 09:09:55 | 000,000,000 | ---D | M]

[2008/09/20 19:08:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Mozilla\Extensions
[2009/09/27 01:23:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Mozilla\Firefox\Profiles\lzgqebef.default\extensions
[2009/04/12 06:41:37 | 000,000,000 | ---D | M] -- C:\Arquivos de programas\Mozilla Firefox\extensions
[2009/05/19 15:30:28 | 000,239,432 | ---- | M] (Pando Networks) -- C:\Arquivos de programas\Mozilla Firefox\plugins\npPandoWebInst.dll

O1 HOSTS File: ([2010/03/30 20:43:05 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Arquivos de programas\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre6\bin\npjpi160_13.dll (Sun Microsystems, Inc.)
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Arquivos de programas\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000001 [] - C:\WINDOWS\system32\nwprovau.dll (Microsoft Corporation)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {0DB074F0-617E-4EE9-912C-2965CF2AA5A4} http://download.microsoft.com/download/3/B/E/3BE57995-8452-41F1-8297-DD75EF049853/VirtualEarth3D.cab (Reg Error: Key error.)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O16 - DPF: {315B0BFB-2BD4-481B-80A3-A9B80727C61B} Reg Error: Value error. (WebIQ Engine Application Object)
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab (Reg Error: Key error.)
O16 - DPF: {444785F1-DE89-4295-863A-D46C3A781394} http://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab (Reg Error: Key error.)
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.5.0.cab (DLM Control)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1235270134703 (WUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab (ZPA_SHVL Object)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} http://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab (MSN Games - Installer)
O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab (Java Plug-in 1.6.0_13)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Arquivos de programas\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop Components:0 (Minha página inicial atual) - About:Home
O28 - HKLM ShellExecuteHooks: {56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Arquivos de programas\Windows Desktop Search\MsnlNamespaceMgr.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004/08/04 16:42:04 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2009/08/19 14:08:17 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/03/30 22:37:41 | 000,555,520 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Xgamer\Desktop\OTL.exe
[2010/03/30 22:29:00 | 000,000,000 | ---D | C] -- C:\_OTM
[2010/03/30 22:28:01 | 000,510,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Xgamer\Desktop\OTM.exe
[2010/03/30 22:27:48 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/03/30 20:28:17 | 000,000,000 | ---D | C] -- C:\ComboFix
[2010/03/29 22:25:00 | 000,044,416 | R--- | C] (JMicron Technology Corp.) -- C:\WINDOWS\System32\drivers\JRAID_2.sys
[2010/03/29 22:24:25 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/03/29 22:24:25 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/03/29 22:24:25 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/03/29 22:24:25 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/03/29 22:23:37 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/03/29 22:19:16 | 000,050,688 | ---- | C] (Atribune.org) -- C:\Documents and Settings\Xgamer\Desktop\ATF-Cleaner.exe
[2010/03/26 18:48:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Xgamer\Desktop\latesttext
[2010/03/22 13:43:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Xgamer\Meus documentos\Penumbra Overture
[2010/03/20 08:35:26 | 000,000,000 | ---D | C] -- C:\Arquivos de programas\Microsoft Hardware
[2010/03/11 06:18:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Xgamer\Configurações locais\Dados de aplicativos\Iron_Spine_Productions
[2010/03/10 03:20:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dados de aplicativos\InstallShield
[2010/01/17 10:00:00 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Google
[2010/01/17 09:55:53 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Google
[2010/01/05 21:17:21 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\NVIDIA Corporation
[2009/11/05 16:25:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Adobe
[2009/02/22 00:00:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\Microsoft
[2008/08/24 17:59:46 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Dados de aplicativos\Microsoft
[2007/10/23 22:45:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Configurações locais\Dados de aplicativos\Microsoft
[2004/08/04 16:42:02 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Dados de aplicativos\Microsoft
[1 C:\Documents and Settings\Xgamer\Desktop\*.tmp files -> C:\Documents and Settings\Xgamer\Desktop\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/30 22:42:03 | 000,804,864 | ---- | M] () -- C:\WINDOWS\System32\drivers\rfmwzub.sys
[2010/03/30 22:35:16 | 000,555,520 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Xgamer\Desktop\OTL.exe
[2010/03/30 22:33:01 | 018,874,368 | -H-- | M] () -- C:\Documents and Settings\Xgamer\NTUSER.DAT
[2010/03/30 22:31:28 | 000,235,289 | ---- | M] () -- C:\WINDOWS\System32\NvApps.xml
[2010/03/30 22:31:27 | 000,003,201 | -HS- | M] () -- C:\WINDOWS\System32\mmf.sys
[2010/03/30 22:31:27 | 000,001,044 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/30 22:31:25 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/03/30 22:31:18 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/03/30 22:30:14 | 000,000,330 | -HS- | M] () -- C:\Documents and Settings\Xgamer\ntuser.ini
[2010/03/30 22:10:05 | 000,001,048 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/30 22:07:46 | 000,510,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Xgamer\Desktop\OTM.exe
[2010/03/30 20:43:23 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/03/30 20:43:05 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/03/30 20:26:14 | 003,906,159 | R--- | M] () -- C:\Documents and Settings\Xgamer\Desktop\ComboFix.exe
[2010/03/30 14:30:35 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Xgamer\defogger_reenable
[2010/03/30 14:26:06 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Xgamer\Desktop\zc44s4k4.exe
[2010/03/30 14:20:22 | 000,050,477 | ---- | M] () -- C:\Documents and Settings\Xgamer\Desktop\Defogger.exe
[2010/03/29 22:11:02 | 000,050,688 | ---- | M] (Atribune.org) -- C:\Documents and Settings\Xgamer\Desktop\ATF-Cleaner.exe
[2010/03/29 14:07:06 | 000,002,241 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Steam.lnk
[2010/03/28 19:43:26 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/03/25 18:41:30 | 001,094,098 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/03/25 18:41:30 | 000,479,704 | ---- | M] () -- C:\WINDOWS\System32\perfh016.dat
[2010/03/25 18:41:30 | 000,443,724 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/03/25 18:41:30 | 000,083,888 | ---- | M] () -- C:\WINDOWS\System32\perfc016.dat
[2010/03/25 18:41:30 | 000,071,982 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/03/20 09:10:56 | 000,073,128 | ---- | M] () -- C:\Documents and Settings\Xgamer\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT
[2010/03/20 08:43:31 | 000,283,720 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/03/20 08:33:45 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2010/03/20 08:33:45 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2010/03/16 11:47:20 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt19.sqm
[2010/03/16 11:47:20 | 000,000,232 | -H-- | M] () -- C:\sqmdata19.sqm
[2010/03/12 18:02:38 | 000,261,632 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2010/03/11 20:19:55 | 000,035,328 | ---- | M] () -- C:\Documents and Settings\Xgamer\Meus documentos\BolsaNota.doc
[2010/03/10 20:11:42 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt18.sqm
[2010/03/10 20:11:42 | 000,000,232 | -H-- | M] () -- C:\sqmdata18.sqm
[2010/03/10 05:28:42 | 002,648,370 | -H-- | M] () -- C:\Documents and Settings\Xgamer\Configurações locais\Dados de aplicativos\IconCache.db
[2010/03/10 03:18:06 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt17.sqm
[2010/03/10 03:18:06 | 000,000,232 | -H-- | M] () -- C:\sqmdata17.sqm
[2010/03/09 06:35:28 | 000,004,892 | ---- | M] () -- C:\Documents and Settings\Xgamer\Meus documentos\plain.pdf
[2010/03/08 00:06:59 | 000,000,232 | -H-- | M] () -- C:\sqmdata16.sqm
[2010/03/08 00:06:58 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt16.sqm
[2010/03/04 20:12:12 | 000,000,202 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/03/01 21:03:18 | 000,094,720 | ---- | M] () -- C:\Documents and Settings\Xgamer\Configurações locais\Dados de aplicativos\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/02/28 23:22:10 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt15.sqm
[2010/02/28 23:22:10 | 000,000,232 | -H-- | M] () -- C:\sqmdata15.sqm
[1 C:\Documents and Settings\Xgamer\Desktop\*.tmp files -> C:\Documents and Settings\Xgamer\Desktop\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/30 14:30:35 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Xgamer\defogger_reenable
[2010/03/30 14:29:45 | 000,293,376 | ---- | C] () -- C:\Documents and Settings\Xgamer\Desktop\zc44s4k4.exe
[2010/03/30 14:29:45 | 000,050,477 | ---- | C] () -- C:\Documents and Settings\Xgamer\Desktop\Defogger.exe
[2010/03/29 22:24:25 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/03/29 22:24:25 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/03/29 22:24:25 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/03/29 22:24:25 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/03/29 22:24:25 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/03/29 22:19:16 | 003,906,159 | R--- | C] () -- C:\Documents and Settings\Xgamer\Desktop\ComboFix.exe
[2010/03/25 17:41:09 | 000,804,864 | ---- | C] () -- C:\WINDOWS\System32\drivers\rfmwzub.sys
[2010/03/25 17:40:48 | 000,000,008 | ---- | C] () -- C:\Documents and Settings\NetworkService\Dados de aplicativos\jasltw.dat
[2010/03/09 06:35:28 | 000,004,892 | ---- | C] () -- C:\Documents and Settings\Xgamer\Meus documentos\plain.pdf
[2010/03/08 21:30:29 | 000,035,328 | ---- | C] () -- C:\Documents and Settings\Xgamer\Meus documentos\BolsaNota.doc
[2010/01/17 11:54:27 | 000,000,139 | ---- | C] () -- C:\Documents and Settings\Xgamer\Configurações locais\Dados de aplicativos\fusioncache.dat
[2009/10/02 21:43:19 | 000,281,760 | ---- | C] () -- C:\WINDOWS\System32\drivers\atksgt.sys
[2009/10/02 21:43:18 | 000,025,888 | ---- | C] () -- C:\WINDOWS\System32\drivers\lirsgt.sys
[2009/08/18 12:37:48 | 000,019,915 | ---- | C] () -- C:\Documents and Settings\All Users\Dados de aplicativos\sewyribuxa._sy
[2009/08/18 12:37:48 | 000,018,898 | ---- | C] () -- C:\Arquivos de programas\Arquivos comuns\anatut.dat
[2009/08/18 12:37:48 | 000,018,011 | ---- | C] () -- C:\Arquivos de programas\Arquivos comuns\rezino._dl
[2009/08/18 12:37:48 | 000,017,542 | ---- | C] () -- C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\dyzabemis.exe
[2009/08/18 12:37:48 | 000,016,443 | ---- | C] () -- C:\WINDOWS\hewuzoviny.sys
[2009/08/18 12:37:48 | 000,014,633 | ---- | C] () -- C:\Documents and Settings\All Users\Dados de aplicativos\ajorocyjo.dll
[2009/08/18 12:37:48 | 000,012,224 | ---- | C] () -- C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\kaqogaredi.exe
[2009/08/18 10:34:02 | 000,002,156 | ---- | C] () -- C:\Arquivos de programas\rrcdcsoh.txt
[2009/08/10 06:55:19 | 000,921,600 | ---- | C] () -- C:\WINDOWS\System32\vorbisenc.dll
[2009/08/10 06:55:19 | 000,237,568 | ---- | C] () -- C:\WINDOWS\System32\OggDS.dll
[2009/08/10 06:55:19 | 000,188,416 | ---- | C] () -- C:\WINDOWS\System32\vorbis.dll
[2009/08/10 06:55:19 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\ogg.dll
[2009/06/10 07:29:34 | 001,724,416 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2009/06/10 07:29:34 | 001,101,824 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2009/06/10 07:29:34 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2009/06/10 07:29:32 | 001,507,328 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2009/06/01 22:11:39 | 000,000,029 | ---- | C] () -- C:\WINDOWS\System32\WINCNMDB.DLL
[2009/04/23 12:59:03 | 000,138,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\pnkbstrk.sys
[2009/04/22 00:19:06 | 000,172,173 | ---- | C] () -- C:\WINDOWS\System32\xlive.dll.cat
[2009/04/03 03:00:54 | 000,396,176 | ---- | C] () -- C:\Documents and Settings\LocalService\Configurações locais\Dados de aplicativos\FontCache3.0.0.0.dat
[2009/02/01 15:57:52 | 000,000,270 | ---- | C] () -- C:\WINDOWS\{789289CA-F73A-4A16-A331-54D498CE069F}_WiseFW.ini
[2009/01/25 00:22:27 | 000,000,993 | ---- | C] () -- C:\WINDOWS\STBC.ini
[2008/10/07 09:13:30 | 000,197,912 | ---- | C] () -- C:\WINDOWS\System32\physxcudart_20.dll
[2008/10/07 09:13:22 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelTraditionalChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSwedish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSpanish.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelSimplifiedChinese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelPortugese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelKorean.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelJapanese.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelGerman.dll
[2008/10/07 09:13:20 | 000,058,648 | ---- | C] () -- C:\WINDOWS\System32\AgCPanelFrench.dll
[2008/07/28 17:12:47 | 000,000,604 | ---- | C] () -- C:\WINDOWS\Vtw.INI
[2008/05/26 23:02:50 | 000,016,478 | ---- | C] () -- C:\WINDOWS\System32\gthrctr.ini
[2008/05/26 23:02:48 | 000,022,300 | ---- | C] () -- C:\WINDOWS\System32\idxcntrs.ini
[2008/05/26 23:02:46 | 000,015,796 | ---- | C] () -- C:\WINDOWS\System32\gsrvctr.ini
[2008/05/14 18:27:42 | 000,000,000 | ---- | C] () -- C:\WINDOWS\DVEdit.INI
[2008/05/14 18:17:46 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\IcdSptSvps.dll
[2008/05/14 18:17:45 | 000,081,920 | ---- | C] () -- C:\WINDOWS\System32\dsp_trc.dll
[2008/03/30 09:27:59 | 000,000,051 | ---- | C] () -- C:\WINDOWS\System32\adptrmyhelp.dll
[2008/03/30 07:43:50 | 001,970,176 | ---- | C] () -- C:\WINDOWS\System32\d3dx9.dll
[2007/12/26 06:52:25 | 000,048,640 | ---- | C] () -- C:\WINDOWS\mmfs.dll
[2007/12/26 06:52:25 | 000,003,201 | -HS- | C] () -- C:\WINDOWS\System32\mmf.sys
[2007/12/11 15:28:34 | 000,000,015 | ---- | C] () -- C:\WINDOWS\System32\Ve_pm.dll
[2007/12/11 15:28:34 | 000,000,007 | ---- | C] () -- C:\WINDOWS\System32\Voicech.dll
[2007/10/28 14:10:24 | 000,000,202 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2007/10/23 19:57:26 | 000,024,576 | ---- | C] () -- C:\WINDOWS\System32\AsIO.dll
[2007/10/23 19:57:26 | 000,012,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsIO.sys
[2007/10/23 19:57:24 | 000,012,096 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp64.sys
[2007/10/23 19:57:24 | 000,010,304 | ---- | C] () -- C:\WINDOWS\System32\drivers\AsInsHelp32.sys
[2007/08/31 17:13:21 | 000,094,720 | ---- | C] () -- C:\Documents and Settings\Xgamer\Configurações locais\Dados de aplicativos\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2006/03/18 10:16:04 | 000,540,178 | ---- | C] () -- C:\WINDOWS\System32\x264vfw.dll
[2005/09/05 19:33:18 | 000,340,480 | ---- | C] () -- C:\WINDOWS\System32\esftchk2.dll
[2004/08/08 23:33:47 | 000,200,704 | ---- | C] () -- C:\WINDOWS\System32\teulKit.dll
[2004/08/04 19:03:31 | 000,000,421 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2004/08/04 18:00:36 | 000,034,588 | ---- | C] () -- C:\WINDOWS\Ascd_log.ini
[2004/08/04 18:00:16 | 000,034,108 | ---- | C] () -- C:\WINDOWS\Ascd_tmp.ini
[2004/08/04 18:00:14 | 000,005,810 | R--- | C] () -- C:\WINDOWS\System32\drivers\ASACPI.sys
[2004/08/04 18:00:01 | 000,010,288 | ---- | C] () -- C:\WINDOWS\System32\drivers\ASUSHWIO.SYS
[2003/07/14 20:57:20 | 000,031,744 | ---- | C] () -- C:\WINDOWS\System32\flt1chk2.dll
[2003/04/07 08:30:02 | 000,005,383 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[1997/09/17 22:00:12 | 000,010,240 | ---- | C] () -- C:\WINDOWS\System32\vidx16.dll

========== LOP Check ==========

[2009/08/01 20:02:17 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\America's Army Deploy Client
[2007/08/25 09:36:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\Azureus
[2009/11/06 08:50:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\BioWare
[2009/10/06 15:50:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\F4
[2008/05/05 22:17:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\Fugazo
[2009/11/04 10:28:27 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\Paradox Interactive
[2009/12/20 15:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\Stardock
[2009/10/02 21:43:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\Tages
[2009/08/03 03:37:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
[2004/08/04 18:34:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\WinZip
[2009/11/04 09:48:38 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Dados de aplicativos\{01B2A782-E701-40FC-9116-9D32EDF4F724}
[2009/08/03 02:58:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Atari
[2009/10/11 07:21:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\avidemux
[2010/02/04 11:13:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Azureus
[2009/09/25 18:24:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Clonk
[2009/09/26 22:04:11 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Clonk Rage
[2009/05/18 05:15:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Dropbox
[2009/08/10 09:34:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\F4
[2009/05/19 01:15:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\GamesCafe
[2009/04/03 03:36:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\GetRightToGo
[2010/02/02 03:04:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Grand Ages Rome Demo
[2007/10/03 15:28:47 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Leadertech
[2008/06/17 13:14:51 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\LEGO Company
[2008/07/25 22:39:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Mount&Blade
[2010/01/17 11:54:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Navigraph
[2009/12/05 20:14:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\NBSoftSolutions
[2009/11/04 09:49:19 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Stardock
[2009/08/06 04:53:31 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Stellarium
[2009/07/07 05:14:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\The Creative Assembly
[2010/02/23 22:29:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Tropico 3
[2010/01/14 13:47:40 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Unity
[2008/10/07 17:36:14 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\ValuSoft
[2009/02/22 00:22:13 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Windows Desktop Search
[2009/02/22 00:39:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\Windows Search
[2009/05/25 20:44:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\WinPatrol
[2009/01/10 16:08:46 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Xgamer\Dados de aplicativos\World-LooM

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 00:55:42 | 018,785,713 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/08/20 12:14:24 | 023,893,088 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/08/20 12:14:24 | 023,893,088 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 15:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 15:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 15:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2004/08/04 00:55:42 | 018,785,713 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/08/20 12:14:24 | 023,893,088 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/08/20 12:14:24 | 023,893,088 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 15:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 15:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 15:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\dllcache\atapi.sys
[2008/04/13 15:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 23:20:26 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=A8CDC8DECE4735B86BBEF28460996C30 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 23:20:26 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=A8CDC8DECE4735B86BBEF28460996C30 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 23:20:26 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=A8CDC8DECE4735B86BBEF28460996C30 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 00:45:22 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=BD18C87A4E1EA136C44D374296B981DC -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 23:20:34 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=49897D67B04E62F8E59EB8B1C7DF7072 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 23:20:34 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=49897D67B04E62F8E59EB8B1C7DF7072 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 23:20:34 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=49897D67B04E62F8E59EB8B1C7DF7072 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 00:45:26 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=82777C1BE8E9F0B1574DAC5BC29C7D6F -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2008/04/13 23:20:40 | 000,184,832 | ---- | M] (Microsoft Corporation) MD5=879E802EF4EF2405014B170EA41E552B -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 23:20:40 | 000,184,832 | ---- | M] (Microsoft Corporation) MD5=879E802EF4EF2405014B170EA41E552B -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 23:20:40 | 000,184,832 | ---- | M] (Microsoft Corporation) MD5=879E802EF4EF2405014B170EA41E552B -- C:\WINDOWS\system32\scecli.dll
[2004/08/04 00:45:26 | 000,183,808 | ---- | M] (Microsoft Corporation) MD5=E95230A31F912E07B19F8335D4DFF110 -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >
[2010/03/30 22:51:01 | 000,804,864 | ---- | M] () Unable to obtain MD5 -- C:\WINDOWS\system32\drivers\rfmwzub.sys

< %systemroot%\System32\config\*.sav >
[2009/08/19 14:12:42 | 003,502,080 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2009/08/18 14:30:39 | 000,049,152 | ---- | M] () -- C:\WINDOWS\system32\config\security.sav
[2009/08/19 14:12:42 | 037,486,592 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2009/08/19 14:12:42 | 009,699,328 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Files - Unicode (All) ==========
[2008/11/07 04:16:24 | 000,024,576 | ---- | M] ()(C:\Documents and Settings\Xgamer\Meus documentos\É nisso o que dá apostar na ??????at?a americana.doc) -- C:\Documents and Settings\Xgamer\Meus documentos\É nisso o que dá apostar na ὀχλοκρατία americana.doc
[2008/11/07 04:15:25 | 000,024,576 | ---- | C] ()(C:\Documents and Settings\Xgamer\Meus documentos\É nisso o que dá apostar na ??????at?a americana.doc) -- C:\Documents and Settings\Xgamer\Meus documentos\É nisso o que dá apostar na ὀχλοκρατία americana.doc

========== Alternate Data Streams ==========

@Alternate Data Stream - 128 bytes -> C:\Documents and Settings\All Users\Dados de aplicativos\TEMP:2E04D4FF
@Alternate Data Stream - 116 bytes -> C:\Documents and Settings\All Users\Dados de aplicativos\TEMP:436DEE1E
@Alternate Data Stream - 112 bytes -> C:\Documents and Settings\All Users\Dados de aplicativos\TEMP:B606BA34
@Alternate Data Stream - 108 bytes -> C:\Documents and Settings\All Users\Dados de aplicativos\TEMP:12EA4DC9
< End of report >

Orwell1984
2010-03-31, 05:21
Extras:

OTL Extras logfile created on: 30/3/2010 22:40:35 - Run 1
OTL by OldTimer - Version 3.1.37.3 Folder = C:\Documents and Settings\Xgamer\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy

3,00 Gb Total Physical Memory | 3,00 Gb Available Physical Memory | 87,00% Memory free
5,00 Gb Paging File | 5,00 Gb Available in Paging File | 94,00% Paging File free
Paging file location(s): c:\pagefile.sys 2046 2046 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 298,08 Gb Total Space | 63,63 Gb Free Space | 21,35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: QUAD-XGAMER
Current User Name: Xgamer
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Arquivos de programas\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"59007:TCP" = 59007:TCP:*:Enabled:Pando P2P TCP Listening Port
"59007:UDP" = 59007:UDP:*:Enabled:Pando P2P UDP Listening Port

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Arquivos de programas\MSN Messenger\livecall.exe" = C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\fsx.exe" = C:\Program Files\Microsoft Games\Microsoft Flight Simulator X\fsx.exe:*:Enabled:Microsoft Flight Simulator® -- (Microsoft Corp.)
"C:\Arquivos de programas\FSFDT\FWInn\FWINN.exe" = C:\Arquivos de programas\FSFDT\FWInn\FWINN.exe:*:Enabled:FSInn Application -- ()
"C:\Arquivos de programas\FSFDT\Control Panel\FSFDTCP.exe" = C:\Arquivos de programas\FSFDT\Control Panel\FSFDTCP.exe:*:Enabled:FSFDT Control Panel -- (FS - French Dev Team)
"C:\Program Files\Atari\Deer Hunter 2005\DH2005.exe" = C:\Program Files\Atari\Deer Hunter 2005\DH2005.exe:*:Enabled:DH2005 -- ()
"C:\Arquivos de programas\Electronic Arts\EADM\Core.exe" = C:\Arquivos de programas\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager -- (Electronic Arts)
"C:\Arquivos de programas\GameSpy Arcade\Aphex.exe" = C:\Arquivos de programas\GameSpy Arcade\Aphex.exe:*:Enabled:GameSpy Arcade -- (IGN Entertainment, Inc.)
"C:\Arquivos de programas\Steam\steamapps\common\dangerous waters\dangerouswaters.exe" = C:\Arquivos de programas\Steam\steamapps\common\dangerous waters\dangerouswaters.exe:*:Enabled:S.C.S. - Dangerous Waters -- (Sonalysts Inc)
"C:\WINDOWS\system32\dpnsvr.exe" = C:\WINDOWS\system32\dpnsvr.exe:*:Enabled:Microsoft DirectPlay8 -- (Microsoft Corporation)
"C:\WINDOWS\system32\dpvsetup.exe" = C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test -- (Microsoft Corporation)
"C:\Program Files\Activision\Bridge Commander\stbc.exe" = C:\Program Files\Activision\Bridge Commander\stbc.exe:*:Enabled:stbc -- ()
"C:\Arquivos de programas\Ventrilo\Ventrilo.exe" = C:\Arquivos de programas\Ventrilo\Ventrilo.exe:*:Enabled:Ventrilo.exe -- ()
"C:\Arquivos de programas\Steam\steamapps\common\dangerous waters\Steamrun.exe" = C:\Arquivos de programas\Steam\steamapps\common\dangerous waters\Steamrun.exe:*:Enabled:Dangerous Waters -- (Sonalysts, Inc.)
"C:\Arquivos de programas\Steam\steamapps\common\fallout 3\Fallout3.exe" = C:\Arquivos de programas\Steam\steamapps\common\fallout 3\Fallout3.exe:*:Enabled:Fallout3 -- (Bethesda Softworks)
"C:\Arquivos de programas\Steam\Steam.exe" = C:\Arquivos de programas\Steam\Steam.exe:*:Enabled:Steam -- (Valve Corporation)
"C:\Arquivos de programas\MSN Messenger\livecall.exe" = C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- (Microsoft Corporation)
"C:\Program Files\CRS\Battleground Europe\WW2.exe" = C:\Program Files\CRS\Battleground Europe\WW2.exe:*:Enabled:Practice Offline -- ()
"C:\Program Files\CRS\Battleground Europe\WW2_sse2.exe" = C:\Program Files\CRS\Battleground Europe\WW2_sse2.exe:*:Enabled:WW2_sse2.exe -- (Playnet, Inc.)
"C:\Program Files\CRS\Battleground Europe\playgate_120.exe" = C:\Program Files\CRS\Battleground Europe\playgate_120.exe:*:Enabled:playgate_120.exe -- ()
"C:\Arquivos de programas\Java\jre6\bin\java.exe" = C:\Arquivos de programas\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary -- (Sun Microsystems, Inc.)
"C:\Arquivos de programas\Pando Networks\Pando\pando.exe" = C:\Arquivos de programas\Pando Networks\Pando\pando.exe:*:Enabled:Pando Application -- (Pando Networks)
"C:\Arquivos de programas\Vuze\Azureus.exe" = C:\Arquivos de programas\Vuze\Azureus.exe:*:Enabled:Azureus -- (Vuze Inc.)
"C:\Program Files\Paradox Interactive\Hearts of Iron III\hoi3game.exe" = C:\Program Files\Paradox Interactive\Hearts of Iron III\hoi3game.exe:*:Enabled:hoi3game -- ()
"C:\Arquivos de programas\Steam\steamapps\common\fallout 3\FalloutLauncher.exe" = C:\Arquivos de programas\Steam\steamapps\common\fallout 3\FalloutLauncher.exe:*:Enabled:Fallout 3 -- (Bethesda Softworks)
"C:\Arquivos de programas\Empire of Sports\ClientUpdater.exe" = C:\Arquivos de programas\Empire of Sports\ClientUpdater.exe:*:Enabled:F4 Game Client Updater -- (F4)
"C:\Arquivos de programas\Empire of Sports\NetworkDiagnostic.exe" = C:\Arquivos de programas\Empire of Sports\NetworkDiagnostic.exe:*:Enabled:Empire of Sports Network Diagnostic -- ()
"C:\Arquivos de programas\Empire of Sports\EmpireOfSports.exe" = C:\Arquivos de programas\Empire of Sports\EmpireOfSports.exe:*:Enabled:Empire of Sports -- (Empire of Sports Developments Ltd)
"C:\Arquivos de programas\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe" = C:\Arquivos de programas\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe:*:Enabled:Dragon Age Origins Updater -- (BioWare)
"C:\Program Files\Cyanide\Blood Bowl\BB.exe" = C:\Program Files\Cyanide\Blood Bowl\BB.exe:*:Enabled:Blood Bowl -- (Cyanide)
"C:\Arquivos de programas\Steam\steamapps\common\mass effect\Binaries\MassEffect.exe" = C:\Arquivos de programas\Steam\steamapps\common\mass effect\Binaries\MassEffect.exe:*:Enabled:Mass Effect -- (BioWare)
"C:\Arquivos de programas\FSFDT\FSInn UI\FSInnUI.exe" = C:\Arquivos de programas\FSFDT\FSInn UI\FSInnUI.exe:*:Enabled:FSInn UI -- (.)
"C:\Arquivos de programas\FSFDT\FSInn UI VVL\FSInnUIVVL.exe" = C:\Arquivos de programas\FSFDT\FSInn UI VVL\FSInnUIVVL.exe:*:Enabled:FSInn UI VVL -- (FS - French Dev Team)
"C:\Arquivos de programas\Steam\steamapps\common\empire total war\Empire.exe" = C:\Arquivos de programas\Steam\steamapps\common\empire total war\Empire.exe:*:Enabled:Empire: Total War -- (The Creative Assembly Ltd)
"C:\Arquivos de programas\Steam\steamapps\common\tropico 3\tropico3.exe" = C:\Arquivos de programas\Steam\steamapps\common\tropico 3\tropico3.exe:*:Enabled:Tropico 3: Steam Special Edition -- (Haemimont Games)
"C:\Arquivos de programas\Steam\steamapps\common\mass effect 2\Binaries\MassEffect2.exe" = C:\Arquivos de programas\Steam\steamapps\common\mass effect 2\Binaries\MassEffect2.exe:*:Enabled:Mass Effect 2 -- (BioWare)
"C:\Arquivos de programas\Steam\steamapps\common\mass effect 2\MassEffect2Launcher.exe" = C:\Arquivos de programas\Steam\steamapps\common\mass effect 2\MassEffect2Launcher.exe:*:Enabled:Mass Effect 2 -- (BioWare)
"C:\Arquivos de programas\Steam\steamapps\common\railworks\RailWorks.exe" = C:\Arquivos de programas\Steam\steamapps\common\railworks\RailWorks.exe:*:Enabled:RailWorks -- (RailSimulator.com)
"C:\Arquivos de programas\Steam\steamapps\common\left 4 dead\left4dead.exe" = C:\Arquivos de programas\Steam\steamapps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead -- ()
"C:\Arquivos de programas\Steam\steamapps\common\left 4 dead 2\left4dead2.exe" = C:\Arquivos de programas\Steam\steamapps\common\left 4 dead 2\left4dead2.exe:*:Enabled:Left 4 Dead 2 -- ()
"C:\Documents and Settings\Xgamer\Configurações locais\Dados de aplicativos\F4\ClientUpdater\ClientUpdater.exe" = C:\Documents and Settings\Xgamer\Configurações locais\Dados de aplicativos\F4\ClientUpdater\ClientUpdater.exe:*:Enabled:F4 Game Client Updater -- (F4)
"C:\Arquivos de programas\Steam\steamapps\common\dragon age origins\bin_ship\DAOrigins.exe" = C:\Arquivos de programas\Steam\steamapps\common\dragon age origins\bin_ship\DAOrigins.exe:*:Enabled:Dragon Age: Origins -- (BioWare)
"C:\Arquivos de programas\Steam\steamapps\common\dragon age origins\DAOriginsLauncher.exe" = C:\Arquivos de programas\Steam\steamapps\common\dragon age origins\DAOriginsLauncher.exe:*:Enabled:Dragon Age: Origins -- (BioWare)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"[[FSX]] Carenado MegaPack" = [[FSX]] Carenado MegaPack
"[[FSX]] RealAir - Scout Package 2007" = [[FSX]] RealAir - Scout Package 2007
"{01339AE5-04D4-43F8-008E-13AD788DC4F7}" = SimCity 4 Rush Hour
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{05B49229-22A2-4F88-842A-BBC2EBE1CCF6}" = Microsoft Games for Windows - LIVE Redistributable
"{0CBADDF4-2CF6-4CDB-B4F5-29B8FCA7FE07}" = Microsoft .NET Framework 1.1 Brazilian Portuguese Language Pack
"{1438B41C-658C-35B7-9253-780F2E0A0B8E}" = Microsoft .NET Framework 3.5 Language Pack SP1 - ptb
"{1C5E2C25-5095-4160-9CAC-DD731863EEFE}" = PMDGMD11XF_PW_5XF
"{1DED5EFD-410A-48DB-909A-2B2022BB50D2}" = Nethergate
"{26A24AE4-039D-4CA4-87B4-2F83216013FF}" = Java(TM) 6 Update 13
"{2D87E961-577B-492B-AD54-1368680FB9A7}" = Virtual Earth 3D (Beta)
"{2EAF7E61-068E-11DF-953C-005056806466}" = Google Earth
"{304A07DC-4B92-49C6-BC06-DDB8044E91C1}" = Navigraph nDAC 3
"{350C9416-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{37FD253D-5064-4034-8CEC-CC3995F823A4}" = Windows Live Messenger
"{3898934B-05AE-41CD-96BE-70DA9BFBCE1F}" = Microsoft XNA Framework Redistributable 3.0
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMB36X Raid Configurer
"{3A8DED06-80E7-4555-AA1F-FF4A2A4D353C}" = Aerosoft's - DHC-6 Twin Otter X
"{3F31F3B5-C1FF-3708-8611-869DE39C0CB6}" = Microsoft .NET Framework 2.0 Service Pack 2 Language Pack - PTB
"{43602F34-1AA3-44FB-AEB2-D08C2C73743F}" = Paint.NET v3.36
"{44CE6902-84EA-11D6-887E-00609721D519}" = Voice Editing
"{4922C9E7-CD91-496A-A73B-0FDF9D54B44F}" = SAPI5_English
"{4D243BA7-9AC4-46D1-90E5-EEB88974F501}" = Microsoft Games for Windows - LIVE
"{5004A142-87B7-4CD5-AF7B-C1E536407762}" = RealSpeak_Solo_French_for_Panasonic
"{50B631C6-6E91-4D7B-A4E0-81E7FA8D5B3D}" = SAPI5_Common
"{50CB5066-3109-4FC5-B491-C1B82671B909}" = RealSpeak_Solo_Spanish_for_Panasonic
"{68E7B6EF-A939-48E5-80BB-1E8F04E8957E}" = RealSpeak_Solo_German_for_Panasonic
"{69A83D99-D41B-4396-BCC4-3DCB77DFFED0}" = WebIQ Technology Engine
"{6CCC133E-9A2F-4CAA-8866-75D029CD3AB3}" = Digital Voice Editor 3
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"{7A65E382-1843-4B46-861B-1BECB8354911}" = Falcon 4.0: Allied Force
"{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{90110416-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edição 2003
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{93609D4E-7FF3-42D8-A6F1-BBABE9CB1FFC}" = theRestaurant v1.9.1
"{93676FC6-C7DB-45A6-A62B-74A324F17313}" = Windows Presentation Foundation Language Pack (PTB)
"{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A347C572-F7B4-43A3-BD51-FFC99184F70D}" = Jurassic Park Operation Genesis
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A654A805-41D9-40C7-AA46-4AF04F044D61}" = Adobe® Photoshop® Album Starter Edition 3.2
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration
"{AAE21ECF-17ED-4374-A066-89B3ECF42734}" = RealSpeak_Solo_Italian_for_Panasonic
"{AB480DA0-7EE9-465D-9C12-4CDE65BF18FB}" = Pando
"{ABB4DB59-0284-414D-9346-4992E1856E7F}" = PMDGMD11X_GE_AA
"{AC76BA86-7AD7-1046-7B44-A81000000003}" = Adobe Reader 8.1.0 - Português
"{B1FA73D8-AB79-3A2E-81AC-DBBAC155B2FE}" = Microsoft .NET Framework 3.0 Service Pack 2 Language Pack - PTB
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B547CB8D-549A-436E-97B5-E79F911B11E2}" = SDP Downloader
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7429839-9FAE-448E-8413-4888DCFE064F}" = Aerosoft's - Piper Cheyenne FSX
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C0DA8486-6C3A-4A38-AAC3-543A31F9F889}" = Translation_iTrans_for_Panasonic
"{C52BEBC0-4A0C-42FB-B7EC-FAD0A14DD64E}" = RealSpeak_Solo_Common_for_Panasonic
"{C5C1C0F0-D62F-4DBF-81D4-D7EF397C228B}" = NVIDIA PhysX
"{C950420B-4182-49EA-850A-A6A2ABF06C6B}" = Marvell Miniport Driver
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}" = WinZip 11.1
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CED6EAB9-9FFD-44B2-939A-D77905AD35F3}" = PMDG_MD11_FSX
"{D0106CC2-E34B-4FA3-B6B6-91F0ACEA2CC3}" = Hearts of Iron III
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{DA12E3FF-60E1-43E0-8E64-C43890A596AE}" = RealSpeak_Solo_English_for_Panasonic
"{EA450D5D-95EA-4FD0-B8B0-6D8E68FBE2C7}" = Impulse
"{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F407D6FB-D3AD-44CC-B77B-5B3F0FF1F22C}" = Microsoft .NET Framework 3.0 Brazilian Portuguese Language Pack
"{F7338FA3-DAB5-49B2-900D-0AFB5760C166}" = PC Probe II
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"421CGoldenEagle12" = Flight 1 Software Cessna 441 - Conquest II 1.0
"7-Zip" = 7-Zip 4.65
"8461-7759-5462-8226" = Vuze
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe® Photoshop® Album Starter Edition 3.2" = Adobe® Photoshop® Album Starter Edition 3.2
"ArtMoney SE_is1" = ArtMoney SE v7.30.3
"Audacity_is1" = Audacity 1.2.6
"avast!" = avast! Antivirus
"Avidemux 2.5" = Avidemux 2.5
"Battleground Europe: WWIIOL" = Battleground Europe: WWIIOL
"Battleground Europe: WWIIOL " = Battleground Europe: WWIIOL
"BloodBowl_is1" = Blood Bowl 1.1.3.3
"Bridge Commander" = Star Trek Bridge Commander
"Bus Driver" = Bus Driver 1.0
"CDex" = CDex extraction audio
"Cheat Engine 5.4_is1" = Cheat Engine 5.4
"Close Combat" = Microsoft Close Combat: A Bridge Too Far
"Covert Operations" = Covert Operations
"Deer Hunter 2005_is1" = Deer Hunter - The 2005 Season
"Dropbox" = Dropbox
"EoS-{5CCCD423-F673-4CD8-9464-9D950F49BBC3}" = Empire of Sports
"ERUNT_is1" = ERUNT 1.1j
"FeelThere ERJ v.2" = FeelThere ERJ v.2
"FlightSim_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Microsoft Flight Simulator X: Acceleration
"Fort Zombie" = Fort Zombie
"FSFDT FSCopilot" = FSFDT FSCopilot
"FSFDT FSInn" = FSFDT FSInn
"GamersGate Downloader_is1" = GamersGate Downloader
"GameSpy Arcade" = GameSpy Arcade
"GIMPshop" = GIMPshop 2.2.8
"Grob SPn --- rel. 3.00" = Grob SPn --- rel. 3.00
"Hard Time Trial" = Hard Time Trial
"HijackThis" = HijackThis 2.0.2
"ie8" = Windows Internet Explorer 8
"Impulse" = Impulse
"InstallShield_{79438F1E-DEC3-443D-9DCD-FECE2D68C605}" = IL-2 Sturmovik 1946
"InstallShield_{7C7F30F4-94E7-4AA8-8941-90C4A80C68BF}" = NVIDIA Performance
"InstallShield_{9527A496-5DF9-412A-ADC7-168BA5379CA6}" = Microsoft Flight Simulator X
"InstallShield_{A347C572-F7B4-43A3-BD51-FFC99184F70D}" = Jurassic Park Operation Genesis
"InstallShield_{EF7E931D-DC84-471B-8DB6-A83358095474}" = EA Download Manager
"IrfanView" = IrfanView (remove only)
"LucasArts' X-Wing Alliance" = LucasArts' X-Wing Alliance
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.0 Brazilian Portuguese Language Pack" = Pacote de Idiomas do Português (Brasil) para Microsoft .NET Framework 3.0
"Microsoft .NET Framework 3.5 Language Pack SP1 - ptb" = Pacote de Idiomas do Microsoft .NET Framework 3.5 SP1 - PTB
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mount&Blade" = Mount&Blade
"Mozilla Firefox (3.0.1)" = Mozilla Firefox (3.0.1)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"Nero - Burning Rom!UninstallKey" = Nero 6 Ultra Edition
"Net Transport_is1" = Net Transport 1.87.258
"NVIDIA Drivers" = NVIDIA Drivers
"OpenAL" = OpenAL
"PA32R SARATOGA SP FSX" = PA32R SARATOGA SP FSX
"Piper_Warrior_2.0" = Piper Warrior 2.0
"Reach Trial" = Reach Trial
"Replay_AV_807" = Replay AV 8
"Restaurant Empire 2" = Restaurant Empire 2
"RTMshadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X
"SideWinder Force Feedback 2" = SideWinder Force Feedback 2
"SP1_9527A496-5DF9-412A-ADC7-168BA5379CA6" = Microsoft Flight Simulator X Service Pack 1
"SP1shadow_{A9729B90-D37B-4A69-B66A-7436AC1F7274}" = Flight Simulator X Service Pack 1
"SpaceShuttleMission2007_is1" = SpaceShuttleMission2007 PATCH v1.37
"ST6UNST #1" = Virtual E6-B 1.4
"Stardock Central" = Stardock Central
"Steam App 10500" = Empire: Total War
"Steam App 1600" = Dangerous Waters
"Steam App 17460" = Mass Effect
"Steam App 22300" = Fallout 3
"Steam App 23490" = Tropico 3: Steam Special Edition
"Steam App 24010" = RailWorks
"Steam App 24980" = Mass Effect 2
"Steam App 500" = Left 4 Dead
"Stellarium_is1" = Stellarium 0.10.2
"vasFMC_is1" = vasFMC 1.10
"VLC media player" = VideoLAN VLC media player 0.8.6c
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WMV9_VCM" = Microsoft Windows Media Video 9 VCM
"Wrestling MPire 2008 (Career Edition) Trial" = Wrestling MPire 2008 (Career Edition) Trial
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"035173a7f2a224dd" = vroute.info
"961737271c92f180" = GamersGate Downloader
"Bellanca Viking Collection Build 4.1" = Bellanca Viking Collection Build 4.1
"E-Jets Series (FSX)" = E-Jets Series (FSX)
"Junkers W Series for FSX" = Junkers W Series for FSX
"UnityWebPlayer" = Unity Web Player

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 13/2/2010 23:00:58 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\XGAMER\CONFIGURAçõES LOCAIS\TEMPORARY INTERNET FILES\CONTENT.IE5\KSASKTCU\SEMIN%E1RIO_BANNER[1].JPG
failed, 00000005.

Error - 2/3/2010 08:38:23 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
C:\DOCUMENTS AND SETTINGS\XGAMER\CONFIGURAçõES LOCAIS\TEMPORARY INTERNET FILES\CONTENT.IE5\TH457GEE\HEADBG[1].JPG
failed, 00000005.

Error - 25/3/2010 17:51:57 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 25/3/2010 19:11:22 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 26/3/2010 17:33:59 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 28/3/2010 18:52:13 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 29/3/2010 13:15:13 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 29/3/2010 21:48:36 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 30/3/2010 12:47:56 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

Error - 30/3/2010 19:51:22 | Computer Name = QUAD-XGAMER | Source = avast! | ID = 33554522
Description = Internal error has occurred in module basEncodeFileToSubmit failed!
, function 0000001F.

[ Application Events ]
Error - 30/3/2010 16:10:05 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

Error - 30/3/2010 17:10:05 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

Error - 30/3/2010 19:10:01 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 1
Description =

Error - 30/3/2010 19:25:49 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

Error - 30/3/2010 19:31:30 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

Error - 30/3/2010 19:40:19 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

Error - 30/3/2010 19:43:01 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

Error - 30/3/2010 19:50:25 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

Error - 30/3/2010 20:10:05 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

Error - 30/3/2010 21:10:05 | Computer Name = QUAD-XGAMER | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 30/3/2010 19:31:30 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço IC Recorder Driver devido ao seguinte
erro: %%1058

Error - 30/3/2010 19:31:53 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7034
Description = O serviço LicCtrl Service foi encerrado inesperadamente. Isso aconteceu
1 vez(es).

Error - 30/3/2010 19:43:06 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço IC Recorder Driver devido ao seguinte
erro: %%1058

Error - 30/3/2010 21:29:00 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7034
Description = O serviço NVIDIA Display Driver Service foi encerrado inesperadamente.
Isso aconteceu 1 vez(es).

Error - 30/3/2010 21:29:00 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7034
Description = O serviço LicCtrl Service foi encerrado inesperadamente. Isso aconteceu
1 vez(es).

Error - 30/3/2010 21:29:00 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7034
Description = O serviço Machine Debug Manager foi encerrado inesperadamente. Isso
aconteceu 1 vez(es).

Error - 30/3/2010 21:29:00 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7034
Description = O serviço PnkBstrA foi encerrado inesperadamente. Isso aconteceu
1 vez(es).

Error - 30/3/2010 21:29:00 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7034
Description = O serviço PnkBstrB foi encerrado inesperadamente. Isso aconteceu
1 vez(es).

Error - 30/3/2010 21:29:01 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7034
Description = O serviço Performance Service foi encerrado inesperadamente. Isso
aconteceu 1 vez(es).

Error - 30/3/2010 21:31:33 | Computer Name = QUAD-XGAMER | Source = Service Control Manager | ID = 7000
Description = Não foi possível iniciar o serviço IC Recorder Driver devido ao seguinte
erro: %%1058


< End of report >

ken545
2010-03-31, 11:55
Let's make sure these are gone.

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
c:\windows\system32\drivers\rfmwzub.sys

Driver::
rfmwzub

Registry::
[-HKEY_LOCAL_MACHINE\System\ControlSet004\Services\rfmwzub]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
Download GMER Rootkit Scanner from here (http://www.gmer.net/gmer.zip) or here (http://www.majorgeeks.com/download.php?det=5198).

Extract the contents of the zipped file to desktop.
Double-click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
If it gives you a warning about rootkit activity and asks if you want to run a scan... click on NO.

http://i266.photobucket.com/albums/ii277/sUBs_/th_Gmer_initScan.gif (http://i266.photobucket.com/albums/ii277/sUBs_/Gmer_initScan.gif)
Click the image to enlarge it

In the right panel, you will see several boxes that have been checked. Uncheck the following ...
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)

Then click the Scan button & wait for it to finish.
Once done, click on the [Save..] button, and in the File name area type in "Gmer.txt", or it will save as a .log file, which cannot be uploaded to your post.

Save it where you can easily find it, such as your desktop, and post it in your next reply.


**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

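Whether a CFScript actually took effect has to be read back from the ComboFix log it produces. The following is an added example, not part of this thread and not ComboFix's own code: it parses the CFScript format used above (File::, Driver::, Registry:: blocks) and the deletion sections ComboFix prints, and reports each target as confirmed or not. The sample script and log excerpt are constructed from this thread; the English section titles are an assumption for an English-locale machine.

```python
import re

# Constructed from the CFScript in the post above (not the original file).
CFSCRIPT = """File::
c:\\windows\\system32\\drivers\\rfmwzub.sys

Driver::
rfmwzub

Registry::
[-HKEY_LOCAL_MACHINE\\System\\ControlSet004\\Services\\rfmwzub]
"""

# Constructed excerpt laid out like the ComboFix log posted later in the thread.
COMBOFIX_LOG = """((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))
.

c:\\windows\\system32\\drivers\\rfmwzub.sys

.
((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))
.

-------\\Legacy_RFMWZUB
-------\\Service_rfmwzub
"""

# Section titles that list deletions. The Portuguese ones are from the thread;
# the English ones are assumed for an English-locale ComboFix.
DELETED_FILE_SECTIONS = ("outras exclusões", "other deletions")
DRIVER_SECTIONS = ("drivers/serviços", "drivers/services")

LOG_SECTION_RE = re.compile(r"^\({5,}\s*(.+?)\s*\){5,}$")
CF_SECTION_RE = re.compile(r"^(\w+)::$")
REG_SERVICE_RE = re.compile(r"^\[-.*\\services\\([^\\\]]+)\]$", re.IGNORECASE)


def _split_sections(text, header_re, key_fn=str):
    """Group non-empty lines under the most recent header; '.' separators dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = header_re.match(line)
        if m:
            current = key_fn(m.group(1))
            sections.setdefault(current, [])
        elif line and line != "." and current is not None:
            sections[current].append(line)
    return sections


def parse_cfscript(text):
    """{section: [entries]} for a CFScript with File::, Driver::, Registry:: blocks."""
    return _split_sections(text, CF_SECTION_RE)


def parse_combofix_log(text):
    """{lower-cased section title: [lines]} for a ComboFix log."""
    return _split_sections(text, LOG_SECTION_RE, str.lower)


def _lines_in(log, titles):
    return [ln.lower() for title in titles for ln in log.get(title, [])]


def verify_removal(cfscript_text, log_text):
    """Map each CFScript target to whether the ComboFix log confirms its removal."""
    script = parse_cfscript(cfscript_text)
    log = parse_combofix_log(log_text)
    deleted = _lines_in(log, DELETED_FILE_SECTIONS)
    drivers = _lines_in(log, DRIVER_SECTIONS)
    result = {"File": {}, "Driver": {}, "Registry": {}}
    for path in script.get("File", []):
        result["File"][path] = path.lower() in deleted
    for name in script.get("Driver", []):
        # A removed driver is reported as its Service_ entry and, when the
        # device-enumeration key existed, its Legacy_ entry.
        result["Driver"][name] = {
            "service": f"-------\\service_{name.lower()}" in drivers,
            "legacy": f"-------\\legacy_{name.lower()}" in drivers,
        }
    for key in script.get("Registry", []):
        # Only [-...\Services\<name>] deletions can be checked against the
        # log; the matching Service_<name> line is what confirms them.
        m = REG_SERVICE_RE.match(key)
        result["Registry"][key] = bool(
            m and f"-------\\service_{m.group(1).lower()}" in drivers)
    return result


def unconfirmed_targets(result):
    """Targets the log did not confirm, i.e. what still needs a second look."""
    missing = [p for p, ok in result["File"].items() if not ok]
    missing += [n for n, f in result["Driver"].items() if not f["service"]]
    missing += [k for k, ok in result["Registry"].items() if not ok]
    return missing
```

Anything left in unconfirmed_targets() is what a new HijackThis or GMER log should be checked against.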
Orwell1984
2010-04-01, 02:11
I did as you told me, and ComboFix ran without problems. Here's the log:

ComboFix 10-03-29.04 - Xgamer 31/03/2010 13:16:18.5.4 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.3199.2707 [GMT -3:00]
Executando de: c:\documents and settings\Xgamer\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Xgamer\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1368 [VPS 100209-0] *On-access scanning disabled* (Outdated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\system32\drivers\rfmwzub.sys"
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\rfmwzub.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_RFMWZUB
-------\Service_rfmwzub


(((((((((((((((( Arquivos/Ficheiros criados de 2010-02-28 to 2010-03-31 ))))))))))))))))))))))))))))
.

2010-03-31 01:29 . 2010-03-31 01:29 -------- d-----w- C:\_OTM
2010-03-30 01:25 . 2006-12-06 11:41 44416 ----a-r- c:\windows\system32\drivers\JRAID_2.sys
2010-03-25 21:11 . 2010-03-25 21:11 5115824 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-20 11:35 . 2010-03-20 11:35 -------- d-----w- c:\arquivos de programas\Microsoft Hardware
2010-03-10 06:20 . 2010-03-10 06:20 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\InstallShield

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-31 16:26 . 2007-12-26 09:52 3201 --sha-w- c:\windows\system32\mmf.sys
2010-03-30 01:37 . 2008-03-30 10:43 -------- d-----w- c:\arquivos de programas\Cheat Engine
2010-03-29 17:07 . 2008-08-21 21:12 -------- d-----w- c:\arquivos de programas\Steam
2010-03-26 22:43 . 2009-07-08 06:49 -------- d-----w- c:\arquivos de programas\ArtMoney
2010-03-25 21:41 . 1782-01-19 03:14 83888 ----a-w- c:\windows\system32\perfc016.dat
2010-03-25 21:41 . 1782-01-19 03:14 479704 ----a-w- c:\windows\system32\perfh016.dat
2010-03-25 21:11 . 2009-08-19 21:43 -------- d-----w- c:\arquivos de programas\Malwarebytes' Anti-Malware
2010-03-25 20:46 . 2007-08-29 20:41 -------- d-----w- c:\arquivos de programas\Grumble
2010-03-25 20:40 . 2010-03-25 20:40 8 ----a-w- c:\documents and settings\NetworkService\Dados de aplicativos\jasltw.dat
2010-03-25 00:40 . 2008-08-25 20:49 -------- d-----w- c:\arquivos de programas\Grvid
2010-03-10 06:53 . 2004-08-04 21:04 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2010-03-10 06:20 . 2004-08-04 21:04 -------- d-----w- c:\arquivos de programas\Arquivos comuns\InstallShield
2010-03-09 20:54 . 2010-01-16 02:18 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight
2010-02-27 06:12 . 2009-08-10 12:18 -------- d-----w- c:\arquivos de programas\Empire of Sports
2010-02-24 01:29 . 2009-10-08 15:29 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Tropico 3
2010-02-23 07:31 . 2007-08-31 18:30 413696 ----a-w- c:\windows\system32\wrap_oal.dll
2010-02-23 07:31 . 2007-08-31 18:30 110592 ----a-w- c:\windows\system32\OpenAL32.dll
2010-02-23 05:17 . 2010-02-23 05:17 -------- d-----w- c:\arquivos de programas\Enlight
2010-02-20 16:12 . 2010-02-20 16:12 -------- d-----w- c:\arquivos de programas\Arquivos comuns\BioWare
2010-02-11 13:02 . 2010-01-17 12:55 -------- d-----w- c:\arquivos de programas\Google
2010-02-04 14:13 . 2007-08-25 12:36 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Azureus
2010-02-02 06:05 . 2010-02-02 04:39 -------- d-----w- c:\arquivos de programas\Kalypso
2010-02-02 06:04 . 2010-02-02 04:45 -------- d-----w- c:\documents and settings\Xgamer\Dados de aplicativos\Grand Ages Rome Demo
2010-01-20 19:01 . 2010-01-20 19:01 61 --sh--w- c:\windows\cnerolf.bin
2010-01-17 14:54 . 2010-01-17 14:54 74083 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ARPPRODUCTICON.exe
2010-01-17 14:54 . 2010-01-17 14:54 73728 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ndac.exe1_0D54DE165360499A9175C95A7F3C5401.exe
2010-01-17 14:54 . 2010-01-17 14:54 73728 ----a-r- c:\documents and settings\Xgamer\Dados de aplicativos\Microsoft\Installer\{304A07DC-4B92-49C6-BC06-DDB8044E91C1}\ndac.exe_0BD1ADA496834929AD856F9834E3E161.exe
2010-01-07 19:07 . 2009-08-19 21:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-01-07 19:07 . 2009-08-19 21:43 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-01-06 22:38 . 2007-08-31 18:30 98304 ----a-w- c:\windows\system32\CmdLineExt.dll
2009-08-18 15:37 . 2009-08-18 15:37 18898 ----a-w- c:\arquivos de programas\Arquivos comuns\anatut.dat
2009-08-18 15:37 . 2009-08-18 15:37 18011 ----a-w- c:\arquivos de programas\Arquivos comuns\rezino._dl
2009-08-18 13:34 . 2009-08-18 13:34 2156 ----a-w- c:\arquivos de programas\rrcdcsoh.txt
.

((((((((((((((((((((((((((((( SnapShot@2010-03-30_23.43.20 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-31 16:26 . 2010-03-31 16:26 16384 c:\windows\Temp\Perflib_Perfdata_55c.dat
+ 2010-03-31 16:26 . 2010-03-31 16:26 16384 c:\windows\Temp\Perflib_Perfdata_44c.dat
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-04-01 08:14 1163264 ----a-w- c:\arquivos de programas\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="c:\arquiv~1\ALWILS~1\Avast4\ashDisp.exe" [2009-11-24 81000]
"Adobe Reader Speed Launcher"="c:\arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 16384000]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-06-10 13758464]
"nwiz"="nwiz.exe" [2009-06-10 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-06-10 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Microsoft Flight Simulator X\\fsx.exe"=
"c:\\Arquivos de programas\\FSFDT\\FWInn\\FWINN.exe"=
"c:\\Arquivos de programas\\FSFDT\\Control Panel\\FSFDTCP.exe"=
"c:\\Program Files\\Atari\\Deer Hunter 2005\\DH2005.exe"=
"c:\\Arquivos de programas\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Arquivos de programas\\GameSpy Arcade\\Aphex.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dangerous waters\\dangerouswaters.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Activision\\Bridge Commander\\stbc.exe"=
"c:\\Arquivos de programas\\Ventrilo\\Ventrilo.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dangerous waters\\Steamrun.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\fallout 3\\Fallout3.exe"=
"c:\\Arquivos de programas\\Steam\\Steam.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\WW2.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\WW2_sse2.exe"=
"c:\\Program Files\\CRS\\Battleground Europe\\playgate_120.exe"=
"c:\\Arquivos de programas\\Java\\jre6\\bin\\java.exe"=
"c:\\Arquivos de programas\\Pando Networks\\Pando\\pando.exe"=
"c:\\Arquivos de programas\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Paradox Interactive\\Hearts of Iron III\\hoi3game.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\fallout 3\\FalloutLauncher.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\ClientUpdater.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\NetworkDiagnostic.exe"=
"c:\\Arquivos de programas\\Empire of Sports\\EmpireOfSports.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\daupdatersvc.service.exe"=
"c:\\Program Files\\Cyanide\\Blood Bowl\\BB.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect\\Binaries\\MassEffect.exe"=
"c:\\Arquivos de programas\\FSFDT\\FSInn UI\\FSInnUI.exe"=
"c:\\Arquivos de programas\\FSFDT\\FSInn UI VVL\\FSInnUIVVL.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\empire total war\\Empire.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\tropico 3\\tropico3.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect 2\\Binaries\\MassEffect2.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\mass effect 2\\MassEffect2Launcher.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\railworks\\RailWorks.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\left 4 dead 2\\left4dead2.exe"=
"c:\\Documents and Settings\\Xgamer\\Configurações locais\\Dados de aplicativos\\F4\\ClientUpdater\\ClientUpdater.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\bin_ship\\DAOrigins.exe"=
"c:\\Arquivos de programas\\Steam\\steamapps\\common\\dragon age origins\\DAOriginsLauncher.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"59007:TCP"= 59007:TCP:Pando P2P TCP Listening Port
"59007:UDP"= 59007:UDP:Pando P2P UDP Listening Port

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);c:\windows\system32\drivers\sfdrv01a.sys [5/7/2006 09:46 63352]
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [30/3/2008 07:43 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [30/3/2008 07:43 20560]
R2 LicCtrlService;LicCtrl Service;c:\windows\Runservice.exe [26/12/2007 06:52 2560]
R3 nvoclock;NVIDIA Enthusiasts Platform KDM;c:\windows\system32\drivers\nvoclock.sys [15/9/2009 12:59 38248]
S2 gupdate;Google Update Service (gupdate);c:\arquivos de programas\Google\Update\GoogleUpdate.exe [17/1/2010 09:55 135664]
S2 IcRecUsb;IC Recorder Driver;c:\windows\system32\drivers\icrecusb.sys [11/12/2007 15:28 17432]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\arquivos de programas\Steam\steamapps\common\dragon age origins\bin_ship\daupdatersvc.service.exe [10/3/2010 21:37 25832]
S3 MGOO;MGOO;c:\docume~1\Xgamer\CONFIG~1\Temp\MGOO.exe --> c:\docume~1\Xgamer\CONFIG~1\Temp\MGOO.exe [?]
S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;c:\windows\system32\drivers\SWUSBFLT.SYS [7/8/2004 20:03 3968]
.
Conteúdo da pasta 'Tarefas Agendadas'

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-01-17 12:55]

2010-03-31 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\arquivos de programas\Google\Update\GoogleUpdate.exe [2010-01-17 12:55]
.
.
------- Scan Suplementar -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {444785F1-DE89-4295-863A-D46C3A781394} - hxxp://webplayer.unity3d.com/download_webplayer-2.x/UnityWebPlayer.cab
FF - ProfilePath - c:\documents and settings\Xgamer\Dados de aplicativos\Mozilla\Firefox\Profiles\lzgqebef.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-31 13:27
Windows 5.1.2600 Service Pack 3 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A2448E0]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf766bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> 0x8a2448e0
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e6686
ParseProcedure -> ntoskrnl.exe @ 0x8057b6b1
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
Warning: possible MBR rootkit infection !
user & kernel MBR OK

**************************************************************************
.
--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_USERS\S-1-5-21-583907252-823518204-682003330-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:05,9e,76,9d,4e,a5,38,74,1d,ab,fc,3d,34,0f,57,77,94,a6,85,91,3a,61,0d,
ef,2c,a9,7b,ad,37,da,ec,55,82,20,a3,d9,cf,ba,9f,66,16,fb,14,5e,40,4f,6c,46,\
"??"=hex:1b,76,be,4e,19,34,99,bc,11,c6,b6,2e,a2,9f,c9,54

[HKEY_USERS\S-1-5-21-583907252-823518204-682003330-1003\Software\SecuROM\License information*]
"datasecu"=hex:27,78,98,00,02,74,12,0a,29,df,c2,92,e7,f1,da,7c,33,41,26,6a,b1,
06,c8,0d,54,6b,e3,7a,60,85,19,22,fa,4c,e7,77,21,0c,56,9f,17,ca,53,5b,23,21,\
"rkeysecu"=hex:9c,2a,b0,3d,2b,ce,0d,8e,44,a3,6f,02,53,73,4a,d1

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347]
"1"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,60,bf,2f,c2,35,91,ae,
25
"2"=hex:fb,e6,50,7f,41,f4,51,a7,7f,ec,2d,f9,42,45,3a,02,3a,b7,45,15,3f,9d,8b,
c3
"3"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,5d,f5,58,d1,21,e0,48,
8b,38,57,44,9c,4e,8d,78,88,fd,f1,01,9d,86,d8,b5,cb,d9,bf,23,55,4a,bb,31,1f

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\A62C3DF982434ABDAD414E772CEE62E6]
"1"=hex:bf,6a,73,4a,48,57,d9,26,5d,d7,11,8b,51,ce,1c,37,b2,8b,15,99,5d,9d,47,
61,6c,bf,37,a7,d1,d7,c0,b2
"2"=hex:ac,5d,cf,8a,eb,60,b6,ba
"3"=hex:34,50,2d,ac,bc,df,58,1b,d8,6c,d4,38,2b,77,45,94,bf,a0,c5,16,ee,a5,b2,
32,0b,0d,d5,9e,2c,c0,77,ca,a7,d8,1b,41,03,14,f0,02,74,dd,91,7c,34,81,25,d1,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:bf,6a,73,4a,48,57,d9,26,5d,d7,11,8b,51,ce,1c,37,b2,8b,15,99,5d,9d,47,
61,6e,6a,1d,2f,00,6b,b9,62,3e,79,c0,6d,00,71,75,df,e6,92,bc,0e,a3,f5,1e,a9,\
"7"=hex:6a,0b,56,13,c1,93,dc,9c,fb,61,a2,a0,e4,ff,91,20,56,a7,02,9d,f0,a0,1d,
cc,28,d9,b1,18,9e,f1,8d,e8,54,e6,61,27,95,2e,52,cc,1c,f7,fa,64,bd,24,b7,82,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,ae,a5,e1,39,c0,fe,a7,12,fb,d4,fe,25,dc,00,56,48,cb,f3,0e,96,93,6e,94,4d,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:d0,71,12,cb,08,b7,a7,d6
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:72,31,07,4e,cb,fd,20,44,b0,30,08,cc,73,40,ef,7f,03,7e,08,77,1a,71,9b,
32,a0,5d,6a,56,3a,1b,9d,3f,59,3d,58,02,71,57,00,41,67,c8,8e,a7,9b,1c,40,7f,\
"13"=hex:e7,92,97,05,ba,b7,88,9e,85,16,26,36,0f,b2,e3,5a,a3,b8,1f,74,11,d9,0e,
a5,35,1f,db,4c,b4,50,ba,99,05,33,6f,ed,1c,09,d2,1f
"14"=hex:99,f7,bb,1b,0d,9d,88,b4,fa,9e,45,6c,cb,b1,2f,71
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:14,0d,2b,41,dd,9e,f3,8a,7b,48,c2,a6,21,cb,52,28
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:65,2f,cc,ba,3f,19,56,74,70,f2,06,7c,a7,ba,05,4c,3d,1f,99,31,68,53,97,
4d,b7,17,bd,cb,3d,32,2b,06,a6,c0,88,5a,37,c1,39,cd,c7,5a,e9,20,d4,28,74,87,\

[HKEY_LOCAL_MACHINE\software\LicCtrl\LicCtrl\LicCtrl\LicCtrl*lkzs$i&#&y@^t! #^$ g9^$&pgb SDB36o \D25BC253F035D347\B3E62936FE1487AF4E0CC9BD2A26433C]
"1"=hex:df,c7,3a,96,ab,66,13,d2,35,84,aa,2e,3b,c4,59,82
"2"=hex:a5,2d,b1,39,25,57,b6,7c,bd,55,f5,f4,85,30,c7,12
"3"=hex:ff,71,2a,a0,e1,fa,fd,f4,76,36,05,b2,bd,c4,78,4f,17,22,25,5a,bd,6b,bb,
0b,e3,93,49,a9,ee,66,58,2f,a4,2a,9c,fe,75,da,e1,50,28,33,b2,1e,1c,f2,9a,f3,\
"4"=hex:2f,ad,a2,e7,8a,bf,05,5e
"5"=hex:bf,e5,23,7b,b0,66,d6,fc,b8,e8,6b,a0,96,52,f7,32,80,09,8f,24,b7,b3,55,
1a,98,d1,47,16,02,43,61,1c,b9,d5,8f,2a,7b,81,b1,fb,95,22,f8,b3,2c,53,9d,ae,\
"6"=hex:df,c7,3a,96,ab,66,13,d2,0e,90,72,68,c4,63,c8,bb,00,5d,70,3b,08,36,97,
bd,ee,04,c1,4a,7c,6f,fd,5f,f7,67,d1,43,f2,ef,e6,1c,89,7c,fa,9f,4c,d6,39,08,\
"7"=hex:93,41,de,56,34,94,a7,b2,13,ca,26,2f,35,a5,e0,53,1e,d5,e7,20,4a,dd,09,
c9,2d,37,7b,a2,3c,71,f4,5e,ed,02,2a,97,fd,fb,2c,72,12,5f,23,ff,c4,2a,48,c4,\
"8"=hex:9d,9e,b2,b9,a7,a5,f4,ae,4d,29,c2,a3,c0,78,c4,c5,2e,4e,96,8c,7e,a3,52,
64,c9,4f,a5,f8,51,27,e9,29,77,5c,86,6d,0a,20,f9,c7,d7,30,8a,47,ce,07,3e,13,\
"9"=hex:81,20,8f,ab,28,6a,52,9c
"18"=hex:d0,71,12,cb,08,b7,a7,d6
"10"=hex:81,20,8f,ab,28,6a,52,9c
"11"=hex:81,20,8f,ab,28,6a,52,9c
"12"=hex:eb,97,99,7a,65,b9,91,7d,ee,96,33,2e,7e,c5,12,36,66,80,5c,16,18,db,f8,
df,b9,52,b8,ee,31,34,87,75,17,33,ec,40,2b,b3,3d,07,b4,67,e7,22,9b,f8,a1,86,\
"13"=hex:bc,56,46,8c,be,fe,b0,9e,a9,c8,a6,e3,7c,a8,f0,9e,7a,b5,3a,f7,d0,9f,7f,
6b,6b,6f,9a,1a,e8,9b,87,44,36,99,a7,79,53,f4,34,26
"14"=hex:d2,08,a4,82,f1,1a,a0,b4,f5,1f,60,13,49,13,4c,d5
"24"=hex:81,20,8f,ab,28,6a,52,9c
"26"=hex:81,20,8f,ab,28,6a,52,9c
"27"=hex:81,20,8f,ab,28,6a,52,9c
"19"=hex:df,60,78,8d,35,eb,80,3e,82,79,f2,d5,0b,bb,7d,ee
"22"=hex:81,20,8f,ab,28,6a,52,9c
"15"=hex:b6,ff,2b,2e,0f,22,1f,03,93,0e,f3,0f,87,f9,4e,67,5c,c8,81,88,cf,56,f8,
bb,6f,5c,8c,63,35,d1,f5,5c,04,ca,19,ef,7e,c6,b8,eb,99,e8,47,13,5f,17,41,7b,\
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(2536)
c:\windows\system32\WININET.dll
c:\arquivos de programas\Dropbox\DropboxExt.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\arquivos de programas\Alwil Software\Avast4\aswUpdSv.exe
c:\arquivos de programas\Alwil Software\Avast4\ashServ.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\arquivos de programas\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\PnkBstrA.exe
c:\windows\system32\PnkBstrB.exe
c:\arquivos de programas\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\system32\wscntfy.exe
c:\arquivos de programas\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\arquivos de programas\NVIDIA Corporation\nTune\nTuneCmd.exe
.
**************************************************************************
.
Tempo para conclusão: 2010-03-31 13:32:59 - Máquina reiniciou
ComboFix-quarantined-files.txt 2010-03-31 16:32
ComboFix2.txt 2010-03-30 23:50
ComboFix3.txt 2010-03-30 01:47
ComboFix4.txt 2009-05-22 15:46

Pré-execução: 26 pasta(s) 68.285.128.704 bytes disponíveis
Pós execução: 27 pasta(s) 68.246.224.896 bytes disponíveis

- - End Of File - - DF4C262A0E925C9320F523A582E40D7F


=============================
On the other hand, GMER ran fine for many, many hours, until it apparently finished the job (I could see no more file path lines on the lower GUI). Then the ASUS on-board sound-card software popped up, as it usually does when you connect or disconnect a cable from its colored jacks, and then error messages started appearing, about 4: "invalid input" and something else. I clicked Save on GMER's window, which was behind this window, but instead of a file I got an hour-glass cursor. I waited a few minutes, and then started clicking OK on ASUS's error messages, which was the only button available, after which I immediately disconnected the 2 pieces of hardware related to sound: a microphone and my speakers' console. Nothing happened; I waited some more. After about 6 minutes total I got a BSOD: something terrible happened, Windows shut down to prevent damage, etc., etc., some hex memory address, and down at the bottom a counter for Dumping Memory to Disk, which after reaching 100 rebooted the PC.

On the good side GMER never warned at any moment of rootkit activity as it did back when the .sys file existed, nor is Avast picking it up, which it always used to do, even with auto-protect turned off (nor can I find it in the sys32\driver folder, looking for it myself).

The PC rebooted normally and I decided to test connecting the microphone and the sound console back, and everything worked perfectly fine, but I'll keep the microphone disconnected just for safety.

Now unless GMER auto-saved the log somewhere, it is lost and I'll have to run it again. For the moment though, have the combofix log above and rejoice in the great news of the vanishing of that damned .sys file. I should have a GMER log in 4 hours, hopefully.

ken545
2010-04-01, 03:00
Yep, it's gone :bigthumb:

Try this instead of GMER; it will go a bit softer on you.

Please download RootRepeal from one of these locations and save it to your desktop
Here (http://ad13.geekstogo.com/RootRepeal.exe)
Here (http://download.bleepingcomputer.com/rootrepeal/RootRepeal.exe)
Here (http://rootrepeal.psikotick.com/RootRepeal.exe)

Open http://billy-oneal.com/forums/rootRepeal/rootRepealDesktopIcon.png on your desktop.
Click the http://billy-oneal.com/forums/rootRepeal/reportTab.png tab.
Click the http://billy-oneal.com/forums/rootRepeal/btnScan.png button.
Check just these boxes:
http://forums.whatthetech.com/uploads/monthly_08_2009/post-75503-1250480183.gif
Push Ok
Check the box for your main system drive (usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the http://billy-oneal.com/forums/rootRepeal/saveReport.png button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your post.

Orwell1984
2010-04-01, 08:18
After about 5 hours GMER appeared to be done; the file paths were gone again. But when I clicked Save I got an error about not having enough system resources available, and shortly after the desktop froze, and I just pressed the reset button.

I then tried scanning only one option at a time, thinking one of them was responsible for the problem, and that worked without hanging, except for Files, which I didn't try because it would take another 5 hours. Then I did a scan with every option activated except for Files, and it worked, and here's that log (if this is unsatisfactory I can try running a scan only with Files and see how that goes):

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-01 02:13:25
Windows 5.1.2600 Service Pack 3
Running: zc44s4k4.exe; Driver: C:\DOCUME~1\Xgamer\CONFIG~1\Temp\kxdyiaob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB4DF76B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB4DF7574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xB4DF7A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xB4DF714C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xB4DF764E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB4DF708C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xB4DF70F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xB4DF776E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xB4DF772E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xB4DF78AE]

---- Kernel code sections - GMER 1.0.15 ----

.xreloc C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xF74F6000, 0xC5E, 0x40000040]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB77A4360, 0x3D46A5, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB430A300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF777F300, 0x1BEE, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[580] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[580] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\atapi \Device\Ide\IdePort0 8A1E98E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 8A1E98E8
Device \Driver\atapi \Device\Ide\IdePort1 8A1E98E8
Device \Driver\atapi \Device\Ide\IdePort2 8A1E98E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 8A1E98E8
Device \Driver\atapi \Device\Ide\IdePort3 8A1E98E8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-17 8A1E98E8

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- EOF - GMER 1.0.15 ----


========================
Then I ran the other tool anyway, according to instructions, and here's the log as well:

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/04/01 02:15
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB4DAF000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79E5000 Size: 8192 File Visible: No Signed: -
Status: -

Name: kxdyiaob.sys
Image Path: C:\DOCUME~1\Xgamer\CONFIG~1\Temp\kxdyiaob.sys
Address: 0xB3B19000 Size: 93056 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB4B17000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df76b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df7574

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df7a52

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df714c

#: 119 Function Name: NtOpenKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df764e

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df708c

#: 128 Function Name: NtOpenThread
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df70f0

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df776e

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df772e

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df78ae

==EOF==
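
The GMER and RootRepeal listings in the post above report the same ten SSDT hooks, and both attribute every one of them to aswSP.SYS, which the logs themselves label as the avast! self-protection module; the RootRepeal "Drivers" section also lists kxdyiaob.sys, the randomly named temporary driver that the GMER header line ("Driver: C:\DOCUME~1\Xgamer\CONFIG~1\Temp\kxdyiaob.sys") shows GMER loaded for its own scan. Reading such logs is mechanical: check that each hook belongs to a module you expect, and check that two independent tools agree. The Python below is an added example, not code from this thread or from either tool. It parses both formats on a constructed excerpt (the aswSP.SYS entries are copied from the logs above; one made-up hook from a placeholder driver, example_unknown.sys, with a made-up table index, is added so the triage has something to flag), normalises Zw/Nt names to the same system-call slot, and reports hooks outside an allow-list or reported by only one tool.

```python
"""Triage the SSDT hook listings that GMER and RootRepeal print."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

# Constructed excerpt in the format of the GMER log above. The aswSP.SYS lines are
# copied from that log; the last SSDT line is a made-up hook from a placeholder
# driver (example_unknown.sys), added so the triage has something to flag.
GMER_SAMPLE = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xB4DF76B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xB4DF7574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xB4DF708C]
SSDT \??\C:\DOCUME~1\user\Temp\example_unknown.sys ZwQueryDirectoryFile [0xB3B20000]
"""

# The same hooks as RootRepeal prints them (Nt* names, lower-case addresses); the
# placeholder entry and its table index are constructed, the rest copied from above.
ROOTREPEAL_SAMPLE = r"""
SSDT
-------------------
#: 025 Function Name: NtClose
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df76b8

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df7574

#: 122 Function Name: NtOpenProcess
Status: Hooked by "C:\WINDOWS\System32\Drivers\aswSP.SYS" at address 0xb4df708c

#: 145 Function Name: NtQueryDirectoryFile
Status: Hooked by "C:\DOCUME~1\user\Temp\example_unknown.sys" at address 0xb3b20000
==EOF==
"""

GMER_SSDT = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)
RR_FUNC = re.compile(r"^#:\s*\d+\s+Function Name:\s+(?P<func>Nt\w+)\s*$")
RR_STATUS = re.compile(
    r'^Status:\s+Hooked by "(?P<module>[^"]+)" at address 0x(?P<addr>[0-9A-Fa-f]+)\s*$'
)


@dataclass(frozen=True)
class Hook:
    service: str   # system-call name with the Zw/Nt prefix stripped
    module: str    # file name of the hooking module, lower-cased
    address: int   # hook target address


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _service(func: str) -> str:
    # Zw* and Nt* name the same SSDT slot; strip the prefix so both tools compare.
    return func[2:] if func[:2] in ("Zw", "Nt") else func


def parse_gmer(text: str) -> List[Hook]:
    hooks = []
    for line in text.splitlines():
        m = GMER_SSDT.match(line)
        if m:
            hooks.append(Hook(_service(m["func"]), _basename(m["module"]), int(m["addr"], 16)))
    return hooks


def parse_rootrepeal(text: str) -> List[Hook]:
    hooks, pending = [], None
    for line in text.splitlines():
        m = RR_FUNC.match(line)
        if m:
            pending = _service(m["func"])   # the Status line that follows completes it
            continue
        m = RR_STATUS.match(line)
        if m and pending is not None:
            hooks.append(Hook(pending, _basename(m["module"]), int(m["addr"], 16)))
            pending = None
    return hooks


def triage(hooks: Iterable[Hook], allowlist: Set[str]) -> Dict[str, List[Hook]]:
    """Split hooks into those owned by an allow-listed module (the installed AV) and the rest."""
    result: Dict[str, List[Hook]] = {"expected": [], "unexpected": []}
    for h in hooks:
        result["expected" if h.module in allowlist else "unexpected"].append(h)
    return result


def cross_check(gmer: Iterable[Hook], rootrepeal: Iterable[Hook]) -> Dict[str, Set[Hook]]:
    """Both tools read the same table, so a hook seen by only one deserves a second look."""
    g, r = set(gmer), set(rootrepeal)
    return {"gmer_only": g - r, "rootrepeal_only": r - g}


if __name__ == "__main__":
    gmer_hooks = parse_gmer(GMER_SAMPLE)
    rr_hooks = parse_rootrepeal(ROOTREPEAL_SAMPLE)
    for h in triage(gmer_hooks, {"aswsp.sys"})["unexpected"]:
        print(f"REVIEW: Nt{h.service} hooked by {h.module} at 0x{h.address:08X}")
    diff = cross_check(gmer_hooks, rr_hooks)
    print("tools agree" if not (diff["gmer_only"] or diff["rootrepeal_only"]) else diff)
```

The allow-list is whatever security software you know is installed on the machine; a hook outside it is a lead, not a verdict, and the next step is to identify the module that owns it (where the file is, whether it is signed, what installed it) rather than to delete anything on the strength of one line.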

ken545
2010-04-01, 11:58
You need to enable windows to show all files and folders, instructions Here (http://www.bleepingcomputer.com/tutorials/tutorial62.html)

kxdyiaob.sys <--Do a search for this file and submit it to VirusTotal

C:\DOCUME~1\Xgamer\CONFIG~1\Temp\kxdyiaob.sys

Go to VirusTotal (http://www.virustotal.com/) and submit these files for analysis, just use the BROWSE feature and then Send File, you will get a report back, post the report into this thread for me to see.

Orwell1984
2010-04-01, 17:05
The sniffing dog can't find that file anywhere on the C: drive, nor can I when pasting the folder address into Windows Explorer.

But since I thought I'd have to upload something I went ahead and connected to the internet, and there's no Spam being sent this time. I even opened Outlook and still no spam.

ken545
2010-04-01, 17:23
Great, looks like we took care of it.


Let's see if there is anything else we need to remove.

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic

Orwell1984
2010-04-01, 20:38
This latest dig seems to have unearthed a bunch of worms, but I think they are mostly old stuff or already quarantined, except for a trainer and Cheat Engine, which were harmless enough, though no big loss if they are to be deleted (wm2008ce_v1-1-dm.exe, I don't even recall what that might be). Here's the log, my noble helper:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=31efc002b3f7344ca208606e753cc608
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-04-01 05:19:45
# local_time=2010-04-01 02:19:45 (-0300, Hora oficial do Brasil)
# country="Brazil"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 26479450 26479450 0 0
# compatibility_mode=769 16775141 100 98 0 205503725 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=457505
# found=15
# cleaned=15
# scan_time=9017
C:\Arquivos de programas\Mozilla Firefox\DOWNLOADS\wm2008ce_v1-1-dm.exe Win32/Adware.Trymedia application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\All Users\Dados de aplicativos\Spybot - Search & Destroy\Recovery\FraudAntiMalwares.zip Win32/Bagle.gen.zip worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Eidos\Hitman Blood Money\EnableHitman1.2Cheats.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Arquivos de programas\Cheat Engine\dbk32.sys.vir probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\rfmwzub.sys.vir Win32/Rootkit.Kryptik.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP135\A0027719.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP144\A0029103.exe Win32/TrojanClicker.Agent.NFX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP144\A0029111.exe Win32/Adware.Trymedia application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP144\A0029114.exe Win32/Adware.Trymedia application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP144\A0029173.exe probably a variant of Win32/Hupigon trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP144\A0029207.exe probably a variant of Win32/Genetik trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP201\A0035542.sys probably a variant of Win32/Genetik trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP202\A0036951.sys Win32/Rootkit.Kryptik.AF trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP202\A0041963.exe Win32/Adware.Trymedia application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{3331B449-BD5D-4804-8D93-10C46EA8D30C}\RP202\A0041964.exe probably a variant of Win32/Agent trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

ken545
2010-04-01, 21:02
Yep, most of that stuff were backups of what has been removed and some were in your System Restore.

System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Reboot your computer

Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Create a new Restore Point <-- Very Important


Go to Start> All Programs> Accessories> System Tools> System Restore and create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it




Now to remove most of the tools that we have used in fixing your machine:
Make sure you have an Internet Connection.
Download OTC (http://oldtimer.geekstogo.com/OTC.exe) to your desktop and run it
A list of tool components used in the cleanup of malware will be downloaded.
If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
Click Yes to begin the cleanup process and remove these components, including this application.
You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.




How are things running now ???

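The System Restore procedure in the post above (turn it off on all drives, turn it back on, create a new restore point), as an added example that is not part of ken545's post. It drives the same Windows XP feature through the WMI SystemRestore class from Windows PowerShell instead of the GUI, and lists the restore points before and after so you can verify the old ones (the RP135/RP144/RP201/RP202 entries ESET flagged) are gone and only the fresh one remains. It assumes an administrator account and PowerShell 2.0 on XP SP3; the restore point description is a made-up value.

```powershell
# Added example, not code from the original thread: purge infected System
# Restore points on Windows XP by disabling and re-enabling System Restore
# through WMI, then create a clean restore point. Run as Administrator.
# Assumptions: PowerShell 2.0 on XP SP3, system drive from $env:SystemDrive.

# The SystemRestore class in root\default exposes the static methods
# Enable, Disable and CreateRestorePoint; its instances are restore points.
$sr = [wmiclass]"\\.\root\default:SystemRestore"

function Get-RestorePoints {
    # One object per existing restore point, oldest first.
    Get-WmiObject -Namespace "root\default" -Class SystemRestore |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber,
            @{ Name = "Created"; Expression = {
                [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } },
            Description
}

Write-Host "Restore points before cleanup:"
Get-RestorePoints | Format-Table -AutoSize

# Step 1: "Turn off System Restore on all drives". Passing the system drive
# applies the change to every drive, which is what the GUI checkbox does.
# Disabling deletes all restore points, including the infected copies stored
# under System Volume Information\_restore{...}\RPnnn.
$systemDrive = $env:SystemDrive + "\"
$rc = $sr.Disable($systemDrive).ReturnValue
Write-Host ("Disable System Restore on {0}: return code {1}" -f $systemDrive, $rc)
if ($rc -ne 0) { throw "Disable failed with code $rc" }

# The post reboots at this point. The WMI call takes effect immediately, so a
# reboot between the two steps is optional if you want to follow it exactly.

# Step 2: "Turn ON System Restore" again so a clean history can start.
# $true = wait until the data store is ready before returning.
$rc = $sr.Enable($systemDrive, $true).ReturnValue
Write-Host ("Enable System Restore on {0}: return code {1}" -f $systemDrive, $rc)
if ($rc -ne 0) { throw "Enable failed with code $rc" }

# Step 3: create a new restore point right away, a known-good snapshot of
# the cleaned machine. 12 = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE.
$rc = $sr.CreateRestorePoint("Clean after malware removal", 12, 100).ReturnValue
Write-Host ("CreateRestorePoint: return code {0}" -f $rc)
if ($rc -ne 0) { throw "CreateRestorePoint failed with code $rc" }

# Step 4: verify. Only the restore point just created should be listed.
Write-Host "Restore points after cleanup:"
Get-RestorePoints | Format-Table -AutoSize
```

A return code of 0 from each method means success; anything else usually means the script was not run from an elevated account or the System Restore service (srservice) is stopped. If the "after" listing still shows any of the old RPnnn entries, the disable step did not take, and the GUI route in the post is the fallback.
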
Orwell1984
2010-04-01, 22:41
All done, things are running as good as ever, if not better. I wrote a big post thanking you and expressing my gratitude and happiness, but I forgot to keep it in the clipboard and by the time I hit the Submit Reply I had been logged out and lost it.

So please, consider yourself deeply thanked, and perhaps it's better this way, so as to not waste your time with unnecessary wordiness.

What would you like me to do next?

ken545
2010-04-02, 01:23
You're very welcome, you're good to go, stay safe and let's hope we don't see you back here.

Some info and free tools for you.


How did I get infected in the first place ?
Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)





Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall are recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community

Spybot Search and Destroy 1.6 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers real-time protection from spyware installation attempts; again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 3 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.



Safe Surfn
Ken

ken545
2010-04-05, 11:51
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.