shanjay Posted January 17, 2009

I saw in another topic that the HijackThis log and the ComboFix log should be posted together, so I posted both. Thanks in advance, everyone.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:51:21, on 16/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\WINDOWS\Help\seguracas.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\systemq.exe
C:\WINDOWS\system32\ree1.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Help\Firewall.exe
C:\HijackThis\HiJackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.11.0.13:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;*.tst.gov.br;<local>
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0199F80B-C612-46F0-8D48-D18F7FE86212} - C:\WINDOWS\system32\wgkuisab.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll (file missing)
O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [openvpn-gui] C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [seguracas] C:\WINDOWS\Help\seguracas.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [amva] C:\WINDOWS\system32\amvo.exe
O4 - HKCU\..\Run: [NitroPC] "C:\Documents and Settings\Administrador\Meus documentos\NitroPC\NitroPC.exe" -minimized
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\systemq.exe
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\ree1.exe
O4 - HKCU\..\Run: [star1] C:\WINDOWS\system32\Winrun.exe
O4 - HKCU\..\Run: [star2] C:\WINDOWS\system32\ischot.exe
O4 - HKCU\..\Run: [star3] C:\WINDOWS\system32\Xred1.exe
O4 - HKCU\..\Run: [star4] C:\WINDOWS\system32\Zred2.exe
O4 - HKCU\..\Run: [star6] C:\WINDOWS\system32\MscheldB.exe
O4 - HKCU\..\Run: [star7] C:\WINDOWS\system32\Mscheldncx.exe
O4 - HKCU\..\Run: [star8] C:\WINDOWS\system32\svscheld.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O17 - HKLM\Software\..\Telephony: DomainName = ssp-go.sspj.go.gov.br
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O20 - AppInit_DLLs: C:\WINDOWS\System32\cryptdll32.dll
O20 - Winlogon Notify: 14f6a245511 - C:\WINDOWS\
O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Arquivos de programas\VPN - SSP-GO\bin\openvpnserv.exe
O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/TEMP/msohtml1/01/clip_image001.gif

--
End of file - 6668 bytes

COMBOFIX LOG.

ComboFix 09-01-15.01 - Administrador 2009-01-17 0:13:57.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.247.93 [GMT -2:00]
Executando de: C:\Documents and Settings\Administrador\Desktop\ComboFix.exe
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Outdated)
 * Criado um novo ponto de restauro
ATENÇAO - ESTA MAQUINA NAO TEM O CONSOLE DE RECUPERAÇÃO INSTALADA !!
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Arquivos de programas\Mjcore
C:\Autorun.inf
C:\Documents and Settings\Administrador\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll
C:\Documents and Settings\Administrador\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\desktop.ini
C:\Documents and Settings\Administrador\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\FP_AX_CAB_INSTALLER.exe
C:\Documents and Settings\Administrador\Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll', PChar('Abn.gpc, Cef.gpc, gbieh.gmd, gbiehuni.dll , GBIEHCEF.DLL , gbiehabn.dll, gbpdist.dll\swflash.inf
C:\Documents and Settings\Administrador\Dados de aplicativos\020000008beb06f3511C.manifest
C:\Documents and Settings\Administrador\Dados de aplicativos\020000008beb06f3511O.manifest
C:\Documents and Settings\Administrador\Dados de aplicativos\020000008beb06f3511P.manifest
C:\Documents and Settings\Administrador\Dados de aplicativos\020000008beb06f3511S.manifest
C:\WINDOWS\GnuHashes.ini
C:\WINDOWS\IE4 Error Log.txt
C:\WINDOWS\ponto2.DLL
C:\WINDOWS\system32\GroupPolicy000.dat
C:\WINDOWS\system32\GroupPolicyManifest
C:\WINDOWS\system32\GroupPolicyManifest\14.music.mp3
C:\WINDOWS\system32\GroupPolicyManifest\14.music.mp3.kwd
C:\WINDOWS\system32\GroupPolicyManifest\15.crack.zip.kwd
C:\WINDOWS\system32\GroupPolicyManifest\16.video.zip.kwd
C:\WINDOWS\system32\GroupPolicyManifest\17.setup.zip.kwd
C:\WINDOWS\system32\GroupPolicyManifest\18.unpack.zip.kwd
C:\WINDOWS\system32\GroupPolicyManifest\19.keygen.zip.kwd
C:\WINDOWS\system32\GroupPolicyManifest\20.serial.zip.kwd
C:\WINDOWS\system32\GroupPolicyManifest\21.mpgvideo.mpg
C:\WINDOWS\system32\GroupPolicyManifest\21.mpgvideo.mpg.kwd
C:\WINDOWS\system32\instsrv.exe
C:\WINDOWS\TRANSFORMERS.DLL
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_FCI
-------\Legacy_SXBNYCII
-------\Service_sxbnycii

(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-17 to 2009-01-17 ))))))))))))))))))))))))))))
.
2009-01-16 23:28 . 2009-01-16 23:28 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\tnkwojci
2009-01-16 13:49 . 2009-01-16 23:51 <DIR> d-------- C:\HijackThis
2009-01-13 23:36 . 2009-01-14 00:44 96,976 --a------ C:\WINDOWS\system32\drivers\klin.dat
2009-01-13 23:36 . 2009-01-14 00:44 87,855 --a------ C:\WINDOWS\system32\drivers\klick.dat
2009-01-13 23:34 . 2009-01-16 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab
2009-01-13 23:34 . 2009-01-13 23:34 <DIR> d-------- C:\Arquivos de programas\Kaspersky Lab
2009-01-13 23:34 . 2009-01-17 00:30 1,202,464 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2009-01-13 23:34 . 2009-01-17 00:29 41,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2009-01-13 23:34 . 2009-01-17 00:24 17,108 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2009-01-13 23:34 . 2009-01-17 00:24 4,868 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2009-01-13 23:28 . 2009-01-13 23:28 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files
2009-01-13 18:36 . 2009-01-13 18:36 <DIR> d-------- C:\WINDOWS\Sun
2009-01-13 15:31 . 2009-01-13 15:31 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\Avg8
2009-01-13 15:31 . 2009-01-13 15:31 262,144 --a------ C:\Documents and Settings\IN241E~8
2009-01-13 15:29 . 2009-01-13 15:29 262,144 --a------ C:\Documents and Settings\IN241E~7
2009-01-13 15:21 . 2009-01-13 15:21 262,144 --a------ C:\Documents and Settings\IN241E~6
2009-01-13 15:06 . 2009-01-13 15:06 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\IObit
2009-01-13 15:06 . 2009-01-13 15:06 <DIR> d-------- C:\Arquivos de programas\IObit
2009-01-13 15:06 . 2008-04-17 16:19 90,668 --a------ C:\WINDOWS\system32\vobis32.dll
2009-01-12 22:41 . 2009-01-13 15:14 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\AVGTOOLBAR
2009-01-12 22:34 . 2009-01-12 22:43 8,192 --a------ C:\Documents and Settings\IN241E~5
2009-01-12 22:32 . 2009-01-12 22:32 <DIR> d-------- C:\Arquivos de programas\ESET
2009-01-12 22:30 . 2009-01-12 22:30 262,144 --a------ C:\Documents and Settings\IN241E~4
2009-01-09 00:27 . 2009-01-09 07:34 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2009-01-07 11:58 . 2009-01-07 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Dados de aplicativos\ESET
2009-01-05 14:11 . 2009-01-05 14:11 974 --a------ C:\WINDOWS\HP
2009-01-05 14:11 . 2009-01-05 20:07 59 --a------ C:\WINDOWS\plugin.fax
2009-01-05 14:11 . 2009-01-05 14:11 8 --a------ C:\WINDOWS\control.ctr
2009-01-05 13:44 . 2009-01-06 13:30 <DIR> d-------- C:\WINDOWS\system32\Prefetchxs
2009-01-05 13:44 . 2009-01-05 13:44 853,091 ---hs---- C:\WINDOWS\system32\ree1.exe
2009-01-05 13:44 . 2009-01-05 13:44 360,300 ---hs---- C:\WINDOWS\systemq.exe
2009-01-05 00:37 . 2009-01-05 00:37 <DIR> d-------- C:\Arquivos de programas\Microsoft Games
2009-01-04 02:32 . 2008-12-05 13:24 106,607 -r-hs---- C:\iqosrtk.bat
2009-01-04 02:28 . 2009-01-04 02:28 262,144 --a------ C:\Documents and Settings\IN241E~3
2009-01-04 02:24 . 2009-01-04 02:28 8,192 --a------ C:\Documents and Settings\IN241E~2
2009-01-03 16:10 . 2009-01-04 02:33 <DIR> d-a------ C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
2009-01-01 16:26 . 2009-01-01 16:26 373,760 --ahs---- C:\WINDOWS\system32\8B.tmp
2008-12-31 13:33 . 2009-01-01 19:02 <DIR> d-------- C:\Documents and Settings\Administrador\Dados de aplicativos\LimeWire
2008-12-31 13:29 . 2008-12-31 13:28 410,984 --a------ C:\WINDOWS\system32\deploytk.dll
2008-12-31 13:29 . 2008-12-31 13:28 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-12-31 13:27 . 2008-12-31 13:27 <DIR> d-------- C:\Arquivos de programas\Java
2008-12-31 12:52 . 2008-12-31 12:52 <DIR> d-------- C:\Sun
2008-12-30 07:39 . 2006-10-04 12:06 1,197,294 -----c--- C:\WINDOWS\system32\dllcache\sysmain.sdb
2008-12-30 07:38 . 2008-12-30 07:38 <DIR> d-------- C:\Arquivos de programas\Windows Media Connect 2
2008-12-30 07:33 . 2008-12-30 07:35 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-12-25 21:17 . 2008-12-25 21:17 <DIR> d-------- C:\Arquivos de programas\Arquivos comuns\SWF Studio
2008-12-22 14:51 . 2009-01-13 10:07 <DIR> d-------- C:\Arquivos de programas\AVIConverter
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 20:15 --------- d-----w C:\Arquivos de programas\Arquivos comuns\Mozilla Shared
2009-01-14 02:45 112,144 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
2009-01-09 09:51 --------- d-----w C:\Arquivos de programas\Alwil Software
2009-01-01 17:46 73,728 ----a-w C:\WINDOWS\Help\Firewall.exe
2009-01-01 17:46 65,536 ----a-w C:\WINDOWS\Help\seguracas.exe
2008-12-12 16:34 --------- d-----w C:\Arquivos de programas\VPN - SSP-GO
2004-12-09 16:22 27,136 -c--a-w C:\Documents and Settings\Administrador\envupdat.dll
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0199F80B-C612-46F0-8D48-D18F7FE86212}]
2003-04-08 10:00 143872 --a------ C:\WINDOWS\system32\wgkuisab.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD559F99-640C-4E58-B3A0-632495C9B66A}]
2003-04-08 10:00 105984 --a------ c:\windows\system32\fsshtae.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iexplorerskut"="C:\WINDOWS\system32\ree1.exe" [2009-01-05 13:44 853091]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"openvpn-gui"="C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe" [2008-06-23 17:33 99328]
"SunJavaUpdateSched"="C:\Arquivos de programas\Java\jre6\bin\jusched.exe" [2008-12-31 13:28 136600]
"seguracas"="C:\WINDOWS\Help\seguracas.exe" [2009-01-01 15:46 65536]
"AVP"="C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 05:45 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jmparwfr]
2003-04-08 10:00 105984 C:\WINDOWS\system32\fsshtae.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\WINDOWS\System32\cryptdll32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"= x264vfw.dll
"VIDC.DIV3"= DivXc32.dll
"VIDC.DIV4"= DivXc32f.dll
"VIDC.3iv2"= 3ivxVfWCodec.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"VIDC.VP31"= vp31vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"msacm.divxa32"= divxa32.acm
"msacm.imc"= imc32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwprovau

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 05:45 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-07-10 05:13 114688 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2005-05-12 00:12 49152 C:\Arquivos de programas\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-07-10 05:25 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
--a------ 2007-08-30 16:06 136512 C:\Arquivos de programas\McAfee\Common Framework\UdaterUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Naldesk]
--a------ 2002-11-04 12:22 16384 C:\Publico\Script\Exe\NalInit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
"Windows Packager"=2 (0x2)
"Pml Driver HPZ12"=2 (0x2)
"ose"=3 (0x3)
"OracleClientCache80"=3 (0x3)
"OCS INVENTORY"=2 (0x2)
"MDM"=2 (0x2)
"McAfeeFramework"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R0 wdjylyyf;wdjylyyf;C:\WINDOWS\system32\drivers\wdjylyyf.sys [2003-04-08 10:00:00 23424]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\drivers\klim5.sys [2007-12-13 13:28:40 24592]
R3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\drivers\tap0801.sys [2008-06-23 17:33:30 26624]
R4 sxbnycii;Microcode Update Controller;C:\WINDOWS\System32\svchost.exe -k netsvcs [2003-04-08 10:00:00 14336]
S4 OCS INVENTORY;OCS INVENTORY SERVICE;C:\Arquivos de programas\OCS Inventory Agent\OcsService.exe [2008-04-21 10:03:22 69632]
S4 OracleClientCache80;OracleClientCache80;C:\Software\Oradev\BIN\ONRSD80.EXE --> C:\Software\Oradev\BIN\ONRSD80.EXE [?]
S4 Windows Packager;Windows Packager;C:\WINDOWS\system32\Srvany.exe [2005-10-19 15:47:44 8464]

--- --- *NewlyCreated* - SXBNYCII

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{889326bc-49ec-11dd-b316-00112588021d}]
\Shell\AutoRun\command - 1u0o8bnq.cmd
\Shell\explore\Command - 1u0o8bnq.cmd
\Shell\open\Command - 1u0o8bnq.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc4d56ca-9146-11dd-b3f0-00112588021d}]
\Shell\AutoRun\command - F:\dp.cmd
\Shell\explore\Command - F:\dp.cmd
\Shell\open\Command - F:\dp.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c86ea9c5-7298-11dd-b391-00112588021d}]
\Shell\AutoRun\command - F:\reswdd.exe
\Shell\explore\Command - F:\reswdd.exe
\Shell\open\Command - F:\reswdd.exe
.
- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-NitroPC - C:\Documents and Settings\Administrador\Meus documentos\NitroPC\NitroPC.exe
HKCU-Run-star1 - C:\WINDOWS\system32\Winrun.exe
HKCU-Run-star2 - C:\WINDOWS\system32\ischot.exe
HKCU-Run-star3 - C:\WINDOWS\system32\Xred1.exe
HKCU-Run-star4 - C:\WINDOWS\system32\Zred2.exe
HKCU-Run-star6 - C:\WINDOWS\system32\MscheldB.exe
HKCU-Run-star7 - C:\WINDOWS\system32\Mscheldncx.exe
HKCU-Run-star8 - C:\WINDOWS\system32\svscheld.exe
Notify-14f6a245511 - (no file)
MSConfigStartUp-bne3 - C:\WINDOWS\system32\Bradesco_Pessoa_Jurídica.exe
MSConfigStartUp-msnmesseger - C:\Arquivos de programas\msnmmensser.exe
MSConfigStartUp-Somefox - C:\WINDOWS\TEMP\94.tmp.exe
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.google.com.br/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = 10.11.0.13:3128
uInternet Settings,ProxyOverride = intranet;*.tst.gov.br;<local>
IE: E&xportar para o Microsoft Excel - C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
FF - ProfilePath - C:\Documents and Settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\i87ycxiq.default\
FF - prefs.js: network.proxy.type - 4
FF - plugin: C:\Arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: C:\Arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

---- FIREFOX POLICIES ----
C:\Arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.
.
------- Associação de arquivos/ficheiros -------
.
.
DigRam Posted January 18, 2009

Good evening, shanjay!

Insert your removable drive(s), if you have any, into the USB port (pendrive, mp3, mp4, iPods, etc.).

<@> Select and copy all of the content in the QUOTE area to Notepad.
<@> Save it on the Desktop with the name: CFScript.txt

File::
C:\WINDOWS\system32\drivers\wdjylyyf.sys
C:\Documents and Settings\IN241E~3
C:\Documents and Settings\IN241E~2
C:\WINDOWS\system32\8B.tmp
C:\WINDOWS\system32\deploytk.dll
C:\WINDOWS\Help\Firewall.exe
C:\WINDOWS\Help\seguracas.exe
c:\windows\system32\fsshtae.dll
C:\WINDOWS\system32\wgkuisab.dll
C:\WINDOWS\system32\ree1.exe
C:\WINDOWS\systemq.exe
C:\iqosrtk.bat
F:\dp.cmd
F:\reswdd.exe

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{889326bc-49ec-11dd-b316-00112588021d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bc4d56ca-9146-11dd-b3f0-00112588021d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c86ea9c5-7298-11dd-b391-00112588021d}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0199F80B-C612-46F0-8D48-D18F7FE86212}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD559F99-640C-4E58-B3A0-632495C9B66A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jmparwfr]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iexplorerskut"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"seguracas"=-

Folder::
C:\WINDOWS\system32\Prefetchxs

Dirlook::
C:\WINDOWS\Help

Driver::
"wdjylyyf"
"sxbnycii"

Netsvc::
"sxbnycii"

<@> Drag CFScript.txt onto the ComboFix icon/window.
<@> See the demonstration!
<@> Accept the prompt that should appear asking to run ComboFix.
<@> PS: Keep dragging until that prompt (window) appears!
<@> When it finishes, post the reports: C:\ComboFix.txt + an updated HijackThis log.

Regards!
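The reply above builds its CFScript by pairing each path under File:: with a loading point seen in the HijackThis log (O4 Run entries, O2 BHOs, O20 AppInit/Winlogon hooks). As an added example, not code from the thread or from the HijackThis/ComboFix tools, the Python below parses those O2/O4/O20 lines and the directive sections of a CFScript, then reports which logged loading points the File:: section covers and which it leaves alone. The sample lines are constructed from the log and script posted above (the Kaspersky entry is included as a legitimate control); the function names and the parser's tolerance for a File:: header run together with its first path are assumptions of this example.

```python
import re

# Constructed sample: a few HijackThis lines copied from the log in this
# thread, plus the Kaspersky "AVP" entry as a legitimate control.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [seguracas] C:\WINDOWS\Help\seguracas.exe
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [iexplorerskut] C:\WINDOWS\system32\ree1.exe
O4 - HKCU\..\Run: [explorer] C:\WINDOWS\systemq.exe
O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll
O20 - AppInit_DLLs: C:\WINDOWS\System32\cryptdll32.dll
"""

# Constructed sample: the File:: and Registry:: fragment of the CFScript above.
CFSCRIPT_SAMPLE = r"""
File::
C:\WINDOWS\Help\seguracas.exe
c:\windows\system32\fsshtae.dll
C:\WINDOWS\system32\ree1.exe
C:\WINDOWS\systemq.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iexplorerskut"=-
"""

O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - '
                   r'(?P<path>.*?)(?: \(file missing\))?$')
O20_APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<path>.*)$')
O20_NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$')
# A CFScript directive header such as "File::"; the optional remainder is an
# assumption of this example, to cope with a first path run onto the header.
SECTION_RE = re.compile(r'^([A-Za-z]+)::(.*)$')


def _command_path(cmd):
    """Extract the executable path from an O4 command (quoted or bare, with args)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.(?:exe|dll|bat|cmd|scr|sys))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def parse_hjt(text):
    """Turn the O2/O4/O20 lines of a HijackThis log into dicts carrying a 'path'."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            entries.append({"section": "O4", "hive": m.group("hive"),
                            "name": m.group("name"),
                            "path": _command_path(m.group("cmd"))})
            continue
        m = O2_RE.match(line)
        if m:
            entries.append({"section": "O2", "clsid": m.group("clsid"),
                            "name": m.group("name"), "path": m.group("path")})
            continue
        m = O20_APPINIT_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": "AppInit_DLLs",
                            "path": m.group("path")})
            continue
        m = O20_NOTIFY_RE.match(line)
        if m:
            entries.append({"section": "O20", "name": m.group("name"),
                            "path": m.group("path")})
    return entries


def parse_cfscript(text):
    """Split a CFScript into its directive sections (File::, Registry::, ...)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            if m.group(2).strip():
                sections[current].append(m.group(2).strip())
            continue
        if current is None:
            raise ValueError("CFScript line before any directive: %r" % line)
        sections[current].append(line)
    return sections


def reconcile(entries, script):
    """Report which logged loading points the script's File:: section covers."""
    targeted = {p.lower() for p in script.get("File", [])}
    covered, uncovered = [], []
    for e in entries:
        (covered if e["path"].lower() in targeted else uncovered).append(e)
    return {"covered": covered, "uncovered": uncovered}


if __name__ == "__main__":
    report = reconcile(parse_hjt(HJT_SAMPLE), parse_cfscript(CFSCRIPT_SAMPLE))
    for label in ("covered", "uncovered"):
        print(label.upper())
        for e in report[label]:
            print("  %s [%s] %s" % (e["section"], e["name"], e["path"]))
```

Path comparison is case-insensitive because HijackThis reports some entries with the casing stored in the registry (c:\windows\system32\fsshtae.dll) while the script lists them as typed; an entry that shows up as "uncovered" is either legitimate (the AVP control here) or a loading point the script does not yet address.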
shanjay Posted January 24, 2009

New HijackThis and ComboFix logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:47:19, on 24/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.11.0.13:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;*.tst.gov.br;<local>
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {0160E942-F852-47A1-9A2E-20D4B4DC1382} - C:\WINDOWS\system32\wgkuisab.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll (file missing)
O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [openvpn-gui] C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [NitroPC] "C:\Documents and Settings\Administrador\Meus documentos\NitroPC\NitroPC.exe" -minimized
O4 - HKCU\..\Run: [star1] C:\WINDOWS\system32\Winrun.exe
O4 - HKCU\..\Run: [star2] C:\WINDOWS\system32\ischot.exe
O4 - HKCU\..\Run: [star3] C:\WINDOWS\system32\Xred1.exe
O4 - HKCU\..\Run: [star4] C:\WINDOWS\system32\Zred2.exe
O4 - HKCU\..\Run: [star6] C:\WINDOWS\system32\MscheldB.exe
O4 - HKCU\..\Run: [star7] C:\WINDOWS\system32\Mscheldncx.exe
O4 - HKCU\..\Run: [star8] C:\WINDOWS\system32\svscheld.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O17 - HKLM\Software\..\Telephony: DomainName = ssp-go.sspj.go.gov.br
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O20 - AppInit_DLLs: C:\WINDOWS\System32\cryptdll32.dll
O20 - Winlogon Notify: 14f6a245511 - C:\WINDOWS\
O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Arquivos de programas\VPN - SSP-GO\bin\openvpnserv.exe
O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/TEMP/msohtml1/01/clip_image001.gif

--
End of file - 5832 bytes

ComboFix 09-01-21.04 - Administrador 2009-01-24 1:53:08.3 - NTFSx86
Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt.txt
AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated)
 * Criado um novo ponto de restauro
.
((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\Prefetchxs
c:\windows\system32\Prefetchxs\shanjaymn@hotmail.com
c:\windows\system32\Prefetchxs\uid=10043715449779570612
c:\windows\system32\Prefetchxs\uid=14673768659218286715
c:\windows\system32\Prefetchxs\uid=3018144004897920139
c:\windows\system32\Prefetchxs\uid=4646528306636213025
c:\windows\system32\Prefetchxs\uid=8106920110471117013
c:\windows\system32\Prefetchxs\uid=9506841594734489469
c:\windows\system32\wgkuisab.dll . . . . falha na exclusão
.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_WDJYLYYF
-------\Service_wdjylyyf

(((((((((((((((( Arquivos/Ficheiros criados de 2008-12-24 to 2009-01-24 ))))))))))))))))))))))))))))
.
2009-01-23 14:55 . 2009-01-23 14:55 <DIR> d-------- c:\arquivos de programas\AVIConverter
2009-01-23 09:37 . 2009-01-23 09:37 <DIR> d-------- c:\documents and settings\NetworkService\Dados de aplicativos\tnkwojci
2009-01-19 04:38 . 2009-01-19 04:38 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\tnkwojci
2009-01-17 12:59 . 2009-01-17 12:59 <DIR> d-------- c:\windows\WinAVI Video Converter 9.0
2009-01-17 12:59 . 2009-01-17 12:59 <DIR> d-------- c:\arquivos de programas\WinAVI Video Converter 9.0
2009-01-16 13:49 . 2009-01-16 23:51 <DIR> d-------- C:\HijackThis
2009-01-13 23:36 . 2009-01-14 00:44 96,976 --a------ c:\windows\system32\drivers\klin.dat
2009-01-13 23:36 . 2009-01-14 00:44 87,855 --a------ c:\windows\system32\drivers\klick.dat
2009-01-13 23:34 . 2009-01-24 00:44 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab
2009-01-13 23:34 . 2009-01-13 23:34 <DIR> d-------- c:\arquivos de programas\Kaspersky Lab
2009-01-13 23:34 . 2009-01-24 02:06 1,453,344 --ahs---- c:\windows\system32\drivers\fidbox.dat
2009-01-13 23:34 . 2009-01-24 02:04 53,792 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2009-01-13 23:34 . 2009-01-24 02:03 20,492 --ahs---- c:\windows\system32\drivers\fidbox.idx
2009-01-13 23:34 . 2009-01-24 02:03 6,068 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2009-01-13 23:28 . 2009-01-13 23:28 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files
2009-01-13 18:36 . 2009-01-13 18:36 <DIR> d-------- c:\windows\Sun
2009-01-13 15:31 . 2009-01-13 15:31 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Avg8
2009-01-13 15:31 . 2009-01-13 15:31 262,144 --a------ c:\documents and settings\IN241E~8
2009-01-13 15:29 . 2009-01-13 15:29 262,144 --a------ c:\documents and settings\IN241E~7
2009-01-13 15:21 . 2009-01-13 15:21 262,144 --a------ c:\documents and settings\IN241E~6
2009-01-13 15:06 . 2009-01-13 15:06 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\IObit
2009-01-13 15:06 . 2009-01-13 15:06 <DIR> d-------- c:\arquivos de programas\IObit
2009-01-13 15:06 . 2008-04-17 16:19 90,668 --a------ c:\windows\system32\vobis32.dll
2009-01-12 22:41 . 2009-01-13 15:14 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\AVGTOOLBAR
2009-01-12 22:34 . 2009-01-12 22:43 8,192 --a------ c:\documents and settings\IN241E~5
2009-01-12 22:32 . 2009-01-12 22:32 <DIR> d-------- c:\arquivos de programas\ESET
2009-01-12 22:30 . 2009-01-12 22:30 262,144 --a------ c:\documents and settings\IN241E~4
2009-01-09 00:27 . 2009-01-09 07:34 <DIR> d---s---- c:\windows\Downloaded Program Files
2009-01-07 11:58 . 2009-01-07 11:58 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\ESET
2009-01-05 14:11 . 2009-01-05 14:11 974 --a------ c:\windows\HP
2009-01-05 14:11 . 2009-01-05 20:07 59 --a------ c:\windows\plugin.fax
2009-01-05 14:11 . 2009-01-05 14:11 8 --a------ c:\windows\control.ctr
2009-01-05 13:44 . 2009-01-05 13:44 853,091 ---hs---- c:\windows\system32\ree1.exe
2009-01-05 00:37 . 2009-01-05 00:37 <DIR> d-------- c:\arquivos de programas\Microsoft Games
2009-01-04 02:28 . 2009-01-04 02:28 262,144 --a------ c:\documents and settings\IN241E~3
2009-01-04 02:24 . 2009-01-04 02:28 8,192 --a------ c:\documents and settings\IN241E~2
2009-01-03 16:10 . 2009-01-04 02:33 <DIR> d-a------ c:\documents and settings\All Users\Dados de aplicativos\TEMP
2009-01-01 16:26 . 2009-01-01 16:26 373,760 --ahs---- c:\windows\system32\8B.tmp
2008-12-31 13:33 . 2009-01-01 19:02 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\LimeWire
2008-12-31 13:29 . 2008-12-31 13:28 410,984 --a------ c:\windows\system32\deploytk.dll
2008-12-31 13:29 . 2008-12-31 13:28 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-12-31 13:27 . 2008-12-31 13:27 <DIR> d-------- c:\arquivos de programas\Java
2008-12-31 12:52 . 2008-12-31 12:52 <DIR> d-------- C:\Sun
2008-12-30 07:39 . 2006-10-04 12:06 1,197,294 -----c--- c:\windows\system32\dllcache\sysmain.sdb
2008-12-30 07:38 . 2008-12-30 07:38 <DIR> d-------- c:\arquivos de programas\Windows Media Connect 2
2008-12-30 07:33 . 2008-12-30 07:35 <DIR> d-------- c:\windows\system32\drivers\UMDF
2008-12-25 21:17 . 2008-12-25 21:17 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\SWF Studio
.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-24 03:35 105,984 ----a-w c:\windows\system32\jjlkpny.dll
2009-01-14 02:45 112,144 ----a-w c:\windows\system32\drivers\kl1.sys
2009-01-09 09:51 --------- d-----w c:\arquivos de programas\Alwil Software
2009-01-01 17:46 73,728 ----a-w c:\windows\Help\Firewall.exe
2009-01-01 17:46 65,536 ----a-w c:\windows\Help\seguracas.exe
2008-12-12 16:34 --------- d-----w c:\arquivos de programas\VPN - SSP-GO
2004-12-09 16:22 27,136 -c--a-w c:\documents and settings\Administrador\envupdat.dll
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\windows\Help ----

2009-01-01 15:46 73728 --a------ c:\windows\Help\Firewall.exe
2009-01-01 15:46 65536 --a------ c:\windows\Help\seguracas.exe
2009-01-01 15:46 0 --a------ c:\windows\Help\atualizado.log
2008-07-22 18:47 10820 --ah-c--- c:\windows\Help\windows.GID
2006-10-30 22:40 368873 --------- c:\windows\Help\wmp11.chm
2005-10-18 18:30 8628 --ah-c--- c:\windows\Help\aclui.GID
2005-10-18 18:29 71071 --a--c--- c:\windows\Help\aclui.chw
2005-10-18 18:22 42474 --a--c--- c:\windows\Help\regedit.chw
2005-05-26 04:16 76732 --a--c--- c:\windows\Help\wuauhelp.chm
2004-12-03 17:50 23433 --a--c--- c:\windows\Help\javasec.hlp
2004-12-03 17:50 12233 --a--c--- c:\windows\Help\javaperm.hlp
2004-08-04 05:47 83312 --a--c--- c:\windows\Help\apps.chm
2004-08-04 05:47 299146 --a--c--- c:\windows\Help\apps_sp.chm
2004-08-04 05:45 34816 --a------ c:\windows\Help\sniffpol.dll
2004-08-04 05:45 33280 --a------ c:\windows\Help\sstub.dll
2004-08-04 05:45 279040 --a------ c:\windows\Help\tshoot.dll
2004-07-24 02:41 187773 --a--c--- c:\windows\Help\inetres.chm
2004-07-19 23:53 996266 --a--c--- c:\windows\Help\windows.chq
2004-07-19 23:53 86339 --a--c--- c:\windows\Help\langbar.chm
c:\windows\Help\taskmgr.hlp 2003-04-08 10:00 13216 --a--c--- c:\windows\Help\safer.chm 2003-04-08 10:00 13180 --a--c--- c:\windows\Help\users.hlp 2003-04-08 10:00 13046 --a--c--- c:\windows\Help\ieeula.chm 2003-04-08 10:00 13018 --a--c--- c:\windows\Help\regedit.hlp 2003-04-08 10:00 12908 --a--c--- c:\windows\Help\qosconcepts.chm 2003-04-08 10:00 12839 --a--c--- c:\windows\Help\ntshrui.hlp 2003-04-08 10:00 12817 --a--c--- c:\windows\Help\drvvfp.chm 2003-04-08 10:00 12776 --a--c--- c:\windows\Help\tcpmon.hlp 2003-04-08 10:00 12684 --a--c--- c:\windows\Help\notepad.hlp 2003-04-08 10:00 12629 --a--c--- c:\windows\Help\splash.chm 2003-04-08 10:00 12617 --a--c--- c:\windows\Help\defrag.hlp 2003-04-08 10:00 12576 --a--c--- c:\windows\Help\wscript.hlp 2003-04-08 10:00 12486 --a--c--- c:\windows\Help\osk.hlp 2003-04-08 10:00 12482 --a--c--- c:\windows\Help\wmifltr.chm 2003-04-08 10:00 12434 --a--c--- c:\windows\Help\winchat.hlp 2003-04-08 10:00 12411 --a--c--- c:\windows\Help\utilmgr.hlp 2003-04-08 10:00 123868 --a--c--- c:\windows\Help\isconcepts.chm 2003-04-08 10:00 1237 --a--c--- c:\windows\Help\Tours\htmlTour\nav_unlock.gif 2003-04-08 10:00 1237 --a--c--- c:\windows\Help\Tours\htmlTour\nav_safe_easy.gif 2003-04-08 10:00 12327 --a--c--- c:\windows\Help\sigverif.hlp 2003-04-08 10:00 1225153 --a--c--- c:\windows\Help\ntart.chm 2003-04-08 10:00 1221 --a--c--- c:\windows\Help\Tours\htmlTour\nav_best.gif 2003-04-08 10:00 12162 --a--c--- c:\windows\Help\magnify.hlp 2003-04-08 10:00 1211 --a--c--- c:\windows\Help\Tours\htmlTour\nav_connected.gif 2003-04-08 10:00 12019 --a--c--- c:\windows\Help\sendcmsg.hlp 2003-04-08 10:00 11969 --a--c--- c:\windows\Help\reader.hlp 2003-04-08 10:00 118838 --a--c--- c:\windows\Help\ieakmmc.chm 2003-04-08 10:00 11859 --a--c--- c:\windows\Help\chnscsvr.hlp 2003-04-08 10:00 11825 --a--c--- c:\windows\Help\ieos.chm 2003-04-08 10:00 1179 --a--c--- c:\windows\Help\Tours\htmlTour\nav_connected_down.gif 2003-04-08 10:00 11778 --a--c--- 
c:\windows\Help\spider.hlp 2003-04-08 10:00 1176 --a--c--- c:\windows\Help\Tours\htmlTour\nav_safe_easy_down.gif 2003-04-08 10:00 11729 --a--c--- c:\windows\Help\cdmedia.hlp 2003-04-08 10:00 11653 --a--c--- c:\windows\Help\iismmc.chm 2003-04-08 10:00 11623 --a--c--- c:\windows\Help\sysrestore.hlp 2003-04-08 10:00 1161 --a--c--- c:\windows\Help\Tours\htmlTour\nav_best_down.gif 2003-04-08 10:00 11572 --a--c--- c:\windows\Help\nofts.chm 2003-04-08 10:00 1148 --a--c--- c:\windows\Help\Tours\WindowsMediaPlayer\Audio\snd.htm 2003-04-08 10:00 11455 --a--c--- c:\windows\Help\audiocdc.hlp 2003-04-08 10:00 1135 --a--c--- c:\windows\Help\Tours\htmlTour\scripts.js 2003-04-08 10:00 11325 --a--c--- c:\windows\Help\chooser.hlp 2003-04-08 10:00 11324 --a--c--- c:\windows\Help\sndvol32.hlp 2003-04-08 10:00 1131 --a--c--- c:\windows\Help\Tours\htmlTour\nav_unlock_down.gif 2003-04-08 10:00 1130 --a--c--- c:\windows\Help\Tours\htmlTour\nav_start_here.gif 2003-04-08 10:00 11251 --a--c--- c:\windows\Help\mshearts.hlp 2003-04-08 10:00 11245 --a--c--- c:\windows\Help\mpnetwrk.hlp 2003-04-08 10:00 111 --a--c--- c:\windows\Help\conf.cnt 2003-04-08 10:00 11033 --a--c--- c:\windows\Help\newfeat5.chm 2003-04-08 10:00 11033 --a--c--- c:\windows\Help\newfeat4.chm 2003-04-08 10:00 11031 --a--c--- c:\windows\Help\newfeat3.chm 2003-04-08 10:00 11031 --a--c--- c:\windows\Help\newfeat2.chm 2003-04-08 10:00 109847 --a--c--- c:\windows\Help\conf.chm 2003-04-08 10:00 10757 --a--c--- c:\windows\Help\cyzcoins.chm 2003-04-08 10:00 10704 --a--c--- c:\windows\Help\msnauth.hlp 2003-04-08 10:00 105249 --a--c--- c:\windows\Help\cmconcepts.chm 2003-04-08 10:00 10507 --a--c--- c:\windows\Help\cyycoins.chm 2003-04-08 10:00 104962 --a--c--- c:\windows\Help\adprop.hlp 2003-04-08 10:00 10486 --a--c--- c:\windows\Help\sapicpl.hlp 2003-04-08 10:00 10457 --a--c--- c:\windows\Help\Tours\WindowsMediaPlayer\wmptour.hta 2003-04-08 10:00 103058 --a--c--- c:\windows\Help\mplayer2.hlp 2003-04-08 10:00 101 --a--c--- 
c:\windows\Help\nocontnt.cnt 2003-04-08 10:00 100686 --a--c--- c:\windows\Help\Tours\htmlTour\img149.jpg 2003-04-08 10:00 1005 --a--c--- c:\windows\Help\Tours\WindowsMediaPlayer\Img\Btn\bktr.gif 1997-09-08 01:37 17086 --a--c--- c:\windows\Help\inetcomm.hlp 1997-01-21 00:00 9991 --a--c--- c:\windows\Help\SCANPST.HLP 1997-01-21 00:00 96 --a--c--- c:\windows\Help\EXCHNG.CNT 1997-01-21 00:00 80643 --a--c--- c:\windows\Help\EXCHNG.HLP 1997-01-21 00:00 40927 --a--c--- c:\windows\Help\INT-MAIL.HLP 1997-01-21 00:00 35958 --a--c--- c:\windows\Help\MSFS.HLP 1997-01-21 00:00 1496 --a--c--- c:\windows\Help\MSFS.CNT 1997-01-21 00:00 1438 --a--c--- c:\windows\Help\INT-MAIL.CNT ((((((((((((((((((((((((((((( snapshot@2009-01-17_ 0.31.34.80 ))))))))))))))))))))))))))))))))))))))))) . - 2009-01-15 22:14:48 32,768 -c--a-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat + 2009-01-24 02:41:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Configurações locais\Histórico\History.IE5\index.dat - 2009-01-15 22:14:48 32,768 -c--a-w c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat + 2009-01-24 02:41:08 32,768 -c--a-w c:\windows\system32\config\systemprofile\Configurações locais\Temporary Internet Files\Content.IE5\index.dat - 2009-01-15 22:14:48 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat + 2009-01-24 02:41:08 16,384 -c--a-w c:\windows\system32\config\systemprofile\Cookies\index.dat - 2009-01-17 02:28:22 53,248 ----a-w c:\windows\Temp\catchme.dll + 2009-01-24 04:05:39 53,248 ----a-w c:\windows\Temp\catchme.dll + 2009-01-24 04:05:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_71c.dat + 2009-01-17 14:59:46 451,072 ----a-w c:\windows\WinAVI Video Converter 9.0\uninstall.exe . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. 
REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0160E942-F852-47A1-9A2E-20D4B4DC1382}] 2003-04-08 10:00 143872 --a------ c:\windows\system32\wgkuisab.dll [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD559F99-640C-4E58-B3A0-632495C9B66A}] 2009-01-24 01:35 105984 --a------ c:\windows\system32\fsshtae.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "NitroPC"="c:\documents and settings\Administrador\Meus documentos\NitroPC\NitroPC.exe" [bU] "star1"="c:\windows\system32\Winrun.exe" [bU] "star2"="c:\windows\system32\ischot.exe" [bU] "star3"="c:\windows\system32\Xred1.exe" [bU] "star4"="c:\windows\system32\Zred2.exe" [bU] "star6"="c:\windows\system32\MscheldB.exe" [bU] "star7"="c:\windows\system32\Mscheldncx.exe" [bU] "star8"="c:\windows\system32\svscheld.exe" [bU] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "openvpn-gui"="c:\arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe" [2008-06-23 99328] "SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-12-31 136600] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableCAD"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\14f6a245511] [bU] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jmparwfr] 2009-01-24 01:35 105984 c:\windows\system32\fsshtae.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\System32\cryptdll32.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.X264"= x264vfw.dll "VIDC.DIV3"= DivXc32.dll "VIDC.DIV4"= DivXc32f.dll "VIDC.3iv2"= 3ivxVfWCodec.dll "VIDC.HFYU"= huffyuv.dll "vidc.i263"= i263_32.drv "VIDC.VP31"= vp31vfw.dll "msacm.l3fhg"= mp3fhg.acm "msacm.divxa32"= divxa32.acm "msacm.imc"= imc32.acm 
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bne3] c:\windows\system32\Bradesco_Pessoa_Jurídica.exe [bU] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] --a------ 2004-08-04 05:45 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] --a------ 2003-07-10 05:13 114688 c:\windows\system32\hkcmd.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a------ 2005-05-12 00:12 49152 c:\arquivos de programas\HP\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] --a------ 2003-07-10 05:25 155648 c:\windows\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI] --a------ 2007-08-30 16:06 136512 c:\arquivos de programas\McAfee\Common Framework\UdaterUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmesseger] c:\arquivos de programas\msnmmensser.exe [bU] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Naldesk] --a------ 2002-11-04 12:22 16384 c:\publico\Script\Exe\NalInit.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Somefox] c:\windows\TEMP\94.tmp.exe [bU] [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WinVNC4"=2 (0x2) "Windows Packager"=2 (0x2) "Pml Driver HPZ12"=2 (0x2) "ose"=3 (0x3) "OracleClientCache80"=3 (0x3) "OCS INVENTORY"=2 (0x2) "MDM"=2 (0x2) "McAfeeFramework"=2 
(0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center] "AntiVirusDisableNotify"=dword:00000001 "UpdatesDisableNotify"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Arquivos de programas\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"= R0 wdjylyyf;wdjylyyf;c:\windows\system32\drivers\wdjylyyf.sys [2003-04-08 23424] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592] R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2008-06-23 26624] S4 OCS INVENTORY;OCS INVENTORY SERVICE;c:\arquivos de programas\OCS Inventory Agent\OcsService.exe [2008-04-21 69632] S4 OracleClientCache80;OracleClientCache80;c:\software\Oradev\BIN\ONRSD80.EXE --> c:\software\Oradev\BIN\ONRSD80.EXE [?] S4 Windows Packager;Windows Packager;c:\windows\system32\Srvany.exe [2005-10-19 8464] --- --- *NewlyCreated* - WDJYLYYF . . ------- Scan Suplementar ------- . 
uStart Page = hxxp://www.google.com.br/ uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 10.11.0.13:3128 uInternet Settings,ProxyOverride = intranet;*.tst.gov.br;<local> IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\i87ycxiq.default\ FF - prefs.js: network.proxy.type - 4 FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll ---- FIREFOX POLICIES ---- c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br"); . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-24 02:05:39 Windows 5.1.2600 Service Pack 2 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** . 
--------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'winlogon.exe'(1348) c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll c:\windows\system32\klogon.dll - - - - - - - > 'lsass.exe'(1404) c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll - - - - - - - > 'explorer.exe'(3016) c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\scrchpg.dll . ------------------------ Outros Processos em Execução ------------------------ . c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe c:\arquivos de programas\Java\jre6\bin\jqs.exe c:\windows\system32\wbem\wmiapsrv.exe . ************************************************************************** . Tempo para conclusão: 2009-01-24 2:15:58 - Máquina reiniciou ComboFix-quarantined-files.txt 2009-01-24 04:15:36 ComboFix2.txt 2009-01-24 03:45:25 Pré-execução: 24 pasta(s) 16.185.712.640 bytes disponíveis Pós execução: 24 pasta(s) 16,171,515,904 bytes disponíveis 824 Compartilhar este post Link para o post Compartilhar em outros sites
DigRam, posted January 24, 2009

Good morning, shanjay!

<@> Go to Start --> Run --> Type or paste: combofix.exe /u --> Click OK.
<@> The following window will open: ( Open File - Security Warning )
<@> Click Run --> Wait!
<@> Finally, the message "ComboFix está desinstalado" (ComboFix is uninstalled) will appear --> Click OK.
<@> If you find them, delete: C:\ComboFix <-- the folder! + C:\ComboFix.txt <-- the report!
-----------------------------
<@> Go to this link and download: < Malwarebytes >
<@> Update the program!
<@> Choose the Quick scan!
<@> Disable your protection programs while running Malwarebytes.
<@> Be sure to send the detected items to quarantine by clicking "Remover itens" (Remove items).
<@> For more details: < Link >
-----------------------------
<@> Post the reports: mbam-log-2009-xx-xx (00-00-00).txt + an updated HijackThis log.

Regards!
shanjay, posted January 25, 2009

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:01:52, on 24/01/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\HijackThis\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.11.0.13:3128
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;*.tst.gov.br
R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\Downloaded Program Files\gbieh.dll (file missing)
O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll
O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [openvpn-gui] C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [NitroPC] "C:\Documents and Settings\Administrador\Meus documentos\NitroPC\NitroPC.exe" -minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) -
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O17 - HKLM\Software\..\Telephony: DomainName = ssp-go.sspj.go.gov.br
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br
O20 - AppInit_DLLs: C:\WINDOWS\System32\cryptdll32.dll
O20 - Winlogon Notify: 14f6a245511 - C:\WINDOWS\
O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Arquivos de programas\VPN - SSP-GO\bin\openvpnserv.exe
O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/TEMP/msohtml1/01/clip_image001.gif

--
End of file - 5475 bytes

Malwarebytes' Anti-Malware 1.33
Versão do banco de dados: 1690
Windows 5.1.2600 Service Pack 2

24/01/2009 22:51:21
mbam-log-2009-01-24 (22-51-21).txt

Tipo de Verificação: Rápida
Objetos verificados: 48775
Tempo decorrido: 9 minute(s), 29 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 6
Valores do Registro infectados: 7
Ítens do Registro infectados: 0
Pastas infectadas: 1
Arquivos infectados: 2

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{cd559f99-640c-4e58-b3a0-632495c9b66a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jmparwfr (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{cd559f99-640c-4e58-b3a0-632495c9b66a} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0160e942-f852-47a1-9a2e-20d4b4dc1382} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0160e942-f852-47a1-9a2e-20d4b4dc1382} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Webtools (Malware.Trace) -> Quarantined and deleted successfully.

Valores do Registro infectados:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\star1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\star2 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\star3 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\star4 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\star6 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\star7 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\star8 (Trojan.Agent) -> Quarantined and deleted successfully.

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
C:\Arquivos de programas\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.

Arquivos infectados:
c:\WINDOWS\system32\fsshtae.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\wgkuisab.dll (Trojan.Vundo.H) -> Delete on reboot.
DigRam, posted January 25, 2009

Good evening, shanjay!

<@> Download: < EliStarA >
<@> On the page, click the button: Descargar EliStarA v xx.xx, located at the bottom of the page.
<@> Save it to the desktop! <-- Put it in its own folder!
<@> Download: < ELINOTIF.DLL >
<@> Save it to the desktop, in the same folder created for EliStarA. <-- Important!
<@> Disable the resident protection of your antivirus or antispyware.
<@> Restart the computer in Safe Mode!
<@> Go to the EliStarA icon and run it. --> Wait!
<@> Accept the exploratory scan and, if prompted, the reboot.
<@> Optionally, your home page will be deleted.
<@> When it finishes, the report will be generated on Local Disk (C). ( infoSat.txt )
<@> Restart in Normal Mode!
<@> Post: infoSat.txt + an updated HijackThis log.

Regards!
shanjay 0 Denunciar post Postado Janeiro 25, 2009 Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 16:05:54, on 25/01/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\HijackThis\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.11.0.13:3128 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;*.tst.gov.br O2 - BHO: Yahoo! 
Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [openvpn-gui] C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" O4 - HKCU\..\Run: [NitroPC] "C:\Documents and Settings\Administrador\Meus documentos\NitroPC\NitroPC.exe" -minimized O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos 
de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O17 - HKLM\Software\..\Telephony: DomainName = ssp-go.sspj.go.gov.br O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O20 - Winlogon Notify: 14f6a245511 - C:\WINDOWS\ O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Arquivos de programas\VPN - SSP-GO\bin\openvpnserv.exe O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/TEMP/msohtml1/01/clip_image001.gif -- End of file - 4968 bytes -------------------------------------------------- Lista de Acciones (por Acción Directa): C:\Documents and Settings\All Users\Desktop\TJ.LNK --> Eliminado (Fichero Complementario). 
Eliminada Class, "{C41A1C0E-EA6C-11D4-B1B8-444553540000}" -> C:\WINDOWS\Downloaded Program Files\gbieh.dll Eliminada Class, "{E37CB5F0-51F5-4395-A808-5FA49E399F83}" -> C:\WINDOWS\Downloaded Program Files\gbieh.dll Eliminada Carpeta "%Application Data%\GbPlugin" No detectado SP3 de Windows XP Eliminadas las Paginas de Inicio y de Busqueda del IE Eliminados Ficheros Temporales del IE Sun Jan 25 15:39:52 2009 EliStartPage v17.86 ©2009 S.G.H. / Satinfo S.L. (Actualizado el 23 de Enero del 2009) -------------------------------------------------- Lista de Acciones (por Exploración): Explorando "C:\" C:\Arquivos de programas\WinAVI Video Converter 9.0\SIMPLEEXT.DLL --> Eliminado, AutoRun.K C:\WUTemp\marciel\Cavalgada 2008\Web\AUTORUN.INF --> Eliminado, AutoRun.AAJ(inf) Nº Total de Directorios: 2249 Nº Total de Ficheros: 27992 Nº de Ficheros Analizados: 14436 Nº de Ficheros Infectados: 2 Nº de Ficheros Limpiados: 2
DigRam, posted January 26, 2009:

Good morning, shanjay!

<@> Copy the information between the XXXXXXX lines into Notepad.
<@> Save it on the desktop as: CFScript <-- Text file!

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
c:\windows\system32\wgkuisab.dll
c:\windows\system32\fsshtae.dll
c:\windows\system32\jjlkpny.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0160E942-F852-47A1-9A2E-20D4B4DC1382}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD559F99-640C-4E58-B3A0-632495C9B66A}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\14f6a245511]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jmparwfr]

Driver::
"wdjylyyf"
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

<@> Drag CFScript.txt onto the ComboFix icon.
<@> Keep dragging until a prompt to run ComboFix.exe appears.
<@> When it finishes, post: ComboFix.txt + an updated HijackThis log.

Regards!
shanjay, posted January 30, 2009:

Good morning!

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:34:49, on 30/01/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\HijackThis\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.11.0.13:3128 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;*.tst.gov.br R3 - URLSearchHook: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! 
Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [openvpn-gui] C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de 
programas\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O17 - HKLM\Software\..\Telephony: DomainName = ssp-go.sspj.go.gov.br O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Arquivos de programas\VPN - SSP-GO\bin\openvpnserv.exe O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/TEMP/msohtml1/01/clip_image001.gif -- End of file - 5253 bytes ComboFix 09-01-21.04 - Administrador 2009-01-30 9:10:45.4 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.2.1252.1.1046.18.247.86 [GMT -2:00] Executando de: c:\documents and settings\Administrador\Desktop\ComboFix.exe Comandos utilizados :: c:\documents and settings\Administrador\Desktop\CFScript.txt AV: Kaspersky Anti-Virus *On-access scanning disabled* (Updated) . ((((((((((((((((((((((((((((((((((((( Outras Exclusões ))))))))))))))))))))))))))))))))))))))))))))))))))) . C:\InfoSat.txt . (((((((((((((((( Arquivos/Ficheiros criados de 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))) . 2009-01-24 23:08 . 2009-01-29 22:23 54,156 --ah----- c:\windows\QTFont.qfn 2009-01-24 23:08 . 
2009-01-24 23:08 1,409 --a------ c:\windows\QTFont.for 2009-01-24 22:33 . 2009-01-24 22:33 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Malwarebytes 2009-01-24 22:33 . 2009-01-24 22:33 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\Malwarebytes 2009-01-24 22:33 . 2009-01-24 22:33 <DIR> d-------- c:\arquivos de programas\Malwarebytes' Anti-Malware 2009-01-24 22:33 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys 2009-01-24 22:33 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys 2009-01-23 14:55 . 2009-01-23 14:55 <DIR> d-------- c:\arquivos de programas\AVIConverter 2009-01-23 09:37 . 2009-01-23 09:37 <DIR> d-------- c:\documents and settings\NetworkService\Dados de aplicativos\tnkwojci 2009-01-19 04:38 . 2009-01-19 04:38 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\tnkwojci 2009-01-17 12:59 . 2009-01-17 12:59 <DIR> d-------- c:\windows\WinAVI Video Converter 9.0 2009-01-17 12:59 . 2009-01-25 15:41 <DIR> d-------- c:\arquivos de programas\WinAVI Video Converter 9.0 2009-01-16 13:49 . 2009-01-25 16:05 <DIR> d-------- C:\HijackThis 2009-01-13 23:36 . 2009-01-14 00:44 96,976 --a------ c:\windows\system32\drivers\klin.dat 2009-01-13 23:36 . 2009-01-14 00:44 87,855 --a------ c:\windows\system32\drivers\klick.dat 2009-01-13 23:34 . 2009-01-30 07:15 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab 2009-01-13 23:34 . 2009-01-13 23:34 <DIR> d-------- c:\arquivos de programas\Kaspersky Lab 2009-01-13 23:34 . 2009-01-30 09:25 1,792,032 --ahs---- c:\windows\system32\drivers\fidbox.dat 2009-01-13 23:34 . 2009-01-30 09:24 66,336 --ahs---- c:\windows\system32\drivers\fidbox2.dat 2009-01-13 23:34 . 2009-01-30 09:19 25,028 --ahs---- c:\windows\system32\drivers\fidbox.idx 2009-01-13 23:34 . 2009-01-30 09:19 7,220 --ahs---- c:\windows\system32\drivers\fidbox2.idx 2009-01-13 23:28 . 
2009-01-13 23:28 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Kaspersky Lab Setup Files 2009-01-13 18:36 . 2009-01-13 18:36 <DIR> d-------- c:\windows\Sun 2009-01-13 15:31 . 2009-01-13 15:31 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\Avg8 2009-01-13 15:31 . 2009-01-13 15:31 262,144 --a------ c:\documents and settings\IN241E~8 2009-01-13 15:29 . 2009-01-13 15:29 262,144 --a------ c:\documents and settings\IN241E~7 2009-01-13 15:21 . 2009-01-13 15:21 262,144 --a------ c:\documents and settings\IN241E~6 2009-01-13 15:06 . 2009-01-13 15:06 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\IObit 2009-01-13 15:06 . 2009-01-13 15:06 <DIR> d-------- c:\arquivos de programas\IObit 2009-01-13 15:06 . 2008-04-17 16:19 90,668 --a------ c:\windows\system32\vobis32.dll 2009-01-12 22:41 . 2009-01-13 15:14 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\AVGTOOLBAR 2009-01-12 22:34 . 2009-01-12 22:43 8,192 --a------ c:\documents and settings\IN241E~5 2009-01-12 22:32 . 2009-01-12 22:32 <DIR> d-------- c:\arquivos de programas\ESET 2009-01-12 22:30 . 2009-01-12 22:30 262,144 --a------ c:\documents and settings\IN241E~4 2009-01-09 00:27 . 2009-01-09 07:34 <DIR> d---s---- c:\windows\Downloaded Program Files 2009-01-07 11:58 . 2009-01-07 11:58 <DIR> d-------- c:\documents and settings\All Users\Dados de aplicativos\ESET 2009-01-05 14:11 . 2009-01-05 14:11 974 --a------ c:\windows\HP 2009-01-05 14:11 . 2009-01-05 20:07 59 --a------ c:\windows\plugin.fax 2009-01-05 14:11 . 2009-01-05 14:11 8 --a------ c:\windows\control.ctr 2009-01-05 00:37 . 2009-01-05 00:37 <DIR> d-------- c:\arquivos de programas\Microsoft Games 2009-01-04 02:28 . 2009-01-04 02:28 262,144 --a------ c:\documents and settings\IN241E~3 2009-01-04 02:24 . 2009-01-04 02:28 8,192 --a------ c:\documents and settings\IN241E~2 2009-01-03 16:10 . 
2009-01-04 02:33 <DIR> d-a------ c:\documents and settings\All Users\Dados de aplicativos\TEMP 2009-01-01 16:26 . 2009-01-01 16:26 373,760 --ahs---- c:\windows\system32\8B.tmp 2008-12-31 13:33 . 2009-01-01 19:02 <DIR> d-------- c:\documents and settings\Administrador\Dados de aplicativos\LimeWire 2008-12-31 13:29 . 2008-12-31 13:28 410,984 --a------ c:\windows\system32\deploytk.dll 2008-12-31 13:29 . 2008-12-31 13:28 73,728 --a------ c:\windows\system32\javacpl.cpl 2008-12-31 13:27 . 2008-12-31 13:27 <DIR> d-------- c:\arquivos de programas\Java 2008-12-31 12:52 . 2008-12-31 12:52 <DIR> d-------- C:\Sun 2008-12-30 07:39 . 2006-10-04 12:06 1,197,294 -----c--- c:\windows\system32\dllcache\sysmain.sdb 2008-12-30 07:38 . 2008-12-30 07:38 <DIR> d-------- c:\arquivos de programas\Windows Media Connect 2 2008-12-30 07:33 . 2008-12-30 07:35 <DIR> d-------- c:\windows\system32\drivers\UMDF 2008-12-25 21:17 . 2008-12-25 21:17 <DIR> d-------- c:\arquivos de programas\Arquivos comuns\SWF Studio 2008-12-12 14:34 . 2008-12-12 14:34 <DIR> d-------- C:\tjgossh 2008-12-12 14:34 . 2008-12-12 14:34 <DIR> d-------- C:\TCP3270 2008-12-12 14:34 . 2008-12-12 14:34 <DIR> d-------- C:\chaves 2008-12-12 14:34 . 2008-12-12 14:34 <DIR> d-------- c:\arquivos de programas\VPN - SSP-GO . ((((((((((((((((((((((((((((((((((((( Relatório Find3M )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-01-24 03:35 105,984 ----a-w c:\windows\system32\jjlkpny.dll 2009-01-14 02:45 112,144 ----a-w c:\windows\system32\drivers\kl1.sys 2009-01-09 09:51 --------- d-----w c:\arquivos de programas\Alwil Software 2009-01-01 17:46 73,728 ----a-w c:\windows\Help\Firewall.exe 2009-01-01 17:46 65,536 ----a-w c:\windows\Help\seguracas.exe 2004-12-09 16:22 27,136 -c--a-w c:\documents and settings\Administrador\envupdat.dll . (((((((((((((((((((((((((( Pontos de Carregamento do Registro ))))))))))))))))))))))))))))))))))))))) . . *Nota* entradas vazias e legítimas por defeito não são mostradas. 
REGEDIT4 [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CD559F99-640C-4E58-B3A0-632495C9B66A}] 2009-01-24 01:35 105984 --a------ c:\windows\system32\fsshtae.dll [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "openvpn-gui"="c:\arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe" [2008-06-23 99328] "SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-12-31 136600] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360] [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "DisableCAD"= 1 (0x1) [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jmparwfr] 2009-01-24 01:35 105984 c:\windows\system32\fsshtae.dll [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "VIDC.X264"= x264vfw.dll "VIDC.DIV3"= DivXc32.dll "VIDC.DIV4"= DivXc32f.dll "VIDC.3iv2"= 3ivxVfWCodec.dll "VIDC.HFYU"= huffyuv.dll "vidc.i263"= i263_32.drv "VIDC.VP31"= vp31vfw.dll "msacm.l3fhg"= mp3fhg.acm "msacm.divxa32"= divxa32.acm "msacm.imc"= imc32.acm [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Authentication Packages REG_MULTI_SZ msv1_0 nwprovau [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Menu Iniciar^Programas^Inicializar^HP Digital Imaging Monitor.lnk] path=c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\HP Digital Imaging Monitor.lnk backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE] --a------ 2004-08-04 05:45 15360 c:\windows\system32\ctfmon.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds] --a------ 2003-07-10 05:13 114688 c:\windows\system32\hkcmd.exe 
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update] --a------ 2005-05-12 00:12 49152 c:\arquivos de programas\HP\HP Software Update\hpwuSchd2.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray] --a------ 2003-07-10 05:25 155648 c:\windows\system32\igfxtray.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI] --a------ 2007-08-30 16:06 136512 c:\arquivos de programas\McAfee\Common Framework\UdaterUI.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Naldesk] --a------ 2002-11-04 12:22 16384 c:\publico\Script\Exe\NalInit.exe [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "WinVNC4"=2 (0x2) "Windows Packager"=2 (0x2) "Pml Driver HPZ12"=2 (0x2) "ose"=3 (0x3) "OracleClientCache80"=3 (0x3) "OCS INVENTORY"=2 (0x2) "MDM"=2 (0x2) "McAfeeFramework"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Arquivos de programas\\Kaspersky Lab\\Kaspersky Anti-Virus 7.0\\avp.exe"= R0 wdjylyyf;wdjylyyf;c:\windows\system32\drivers\wdjylyyf.sys [2003-04-08 23424] R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2007-12-13 24592] R3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [2008-06-23 26624] S4 OCS INVENTORY;OCS INVENTORY SERVICE;c:\arquivos de programas\OCS Inventory Agent\OcsService.exe [2008-04-21 69632] S4 OracleClientCache80;OracleClientCache80;c:\software\Oradev\BIN\ONRSD80.EXE --> c:\software\Oradev\BIN\ONRSD80.EXE [?] S4 Windows Packager;Windows Packager;c:\windows\system32\Srvany.exe [2005-10-19 8464] . 
- - - - ORFÃOS REMOVIDOS - - - - HKCU-Run-NitroPC - c:\documents and settings\Administrador\Meus documentos\NitroPC\NitroPC.exe Notify-14f6a245511 - (no file) MSConfigStartUp-bne3 - c:\windows\system32\Bradesco_Pessoa_Jurídica.exe MSConfigStartUp-msnmesseger - c:\arquivos de programas\msnmmensser.exe MSConfigStartUp-Somefox - c:\windows\TEMP\94.tmp.exe . ------- Scan Suplementar ------- . uStart Page = www.google.com mStart Page = about:blank uInternet Connection Wizard,ShellNext = iexplore uInternet Settings,ProxyServer = 10.11.0.13:3128 uInternet Settings,ProxyOverride = intranet;*.tst.gov.br IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab FF - ProfilePath - c:\documents and settings\Administrador\Dados de aplicativos\Mozilla\Firefox\Profiles\i87ycxiq.default\ FF - prefs.js: network.proxy.type - 4 FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll FF - plugin: c:\arquivos de programas\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll ---- FIREFOX POLICIES ---- c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br"); . ************************************************************************** catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-01-30 09:24:24 Windows 5.1.2600 Service Pack 2 NTFS Procurando processos ocultos ... Procurando entradas auto inicializáveis ocultas ... Procurando ficheiros/arquivos ocultos ... Varredura completada com sucesso arquivos/ficheiros ocultos: 0 ************************************************************************** . 
--------------------- DLLs Carregadas Sob os Processos em Execução --------------------- - - - - - - - > 'winlogon.exe'(1328) c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll c:\windows\system32\klogon.dll - - - - - - - > 'lsass.exe'(1384) c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\dnsq.dll c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll - - - - - - - > 'explorer.exe'(3960) c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\miscr3.dll c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\fssync.dll . ------------------------ Outros Processos em Execução ------------------------ . c:\arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe c:\arquivos de programas\Java\jre6\bin\jqs.exe c:\windows\system32\wbem\wmiapsrv.exe c:\windows\system32\wscntfy.exe . ************************************************************************** . Tempo para conclusão: 2009-01-30 9:32:38 - Máquina reiniciou ComboFix-quarantined-files.txt 2009-01-30 11:32:16 Pré-execução: 24 pasta(s) 18.228.137.984 bytes disponíveis Pós execução: 24 pasta(s) 18,195,603,456 bytes disponíveis 205
DigRam, posted January 30, 2009:

Good morning, shanjay!

<@> Download: < BankerFix 3.0 >
<@> Save it to Local Disk C!
<@> Temporarily disable your antivirus.
<@> Double-click bankerfix.exe.
<@> Note: run bankerfix.exe only once, so that its report is not overwritten.
<@> The BankerFix 3.0 window will open with the following question: "Install Bankerfix 3.0?" <-- Translated!
<@> Click Yes!
<@> A window will open saying that BankerFix 3.0 will be downloaded over the internet.
<@> Click OK. <-- Wait!
<@> In the next window, click OK.
<@> BankerFix 3.0 will start!
<@> Press any key to continue the process. <-- Wait!
<@> When the scan is finished, read the message on screen and press Enter.
<@> Re-enable your antivirus.
<@> Come back with the BankerFix report, which will be at: C:\LinhaDefensiva\relatorio.txt <--
<@> Also post an updated HijackThis log.

Regards!
shanjay, posted January 30, 2009:

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 13:03:42, on 30/01/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\wscntfy.exe C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\WINDOWS\system32\ctfmon.exe C:\WINDOWS\explorer.exe C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\HijackThis\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.11.0.13:3128 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;*.tst.gov.br R3 - URLSearchHook: Barra de Ferramentas do Yahoo! 
com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [openvpn-gui] C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de 
programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O17 - HKLM\Software\..\Telephony: DomainName = ssp-go.sspj.go.gov.br O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Arquivos de programas\VPN - SSP-GO\bin\openvpnserv.exe O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/TEMP/msohtml1/01/clip_image001.gif -- End of file - 5326 bytes BankerFix 3.0 VALKYRIE - Removedor de Bankers Linha Defensiva | http://www.linhadefensiva.org http://www.linhadefensiva.org/bankerfix/ ------------------------------------------------------- Data: 2009-01-30 - 12:12 ------------------------------------------------------- Lista de Definição: 2009-01-21-2 | CORE: 2009-01-21-1 ======================================================= Arquivo infectado detectado: C:\WINDOWS\control.ctr Arquivo infectado removido com sucesso! Arquivo infectado detectado: C:\WINDOWS\HP Arquivo infectado removido com sucesso! 
Arquivo infectado detectado: C:\WINDOWS\plugin.fax Arquivo infectado removido com sucesso! Arquivo infectado detectado: \autoexec.bat Arquivo infectado removido com sucesso! Removendo Arquivos em Help ----------------------------------- Killing '*' Firewall.exe seguracas.exe ----- Fim -------------------------
DigRam, posted January 30, 2009:

Good afternoon, shanjay!

<@> Go to Start --> Run --> type or paste: combofix.exe /u --> Click OK.
<@> The following window will open: ( Open File - Security Warning )
<@> Click Run --> Wait!
<@> Finally the message "ComboFix has been uninstalled" will appear --> Click OK.
<@> If you find them, delete: C:\ComboFix <-- The folder! + C:\ComboFix.txt <-- The report!
---------------------------------
<@> Download: < Pocket Killbox >
<@> Save it to the Desktop!
<@> Open KillBox --> Check the option: Delete on Reboot
<@> Check the box: "End Explorer Shell While Killing File" --> Minimize the tool!
<@> Copy the file(s) under the QUOTE into Notepad.
<@> While disconnected, open Notepad and use these shortcuts: ( ctrl + a ) --> ( ctrl + c )

c:\windows\system32\fsshtae.dll

<@> In the minimized KillBox, click File --> Paste from Clipboard --> All Files.
<@> Click the X and answer No to the question!
<@> Restart the computer! <-- Important!
<@> Go to the folder C:\!KillBox that was created!
<@> Post the backup report inside it! ( C:\!KillBox\Logs\kb.log )
---------------------------------
<@> Open HijackThis --> Click: Do a system scan only
<@> Check these entries below:

O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll
O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll

<@> With all programs closed, click Fix checked.
--------------------------------
<!> Post: kb.log + an updated HijackThis log.

Regards!
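A small triage helper, added here as an illustration; it is not part of this thread and not code from HijackThis or the Linha Defensiva tools. It parses the O2/O3/O4/O20/O23 lines of a HijackThis log, reports every module registered at more than one load point, and lists BHOs registered with no name. Those are the two signals that single out fsshtae.dll in the logs above: it is both an unnamed O2 BHO and an O20 Winlogon Notify handler, and it is the file the helper asks to have removed. The sample lines are copied from the logs in this thread; the function names, the regular expressions and the section list are my own choices.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines copied from the logs in this thread.
SAMPLE_LOG = """\
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Arquivos de programas\\Java\\jre6\\bin\\ssv.dll
O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\\windows\\system32\\fsshtae.dll
O4 - HKLM\\..\\Run: [openvpn-gui] C:\\Arquivos de programas\\VPN - SSP-GO\\bin\\openvpn-gui.exe
O4 - HKLM\\..\\Run: [sunJavaUpdateSched] "C:\\Arquivos de programas\\Java\\jre6\\bin\\jusched.exe"
O20 - Winlogon Notify: jmparwfr - C:\\WINDOWS\\SYSTEM32\\fsshtae.dll
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\\Arquivos de programas\\VPN - SSP-GO\\bin\\openvpnserv.exe
"""

# HijackThis sections that load a module at boot, logon or browser start
# (assumed subset chosen for this example).
LOAD_POINT_SECTIONS = {"O2", "O3", "O4", "O20", "O23"}

# "Oxx - " prefix, then the rest of the entry.
_ENTRY_RE = re.compile(r"^(O\d+)\s+-\s+(.*)$")
# First drive-letter path ending in an executable module extension.
# Non-greedy so 'VPN - SSP-GO\...\openvpn-gui.exe' is not cut at the ' - ' inside it.
_PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe|sys|drv|cpl|ocx)\b", re.IGNORECASE)


def parse_entries(text):
    """Return (section, normalized_path, raw_line) for each load-point entry."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = _ENTRY_RE.match(raw)
        if not m or m.group(1) not in LOAD_POINT_SECTIONS:
            continue
        p = _PATH_RE.search(m.group(2))
        if not p:
            continue
        # Windows paths are case-insensitive; 8.3 short names (ARQUIV~1) are
        # not expanded here, so the same file under a short name would not merge.
        entries.append((m.group(1), p.group(0).lower(), raw))
    return entries


def modules_at_multiple_load_points(entries):
    """Paths referenced from more than one distinct section -> sorted section list."""
    by_path = defaultdict(set)
    for section, path, _ in entries:
        by_path[path].add(section)
    return {path: sorted(secs, key=lambda s: int(s[1:]))
            for path, secs in by_path.items() if len(secs) > 1}


def unnamed_bhos(entries):
    """Paths of O2 entries whose BHO has no registered name."""
    return [path for section, path, raw in entries
            if section == "O2" and "BHO: (no name)" in raw]


def triage(text):
    """Run both checks over a HijackThis log and return the findings."""
    entries = parse_entries(text)
    return {"multi": modules_at_multiple_load_points(entries),
            "unnamed_bho": unnamed_bhos(entries)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for path, secs in result["multi"].items():
        print(f"{path}: registered at {', '.join(secs)}")
    for path in result["unnamed_bho"]:
        print(f"{path}: BHO with no name")
```

Neither signal is proof of infection on its own (legitimate security products also hook several load points), but a module that is unnamed and multiply registered is the first thing to look up before touching it, which is the order this thread followed.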
shanjay, posted February 10, 2009:

Good morning, DigRam!

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:06:13, on 10/02/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\Explorer.EXE C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe C:\Arquivos de programas\Java\jre6\bin\jusched.exe C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\WINDOWS\system32\ctfmon.exe C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe C:\Arquivos de programas\Java\jre6\bin\jqs.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wbem\wmiapsrv.exe C:\WINDOWS\system32\wscntfy.exe C:\WINDOWS\System32\svchost.exe C:\Documents and Settings\Administrador\Desktop\KillBox.exe C:\HijackThis\HiJackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.11.0.13:3128 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = intranet;*.tst.gov.br R3 - URLSearchHook: Barra de Ferramentas do Yahoo! 
com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll O3 - Toolbar: Barra de Ferramentas do Yahoo! com bloqueador de pop-up - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Arquivos de programas\Yahoo!\Companion\Installs\cpn\yt.dll O4 - HKLM\..\Run: [openvpn-gui] C:\Arquivos de programas\VPN - SSP-GO\bin\openvpn-gui.exe O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [AVP] "C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: Estatísticas do Antivírus da Web - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - 
C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O17 - HKLM\Software\..\Telephony: DomainName = ssp-go.sspj.go.gov.br O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = ssp-go.sspj.go.gov.br O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Arquivos de programas\VPN - SSP-GO\bin\openvpnserv.exe O24 - Desktop Component 0: (no name) - file:///C:/WINDOWS/TEMP/msohtml1/01/clip_image001.gif -- End of file - 5486 bytes Pocket Killbox version 2.0.0.978 Running on Windows XP as Administrador(Administrator) was started @ terça-feira, fevereiro 10, 2009, 9:00 AM # 1 [Delete on Reboot] Path = c:\windows\system32\fsshtae.dll Killbox Closed(Exit) @ 9:08:52 AM __________________________________________________ Compartilhar este post Link para o post Compartilhar em outros sites
DigRam, posted February 10, 2009

Good morning! shanjay

<@> Click the X and, at the prompt, say No!
<!> Repeat the procedure with KillBox, and at the prompt about the reboot, confirm! <--
<!> The computer will restart.
<!> Open HijackThis and Fix the entries already listed earlier.
----------------------------
<!> When finished, post a new HijackThis report.

Regards!
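As an added illustration (not part of the thread, and not HijackThis or Killbox code): a small Python script that parses HijackThis-style entry lines and flags the pattern being cleaned here, a nameless O2 BHO whose DLL also shows up as an O20 Winlogon Notify package, then lists the entries to Fix once the file is scheduled for deletion. The sample lines are constructed from the log above, and the two flag rules are my own heuristics, not anything HijackThis itself applies.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {CD559F99-640C-4E58-B3A0-632495C9B66A} - c:\windows\system32\fsshtae.dll
O20 - Winlogon Notify: jmparwfr - C:\WINDOWS\SYSTEM32\fsshtae.dll
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Arquivos de programas\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
# First drive-letter path ending in .dll/.exe; matched case-insensitively like NTFS.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)

def parse_entries(log_text):
    """Yield (kind, body, normalized path or None) for each HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        p = PATH_RE.search(body)
        yield kind, body, (p.group(0).lower() if p else None)

def suspicious_entries(log_text):
    """Map each flagged file path to the reasons it deserves a closer look (heuristic)."""
    kinds_by_path = defaultdict(set)
    reasons = defaultdict(list)
    for kind, body, path in parse_entries(log_text):
        if path is None:
            continue
        kinds_by_path[path].add(kind)
        # A BHO registered without any description is a classic red flag.
        if kind == "O2" and "(no name)" in body:
            reasons[path].append("O2 BHO registered with no name")
    for path, kinds in kinds_by_path.items():
        # One DLL loaded both as a BHO (O2) and as a Winlogon Notify package
        # (O20) is exactly the persistence pairing seen in this thread's log.
        if {"O2", "O20"} <= kinds:
            reasons[path].append("same DLL in O2 (BHO) and O20 (Winlogon Notify)")
    return dict(reasons)

def fix_candidates(log_text):
    """Raw entry lines to 'Fix' in HijackThis once the flagged file is scheduled
    for deletion (in this thread, via Killbox's Delete on Reboot)."""
    flagged = suspicious_entries(log_text)
    return [f"{kind} - {body}" for kind, body, path in parse_entries(log_text)
            if path in flagged]
```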
Mário Monteiro, posted March 11, 2009

Topic Archived

Since the author has not replied for more than 30 days, the topic has been archived. If you are the author of the topic and want to reopen it, send a private message to a moderator of this area together with the link to this topic and explain the reason for reopening.