[Resolvido!] problemas com CID e Wixawin

pristorolli · Junho 10, 2009

oláá, estou com problemas no IE, na verdade uso o firefox, mas a cada 5 minutos abre janelas do IE com o titulo de CID ou Wixawin, andei lendo os topicos e vi que os procedimentos são particulares de cada computador para tirar essas janelas, aqui vai o log do Hijackthis.

Obrigada desde já.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 14:46:21, on 10/06/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18226)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Windows Defender\MSASCui.exe

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files\AVG\AVG8\avgtray.exe

C:\Program Files\Nero\Nero8\InCD\NBHGui.exe

C:\Program Files\Nero\Nero8\InCD\InCD.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Photo Toolkit\IvBar\phototoolkitmem.exe

c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\system32\DllHost.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\NOTEPAD.EXE

C:\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orkut.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

O1 - Hosts: ::1 localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: MoreRelevantAdvertisingProgram - {4E8D6551-F9A4-6D01-4D4B-BFD7673C0E3E} - C:\Program Files\MoreRelevantAdvertisingProgram\MoreRelevantAdvertisingProgram.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide

O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe

O4 - HKLM\..\Run: [OsdMaestro] "C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe"

O4 - HKLM\..\Run: [ATICCC] "c:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe

O4 - HKLM\..\Run: [HP Software Update] c:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Windows\system32\NeroCheck.exe

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

O4 - HKLM\..\Run: [securDisc] C:\Program Files\Nero\Nero8\InCD\NBHGui.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Nero\Nero8\InCD\InCD.exe

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKCU\..\Run: [i&F Viewer toolbar] "C:\Program Files\Photo Toolkit\ivbar\phototoolkitmem.exe" -start

O4 - HKCU\..\Run: [indxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"

O4 - HKCU\..\Run: [surf open] "C:\ProgramData\baitjumpjump.ii2yy"

O4 - HKCU\..\Run: [Help Creative Meow City] "C:\ProgramData\Platform build memo.aq9tr9"

O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')

O4 - Startup: hideflag.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O8 - Extra context menu item: Abrir com Wordperfect - C:\Program Files\WordPerfect Office X3\Programs\WPLauncher.hta

O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.15\AMVConverter\grab.html

O8 - Extra context menu item: Baixar link usando &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm

O8 - Extra context menu item: Baixar todos os links usando BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm

O8 - Extra context menu item: Baixar todos os vídeos usando BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.15\MediaManager\grab.html

O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)

O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll

O9 - Extra button: (no name) - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (no file)

O13 - Gopher Prefix:

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{84AA9719-AB58-4D60-B5E7-89A7476E66AA}: NameServer = 200.204.0.10 200.204.0.138

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - c:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files\Common Files\LightScribe\LSSrvc.exe

O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: Nero Registry InCD Service (NeroRegInCDSrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\Windows\system32\IoctlSvc.exe

O23 - Service: RoxMediaDB9 - Sonic Solutions - c:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe

O23 - Service: stllssvr - Unknown owner - c:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)

--

End of file - 8953 bytes

Power Max · Junho 10, 2009

:thumbsup: Olá pristorolli! Seja bem-vindo ao Fórum Imasters.

:seta: Sugiro que você salve ou imprima essas instruções abaixo, pois em alguns momentos você poderá precisar usar o computador sem o acesso à internet:

- Faça o download do ComboFix e salve-o no desktop (área de trabalho):

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

OBS: Para que a ferramenta seja executada é necessário que esteja no desktop (área de trabalho)

Mantenha a tecla [shift] pressionada enquanto espeta o Pendrive, MP3, etc... na porta USB (caso você tenha algum destes) e se tiver mais de um, conecte todos.

Neste caso de você ter alguma destas mídias citados acima deixe de apertar a tecla [shift] só quando o Pendrive (ou outras mídias) for identificado no Windows explorer. Não os tire até completar todas as instruções.

* Desative, temporariamente, o seu antivírus;

* Feche todas as janelas abertas;

* Dê um duplo clique no arquivo ComboFix;

* Na próxima janela clique em Executar, aceite o contrato e aguarde até que o relatório seja gerado;

OBS: Caso não queira que seja instalado o console de recuperação do Windows, clique em "Não" e depois concorde que a verificação prossiga.

Ao ser instalado o console, na inicialização do sistema será apresentada a tela para seleção dos sistemas operacionais.

Mais informações sobre o Console: http://support.microsoft.com/kb/307654/pt-br

* Caso ocorra algum erro, reinicie o computador em Modo Seguro (pressione a tecla F8 intermitentemente, ou F5 em alguns casos, durante a inicialização e escolha a opção Modo Seguro na tela que se apresenta) e repita o procedimento;

* O ComboFix "poderá" reiniciar o PC automaticamente para completar o processo de remoção.

* Quando terminar, será gerado um log, que estará em C:\ComboFix.txt.

* Não clique na Janela do ComboFix, nem o feche clicando no X, enquanto estiver rodando, não mova o mouse e não use o teclado, pois senão irá parar e seu desktop ficará em branco.

* Para parar ou sair do ComboFix, tecle "N".

* Se perder a conexão com a internet, reinicie o computador. Caso o problema persista, abra Conexões de Rede no Painel de Controle, clique com o botão direito do mouse sobre a sua conexão com a internet e em "Reparar";

Poste o log do Combofix que estará em C:\ComboFix.txt juntamente com um novo log do Hijackthis em sua próxima resposta e nos diga como está o seu PC e o pendrive depois disto.

pristorolli · Junho 10, 2009

oláá, obrigada pela rapidez da resposta :thumbsup:

aqui vai o log do Combofix

ComboFix 09-06-09.06 - Priscila 10/06/2009 15:39.1 - NTFSx86

Microsoft® Windows Vista™ Starter 6.0.6001.1.1252.55.1046.18.1407.834 [GMT -3:00]

Executando de: c:\users\Priscila\Desktop\ComboFix.exe

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

SP: AVG Anti-Virus Free *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}

.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))

.

D:\Desktop.ini

.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-05-10 to 2009-06-10 ))))))))))))))))))))))))))))

.

2009-06-10 18:45 . 2009-06-10 18:45 -------- d-----w- c:\users\Priscila\AppData\Local\temp

2009-06-10 18:22 . 2009-06-10 18:42 -------- d---a-w- \Qoobox

2009-06-10 17:39 . 2009-06-10 17:39 401720 ----a-w- C:\HiJackThis.exe

2009-06-10 17:39 . 2009-06-10 17:39 401720 ----a-w- \HiJackThis.exe

2009-06-06 02:01 . 2009-06-06 02:01 -------- d-----w- c:\programdata\WindowsSearch

2009-06-05 14:13 . 2009-06-05 14:13 314200 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe

2009-06-05 14:13 . 2009-06-05 14:13 25440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\savapibridge.dll

2009-06-05 14:13 . 2009-06-05 14:13 169312 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll

2009-06-05 14:13 . 2009-06-05 14:13 15688 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe

2009-06-05 14:12 . 2009-06-05 14:12 348496 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll

2009-06-05 14:12 . 2009-06-05 14:12 294240 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll

2009-06-05 14:12 . 2009-06-05 14:12 83808 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll

2009-06-05 14:11 . 2009-06-05 14:11 1630048 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll

2009-06-05 14:11 . 2009-06-05 14:11 212848 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll

2009-06-05 14:11 . 2009-06-05 14:11 40288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll

2009-06-05 14:11 . 2009-06-05 14:11 640360 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll

2009-06-05 14:11 . 2009-06-05 14:11 540536 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe

2009-06-05 14:11 . 2009-06-05 14:11 559464 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe

2009-06-05 14:11 . 2009-06-05 14:11 2352456 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe

2009-06-05 14:11 . 2009-06-05 14:11 0 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe

2009-06-05 14:11 . 2009-06-05 14:11 518488 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe

2009-06-05 14:10 . 2009-06-05 14:10 1005904 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe

.

((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-10 17:39 . 2009-06-10 17:39 401720 ----a-w- \HiJackThis.exe

2009-06-10 16:54 . 2009-05-11 15:17 790528 ----a-w- c:\programdata\aim rect help creative\Dvd Program.exe

2009-06-10 16:40 . 2007-05-22 18:15 1789476864 --sha-w- \pagefile.sys

2009-06-03 16:16 . 2008-08-19 01:04 -------- d-----w- c:\users\Priscila\AppData\Roaming\LimeWire

2009-05-24 15:05 . 2007-05-22 23:10 635670 ----a-w- c:\windows\system32\prfh0416.dat

2009-05-24 15:05 . 2007-05-22 23:10 122138 ----a-w- c:\windows\system32\prfc0416.dat

2009-05-23 21:24 . 2009-01-14 19:34 -------- d-----w- c:\programdata\size hope wait

2009-05-20 15:53 . 2008-05-06 01:40 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-05-20 15:53 . 2008-05-06 01:40 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-05-20 15:53 . 2008-05-06 01:40 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-05-20 15:53 . 2009-01-28 01:00 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-05-14 02:43 . 2008-08-02 04:45 -------- d-----w- c:\programdata\Microsoft Help

2009-05-14 02:41 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail

2009-05-11 15:21 . 2007-08-21 17:06 -------- d-----w- c:\program files\Messenger Plus! Live

2009-05-11 15:17 . 2009-01-14 19:34 -------- d-----w- c:\programdata\aim rect help creative

2009-05-11 15:17 . 2009-05-11 15:17 790528 ----a-w- c:\programdata\size hope wait\eqqpvibl.exe

2009-05-11 15:16 . 2009-01-14 19:34 507904 ----a-w- c:\programdata\size hope wait\bolt inter team.exe

2009-04-25 21:46 . 2008-05-06 01:39 -------- d-----w- c:\programdata\avg8

2009-04-24 14:10 . 2009-04-24 14:13 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys

2009-04-24 14:10 . 2009-04-24 14:10 64160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys

2009-04-23 22:59 . 2007-08-17 21:53 126456 ----a-w- c:\users\Priscila\AppData\Local\GDIPFONTCACHEV1.DAT

2009-04-23 21:20 . 2009-04-23 21:20 -------- d-----w- c:\users\Priscila\AppData\Roaming\Lingoes

2009-04-23 20:51 . 2009-04-23 20:51 -------- d-----w- c:\program files\Babylon

2009-04-17 15:28 . 2009-04-17 15:28 8708 ----a-w- c:\programdata\Lavasoft\Ad-Aware\ThreatWork\Submit\vidccleaner.exe

2009-04-17 15:28 . 2009-04-17 15:28 123396 ----a-w- c:\programdata\Lavasoft\Ad-Aware\ThreatWork\Submit\pncrt.dll

2009-04-17 15:28 . 2009-04-17 15:28 739844 ----a-w- c:\programdata\Lavasoft\Ad-Aware\ThreatWork\Submit\DivX.dll

2009-04-17 15:28 . 2009-04-17 15:28 39428 ----a-w- c:\programdata\Lavasoft\Ad-Aware\ThreatWork\Submit\WNASPINT.DLL

2009-04-17 14:08 . 2009-04-17 14:04 -------- d-----w- c:\programdata\Lavasoft

2009-04-17 14:07 . 2009-04-17 15:28 15688 ----a-w- c:\windows\system32\lsdelete.exe

2009-04-17 14:07 . 2009-04-17 14:07 69664 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\lbd.sys

2009-04-17 14:07 . 2009-04-17 14:07 274792 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\64\AAWDriverTool.exe

2009-04-17 14:07 . 2009-04-17 14:07 73064 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\AAWDriverTool.exe

2009-04-17 14:04 . 2009-04-17 14:04 -------- dc-h--w- c:\programdata\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-04-17 14:04 . 2009-04-17 14:04 -------- d-----w- c:\program files\Lavasoft

2009-04-14 14:04 . 2009-04-14 14:04 -------- d-----w- c:\program files\MoreRelevantAdvertisingProgram

2009-04-14 02:27 . 2009-04-14 02:27 -------- d-----w- c:\program files\Free Offers from RI Soft Systems

2009-04-14 02:24 . 2009-04-14 02:24 -------- d-----w- c:\program files\Screen-Savers.com

2009-03-30 03:18 . 2009-03-03 21:29 1024 ----a-w- c:\programdata\BVRP Software\Motorola Phone Tools\faxres.cmd

2009-03-17 03:38 . 2009-04-15 23:08 13824 ----a-w- c:\windows\system32\apilogen.dll

2009-03-17 03:38 . 2009-04-15 23:08 24064 ----a-w- c:\windows\system32\amxread.dll

2007-10-29 18:08 . 2007-09-11 22:52 848 --sha-w- c:\windows\System32\KGyGaAvL.sys

.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))

.

*Nota* entradas vazias e legítimas por defeito não são mostradas.

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\NBHShellExt]

@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"

[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]

2008-02-28 17:04 97064 ----a-w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Surf open"="c:\programdata\baitjumpjump.ii2yy" [X]

"Help Creative Meow City"="c:\programdata\Platform build memo.aq9tr9" [X]

"I&F Viewer toolbar"="c:\program files\Photo Toolkit\ivbar\phototoolkitmem.exe" [2006-10-28 65536]

"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"hpsysdrv"="c:\hp\support\hpsysdrv.exe" [2006-09-28 65536]

"OsdMaestro"="c:\program files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe" [2006-11-20 155648]

"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-07-11 90112]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-11-22 630784]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]

"hpqSRMon"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]

"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-05-20 1947928]

"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 2221352]

"SecurDisc"="c:\program files\Nero\Nero8\InCD\NBHGui.exe" [2008-02-28 2049320]

"InCD"="c:\program files\Nero\Nero8\InCD\InCD.exe" [2008-02-28 1083176]

"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-04-24 516440]

"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2008-01-15 4874240]

c:\users\Priscila\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

hideflag.exe [2007-8-16 28784]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoDFSTab"= 1 (0x1)

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]

"NoDFSTab"= 1 (0x1)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]

"{23BA633A-D8B4-48A0-B2F6-A1294CA54020}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections

"{7127FF1F-82F2-4DB3-B694-4C42D8E1E4C8}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections

"{31EF801C-566D-404C-9EF7-A1E82A9CE554}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections

"{D77A1329-C4C4-42C4-BE54-852ED017AB16}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections

"{70B7EF5E-EFB7-417E-B1D3-9938D47AC5C8}"= c:\program files\HP Connections\6811507\Program\HP Connections:HP Connections

"{88496B7F-5A72-496B-BCB8-F76F0CB6FDB2}"= UDP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections

"{554A03B6-A608-4EB2-9D67-9170E16EB876}"= TCP:c:\program files\HP Connections\6811507\Program\HP Connections.exe:HP Connections

"TCP Query User{3E996E43-EC14-40F5-9871-3EC50123FA36}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows

"UDP Query User{AE416A84-4B64-4A85-A032-D7E9BAC0DF75}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows

"{E7938213-505B-41E9-A282-9D0DB9F06F13}"= UDP:23706:BitComet 23706 TCP

"{E8F8F355-1D75-48E4-85C2-374096A59BFC}"= TCP:23706:BitComet 23706 UDP

"TCP Query User{B24619A2-0AE5-423C-A95C-A2C39F48D756}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

"UDP Query User{F4B213D9-BD88-4C17-89E3-16ABB2F4DAC9}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

"TCP Query User{42D82334-6F9A-4A8F-9384-79658E2BE21B}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

"UDP Query User{3F220954-FCE6-4323-AA94-A8876ACDC6AF}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client

"TCP Query User{8A753EB7-BEA9-44C5-B7C0-2F5915829E7A}c:\\program files\\ares\\ares.exe"= UDP:c:\program files\ares\ares.exe:Ares p2p for windows

"UDP Query User{6B6BCC5D-0BEA-4B1D-B514-751EAF7B0F94}c:\\program files\\ares\\ares.exe"= TCP:c:\program files\ares\ares.exe:Ares p2p for windows

"{33A284C7-D58E-47F7-AA8F-72A5E4C75F7D}"= UDP:c:\program files\Winamp Remote\bin\Orb.exe:Orb

"{0D1E9578-951E-47A7-A0CF-6C917B1FB2B2}"= TCP:c:\program files\Winamp Remote\bin\Orb.exe:Orb

"{E0CD05D7-75AD-4204-BE7E-9DCD92A9366A}"= UDP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray

"{991BE959-96BF-4EBD-BE38-AF8CA78C9016}"= TCP:c:\program files\Winamp Remote\bin\OrbTray.exe:OrbTray

"{5C9E164B-74F4-4213-AA54-F1C437E9AB28}"= UDP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client

"{59E2D654-1A35-4772-B2CA-D1FDFD879474}"= TCP:c:\program files\Winamp Remote\bin\OrbStreamerClient.exe:Orb Stream Client

"{CDE757D5-ADB1-4B61-894C-FF723030C0C1}"= c:\program files\AVG\AVG8\avgupd.exe:avgupd.exe

"{CA32959A-0C2F-42B8-A01F-9509A389EAB2}"= c:\program files\AVG\AVG8\avgemc.exe:avgemc.exe

"TCP Query User{D2C12B88-FA50-4C08-A2E9-A152F3FA6DC0}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home

"UDP Query User{4E29025D-6B78-473D-98F8-C99C780A72BF}c:\\program files\\nero\\nero8\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero8\nero home\nerohome.exe:Nero Home

"TCP Query User{CD89D783-516B-4BD8-AA78-109248BF4E77}c:\\program files\\common files\\nero\\nero web\\setupx.exe"= UDP:c:\program files\common files\nero\nero web\setupx.exe:Nero Installer

"UDP Query User{40962D9E-8309-4C4F-9396-6E0892CA0230}c:\\program files\\common files\\nero\\nero web\\setupx.exe"= TCP:c:\program files\common files\nero\nero web\setupx.exe:Nero Installer

"TCP Query User{21931EE3-4847-47F1-A81F-082839E45A3B}c:\\program files\\joost\\xulrunner\\tvprunner.exe"= UDP:c:\program files\joost\xulrunner\tvprunner.exe:tvprunner

"UDP Query User{F70994C8-8DD3-457D-AF70-77288F076C94}c:\\program files\\joost\\xulrunner\\tvprunner.exe"= TCP:c:\program files\joost\xulrunner\tvprunner.exe:tvprunner

"TCP Query User{F2B823EA-02AA-476A-9F06-89CF90B077D9}c:\\program files\\tvuplayer\\tvuplayer.exe"= UDP:c:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"UDP Query User{DECA2000-8D49-4A8F-AED1-32071E5C0223}c:\\program files\\tvuplayer\\tvuplayer.exe"= TCP:c:\program files\tvuplayer\tvuplayer.exe:TVUPlayer Component

"TCP Query User{90BA887B-EEEE-411D-B5F4-283AAD0EA7DE}c:\\users\\priscila\\documents\\meus arquivos recebidos\\gustoppi.exe"= UDP:c:\users\priscila\documents\meus arquivos recebidos\gustoppi.exe:gustoppi.exe

"UDP Query User{85C2B189-9870-4C79-B502-88E39294DADA}c:\\users\\priscila\\documents\\meus arquivos recebidos\\gustoppi.exe"= TCP:c:\users\priscila\documents\meus arquivos recebidos\gustoppi.exe:gustoppi.exe

"{F0BBAC42-6FCB-4D9A-B209-227D93CE29B6}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook

"{FEADDECB-D899-46CC-8AB7-F007BB3DA97E}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{66AF4FFF-5628-4340-9DD1-FDB84A62BB8F}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove

"{C51FD4DF-4D26-41D1-AA7E-12B84A8034F1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{CA6C1102-378D-4183-B1D7-07078EF7D15C}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote

"{0F53FAFA-79E2-4CF2-A98C-1559808765EE}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire

"{133CA5BD-A432-43DF-9E80-55CFC8CE41D7}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

"TCP Query User{7539D041-B988-43AB-80CB-18A2BB4C76DD}c:\\program files\\motorola\\rsd lite\\sdl.exe"= UDP:c:\program files\motorola\rsd lite\sdl.exe:SDL

"UDP Query User{09C3DAFB-7037-4BDD-919F-9C3651413542}c:\\program files\\motorola\\rsd lite\\sdl.exe"= TCP:c:\program files\motorola\rsd lite\sdl.exe:SDL

"TCP Query User{8B646CAE-9D7C-4E68-B7F4-335D46DE5074}c:\\program files\\motorola\\pst\\pst.exe"= UDP:c:\program files\motorola\pst\pst.exe:PST

"UDP Query User{8582CDB8-E098-4185-8B0D-457B7F551DA0}c:\\program files\\motorola\\pst\\pst.exe"= TCP:c:\program files\motorola\pst\pst.exe:PST

"{AEBE9163-D258-401F-B844-F43559BFE1E4}"= UDP:c:\program files\Megacubo\megacubo.exe:MegaCubo

"{9638384D-113A-4320-B457-FB804249D19F}"= TCP:c:\program files\Megacubo\megacubo.exe:MegaCubo

"TCP Query User{C0FEA8BF-7FAF-4365-9195-DEFB97512A15}c:\\program files\\pc satellite tv\\pc satellite tv.exe"= UDP:c:\program files\pc satellite tv\pc satellite tv.exe:PC Satellite TV

"UDP Query User{50235470-CE77-43E8-B28D-D64F8B4D17C9}c:\\program files\\pc satellite tv\\pc satellite tv.exe"= TCP:c:\program files\pc satellite tv\pc satellite tv.exe:PC Satellite TV

"TCP Query User{4F018C88-3135-453B-A89B-08FF4B4B5444}c:\\program files\\tv\\tv22.exe"= UDP:c:\program files\tv\tv22.exe:TV

"UDP Query User{4ABA15E4-8FA2-4D4A-9DD3-E6FB83E11DBD}c:\\program files\\tv\\tv22.exe"= TCP:c:\program files\tv\tv22.exe:TV

"TCP Query User{450DB52B-FBA7-483B-92A9-01486227E803}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule

"UDP Query User{AF7F434B-04DF-4FE5-9179-17E5DB910EAA}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule

"TCP Query User{295F2FF4-27F1-4CB9-AE9B-D692CE012C6B}c:\\program files\\ea games\\need for speed most wanted\\speed.exe"= UDP:c:\program files\ea games\need for speed most wanted\speed.exe:speed

"UDP Query User{09E0F434-26AA-4B55-8050-846FE171C698}c:\\program files\\ea games\\need for speed most wanted\\speed.exe"= TCP:c:\program files\ea games\need for speed most wanted\speed.exe:speed

"{8E05056D-3587-4529-9DF2-B62EA7C0ACC1}"= UDP:c:\program files\LimeWire\LimeWire.exe:LimeWire

"{6CF35D94-C212-40B8-96AB-3A968699A614}"= TCP:c:\program files\LimeWire\LimeWire.exe:LimeWire

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [24/04/2009 11:13 64160]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\drivers\avgldx86.sys [05/05/2008 22:40 325896]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\drivers\avgtdix.sys [27/01/2009 22:00 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [05/05/2008 22:39 908568]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [05/05/2008 22:39 298776]

R2 NeroRegInCDSrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [28/02/2008 14:04 53032]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [02/11/2006 07:25 167936]

S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 18:34 953168]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [27/02/2007 14:31 17792]

S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [23/01/2007 19:03 7680]

S3 MotDev;Motorola Inc. USB Device;c:\windows\System32\drivers\motodrv.sys [14/12/2006 10:27 40832]

--- =Outros Serviços/Drivers Na Memória ---

*NewlyCreated* - AVG8WD

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc

.

Conteúdo da pasta 'Tarefas Agendadas'

2009-06-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-18 14:10]

.

- - - - ORFÃOS REMOVIDOS - - - -

HKCU-Run-RocketDock - c:\program files\RocketDock\RocketDock.exe

HKCU-Run-P2kAutostart - (no file)

HKLM-Run-WinampAgent - c:\program files\Winamp\winampa.exe

.

------- Scan Suplementar -------

.

uStart Page = hxxp://www.orkut.com/

IE: Abrir com Wordperfect - c:\program files\WordPerfect Office X3\Programs\WPLauncher.hta

IE: Add to AMV Converter... - c:\program files\MP3 Player Utilities 4.15\AMVConverter\grab.html

IE: Baixar link usando &BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm

IE: Baixar todos os links usando BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm

IE: Baixar todos os vídeos usando BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm

IE: E&xportar para o Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000

IE: MediaManager tool grab multimedia file - c:\program files\MP3 Player Utilities 4.15\MediaManager\grab.html

TCP: {84AA9719-AB58-4D60-B5E7-89A7476E66AA} = 200.204.0.10 200.204.0.138

FF - ProfilePath - c:\users\Priscila\AppData\Roaming\Mozilla\Firefox\Profiles\btb8o13i.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.globo.com/

FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-10 15:45

Windows 6.0.6001 Service Pack 1 NTFS

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

P2kAutostart = ???

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso

arquivos/ficheiros ocultos: 0

**************************************************************************

.

--------------------- CHAVES DO REGISTRO BLOQUEADAS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

"MSCurrentCountry"=dword:000000b5

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]

@Denied: (A) (Users)

@Denied: (A) (Everyone)

@Allowed: (B 1 2 3 4 5) (S-1-5-20)

"BlindDial"=dword:00000000

.

Tempo para conclusão: 2009-06-10 15:49

ComboFix-quarantined-files.txt 2009-06-10 18:49

Pré-execução: 49.338.044.416 bytes disponíveis

Pós execução: 49.410.691.072 bytes disponíveis

266 --- E O F --- 2009-06-08 18:06

pristorolli · Junho 10, 2009

e aqui o log do Hijackthis.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 15:52:50, on 10/06/2009

Platform: Windows Vista SP1 (WinNT 6.00.1905)

MSIE: Internet Explorer v7.00 (7.00.6001.18226)

Boot mode: Normal

Running processes:

C:\Windows\system32\taskeng.exe

C:\Windows\system32\Dwm.exe

C:\hp\support\hpsysdrv.exe

C:\Program Files\Hewlett-Packard\On-Screen OSD Indicator\OSD.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Windows\RtHDVCpl.exe

C:\Program Files\HP\HP Software Update\hpwuSchd2.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HpqSRmon.exe

C:\Program Files\Nero\Nero8\InCD\NBHGui.exe

C:\Program Files\Nero\Nero8\InCD\InCD.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Photo Toolkit\IvBar\phototoolkitmem.exe

c:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE

C:\Windows\system32\DllHost.exe

C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe

C:\Windows\system32\NOTEPAD.EXE

C:\Windows\system32\conime.exe

C:\Windows\system32\notepad.exe

C:\Windows\Explorer.exe