
Archived

This topic has been archived and is closed to new replies.

EDSSX

[Resolved!] PC makes a noise like a ratchet


Good afternoon, EDSSX!

<@> Go to Start --> Run --> Type or paste: combofix.exe /u --> Click OK.

<@> The following window will open: ( Open File - Security Warning )

<@> Click Run --> Wait!

<@> Finally, the message will appear: "ComboFix is uninstalled" --> Click OK.

<@> If you find them, delete: D:\ComboFix <-- The folder! + D:\ComboFix.txt <-- The report!

<><><><><><><><><><>

<!> Open OTMoveIt3 --> Click on < 8gehxg0.gif > Wait! --> Yes.

<><><><><><><><><><>

<@> Download: < OTListIt2 > ( ...by OldTimer Tools )

<@> PS: Extract it from the zip!

<@> Save it to the desktop!

<@> Double-click OTListIt2.exe --> Check the "Scan All Users" option.

<@> Click: < runscanbutton.png > --> Wait!

<@> Two logs will be generated in Notepad:

<@> Post:

<1> OTListIt.txt <--

<2> Extra.txt <-- It will be minimized!

Regards!


Good morning!

Here is the OTListIt.txt log:

 

OTListIt logfile created on: 08/08/2009 11:14:35 - Run 1

OTListIt2 by OldTimer - Version 2.0.3.5 Folder = D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para OTListIt2.zip

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: dd/MM/yyyy

 

511,48 Mb Total Physical Memory | 155,99 Mb Available Physical Memory | 30,50% Memory free

1,22 Gb Paging File | 0,86 Gb Available in Paging File | 70,60% Paging File free

Paging file location(s): D:\pagefile.sys 768 1536;

 

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Arquivos de programas

Drive C: | 17,28 Gb Total Space | 7,49 Gb Free Space | 43,37% Space Free | Partition Type: FAT32

Drive D: | 59,00 Gb Total Space | 40,65 Gb Free Space | 68,90% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: EDIM

Current User Name: edsom luis

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: All users

Output = Standard

File Age = 30 Days

Company Name Whitelist: On

 

========== Processes (SafeList) ==========

 

PRC - [2009/03/27 11:29:08 | 00,052,808 | ---- | M] ( ) -- D:\Arquivos de programas\GbPlugin\GbpSv.exe

PRC - [2008/04/14 00:20:58 | 01,542,656 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Explorer.EXE

PRC - [2009/06/09 11:11:04 | 00,108,289 | ---- | M] (Avira GmbH) -- D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

PRC - [2009/08/07 09:49:48 | 00,185,089 | ---- | M] (Avira GmbH) -- D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

PRC - [2008/02/26 12:31:16 | 00,628,584 | ---- | M] () -- D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

PRC - [2008/12/04 10:33:34 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- D:\Arquivos de programas\Java\jre6\bin\jqs.exe

PRC - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

PRC - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

PRC - [2009/07/30 14:45:34 | 00,030,192 | ---- | M] (Google) -- D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

PRC - [2009/03/02 12:08:48 | 00,209,153 | ---- | M] (Avira GmbH) -- D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

PRC - [2007/10/18 11:34:46 | 05,724,184 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

PRC - [2008/12/09 08:08:40 | 00,495,616 | ---- | M] (Gadwin Systems, Inc) -- D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe

PRC - [2009/08/04 20:55:12 | 00,908,280 | ---- | M] (Mozilla Corporation) -- D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe

PRC - [2009/03/14 07:22:06 | 00,497,664 | R--- | M] (OldTimer Tools) -- D:\Documents and Settings\edsom luis\Configurações locais\temp\Diretório temporário 1 para OTListIt2.zip\OTListIt2.exe

 

========== Win32 Services (SafeList) ==========

 

SRV - [2009/06/09 11:11:04 | 00,108,289 | ---- | M] (Avira GmbH) -- D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService [Auto | Running])

SRV - [2009/08/07 09:49:48 | 00,185,089 | ---- | M] (Avira GmbH) -- D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService [Auto | Running])

SRV - [2007/10/24 01:47:22 | 00,033,800 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])

SRV - [2007/10/24 01:47:40 | 00,070,144 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32 [On_Demand | Stopped])

SRV - [2007/10/09 12:58:12 | 00,036,864 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0 [On_Demand | Stopped])

SRV - [2009/03/27 11:29:08 | 00,052,808 | ---- | M] ( ) -- D:\Arquivos de programas\GbPlugin\GbpSv.exe -- (GbpSv [unknown | Running])

SRV - [2009/07/30 14:45:34 | 00,030,192 | ---- | M] (Google) -- D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe -- (GoogleDesktopManager-060409-093314 [On_Demand | Stopped])

SRV - [2009/04/13 19:59:56 | 00,137,200 | ---- | M] (Google) -- D:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc [On_Demand | Stopped])

SRV - [2008/04/14 00:20:38 | 00,038,400 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\PCHealth\HelpCtr\Binaries\pchsvc.dll -- (helpsvc [Auto | Running])

SRV - [2005/04/04 00:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])

SRV - [2007/10/11 09:55:10 | 00,864,256 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc [unknown | Stopped])

SRV - [2008/02/26 12:31:16 | 00,628,584 | ---- | M] () -- D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe -- (ioloFileInfoList [Auto | Running])

SRV - [2008/02/26 12:31:16 | 00,628,584 | ---- | M] () -- D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe -- (ioloProductUpdate [Auto | Running])

SRV - [2008/02/26 12:31:16 | 00,628,584 | ---- | M] () -- D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe -- (ioloSystemService [Auto | Running])

SRV - [2008/12/04 10:33:34 | 00,152,984 | ---- | M] (Sun Microsystems, Inc.) -- D:\Arquivos de programas\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService [Auto | Running])

SRV - [2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE -- (MDM [Auto | Running])

SRV - [2007/10/11 09:55:14 | 00,122,880 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing [Disabled | Stopped])

SRV - [2003/07/28 20:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose [On_Demand | Stopped])

SRV - [2009/05/19 11:36:18 | 00,240,512 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort [Auto | Running])

SRV - [2007/10/18 11:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Windows Live\Messenger\usnsvc.exe -- (usnjsvc [On_Demand | Stopped])

SRV - [2007/10/25 15:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc [On_Demand | Stopped])

SRV - [2004/08/04 04:45:30 | 00,006,656 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wuauserv.dll -- (wuauserv [Auto | Running])

 

========== Driver Services (SafeList) ==========

 

DRV - [2005/03/15 12:00:00 | 00,277,504 | ---- | M] (Philips Semiconductors) -- D:\WINDOWS\system32\DRIVERS\SAA713x.sys -- (713xTVCard [Auto | Running])

DRV - [2004/08/04 00:36:02 | 00,701,440 | ---- | M] (ATI Technologies Inc.) -- D:\WINDOWS\system32\DRIVERS\ati2mtag.sys -- (ati2mtag [On_Demand | Running])

DRV - [2009/02/13 11:35:06 | 00,011,608 | ---- | M] (Avira GmbH) -- D:\Arquivos de programas\Avira\AntiVir Desktop\avgio.sys -- (avgio [system | Running])

DRV - [2009/08/07 09:49:48 | 00,055,656 | ---- | M] (Avira GmbH) -- D:\WINDOWS\system32\DRIVERS\avgntflt.sys -- (avgntflt [Auto | Running])

DRV - [2009/04/29 17:37:30 | 00,096,104 | ---- | M] (Avira GmbH) -- D:\WINDOWS\system32\DRIVERS\avipbb.sys -- (avipbb [system | Running])

DRV - [2005/12/15 13:57:46 | 01,368,000 | ---- | M] (C-Media Inc) -- D:\WINDOWS\system32\drivers\cmuda.sys -- (cmuda [On_Demand | Running])

DRV - [2001/08/17 20:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- D:\WINDOWS\system32\DRIVERS\fetnd5.sys -- (FETNDIS [On_Demand | Running])

DRV - [2009/03/27 12:03:22 | 00,026,568 | ---- | M] (GAS Tecnologia) -- D:\WINDOWS\system32\drivers\GbpKm.sys -- (GbpKm [boot | Running])

DRV - [2008/07/08 14:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab) -- D:\WINDOWS\system32\DRIVERS\12878755.sys -- (is-AP9JMdrv [system | Running])

DRV - [2008/07/08 14:54:02 | 00,148,496 | ---- | M] (Kaspersky Lab) -- D:\WINDOWS\system32\DRIVERS\70906987.sys -- (is-C4H53drv [system | Running])

DRV - [2001/10/28 18:07:22 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- D:\WINDOWS\system32\DRIVERS\ptilink.sys -- (Ptilink [On_Demand | Running])

DRV - [2009/03/02 11:24:26 | 00,030,136 | ---- | M] (Resplendence Software Projects Sp.) -- D:\WINDOWS\system32\DRIVERS\rspSanity32.sys -- (rspSanity [On_Demand | Stopped])

DRV - [2007/11/13 07:25:56 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])

DRV - [2009/06/09 11:11:04 | 00,028,520 | ---- | M] (Avira GmbH) -- D:\WINDOWS\system32\DRIVERS\ssmdrv.sys -- (ssmdrv [system | Running])

DRV - [2009/07/23 21:18:26 | 00,050,192 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon [Auto | Stopped])

DRV - [2009/07/23 21:18:28 | 00,335,376 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\DRIVERS\TM_CFW.sys -- (tmcfw [On_Demand | Running])

DRV - [2009/07/24 22:02:44 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])

DRV - [2009/07/23 21:18:26 | 00,050,192 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr [Auto | Stopped])

DRV - [2009/07/23 21:18:26 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\DRIVERS\tmpreflt.sys -- (tmpreflt [Auto | Running])

DRV - [2009/07/23 21:18:26 | 00,080,400 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\DRIVERS\tmtdi.sys -- (tmtdi [system | Running])

DRV - [2008/04/13 11:45:14 | 00,060,032 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\drivers\usbaudio.sys -- (usbaudio [On_Demand | Stopped])

DRV - [2009/07/23 21:18:28 | 01,195,512 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\DRIVERS\vsapint.sys -- (vsapint [Auto | Running])

DRV - [2007/03/23 02:00:14 | 00,030,032 | ---- | M] () -- D:\WINDOWS\system32\DRIVERS\XPVCOM.sys -- (xpvcom [On_Demand | Running])

 

========== Standard Registry (SafeList) ==========

 

 

========== Internet Explorer ==========

 

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL =

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

 

 

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome

IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

 

 

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL =

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = www.live.com;

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page =

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://portuguese.ircfast.com/pt/index.php?rvs=hompag

IE - HKU\S-1-5-21-839522115-1409082233-725345543-1003\S-1-5-21-839522115-1409082233-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

 

FF - prefs.js..browser.search.defaultenginename: "Google"

FF - presf.js..browser.search.defaulturl: "http://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q="

FF - prefs.js..browser.search.selectedEngine: "Google"

FF - prefs.js..browser.startup.homepage: "http://portuguese.ircfast.com/pt/index.php?rvs=hompag"

FF - prefs.js..extensions.enabledItems: {3112ca9c-de6d-4884-a869-9855de68056c}:3.1.20081127W

FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0

FF - prefs.js..extensions.enabledItems: {991A772A-BA13-4c1d-A9EF-F897F31DEC7D}:3.1

FF - prefs.js..extensions.enabledItems: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.1

FF - HKLM\software\mozilla\Firefox\extensions\\jqs@sun.com -> %ProgramFiles%\JAVA\JRE6\LIB\DEPLOY\JQS\FF [D:\ARQUIVOS DE PROGRAMAS\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2008/12/04 10:33:42 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX\COMPONENTS [D:\ARQUIVOS DE PROGRAMAS\MOZILLA FIREFOX\COMPONENTS] -> [2008/06/06 16:33:42 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.0.11\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX\PLUGINS [D:\ARQUIVOS DE PROGRAMAS\MOZILLA FIREFOX\PLUGINS] -> [2008/06/06 16:33:42 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Components -> %ProgramFiles%\MOZILLA FIREFOX 3.5 PREVIEW\COMPONENTS [D:\ARQUIVOS DE PROGRAMAS\MOZILLA FIREFOX 3.5 PREVIEW\COMPONENTS] -> [2009/06/17 16:05:06 00,000,000 | ---D | M]

FF - HKLM\software\mozilla\Mozilla Firefox 3.5\extensions\\Plugins -> %ProgramFiles%\MOZILLA FIREFOX 3.5 PREVIEW\PLUGINS [D:\ARQUIVOS DE PROGRAMAS\MOZILLA FIREFOX 3.5 PREVIEW\PLUGINS] -> [2009/06/17 16:05:06 00,000,000 | ---D | M]

FF - D:\Documents and Settings\edsom luis\Dados de aplicativos\mozilla\Extensions [2009/07/23 22:53:34 00,000,000 | ---D | M]

FF - D:\Documents and Settings\edsom luis\Dados de aplicativos\mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384} [2009/07/23 22:53:34 00,000,000 | ---D | M]

FF - D:\Documents and Settings\edsom luis\Dados de aplicativos\mozilla\Firefox\Profiles\r46u2xkd.default\extensions [2008/06/06 16:46:10 00,000,000 | ---D | M]

FF - D:\Documents and Settings\edsom luis\Dados de aplicativos\mozilla\Firefox\Profiles\r46u2xkd.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2009/01/06 21:31:22 00,000,000 | ---D | M]

FF - D:\Documents and Settings\edsom luis\Dados de aplicativos\mozilla\Firefox\Profiles\r46u2xkd.default\extensions\{991A772A-BA13-4c1d-A9EF-F897F31DEC7D} [2008/10/05 14:03:38 00,000,000 | ---D | M]

FF - D:\Arquivos de programas\mozilla firefox\extensions [2008/06/06 16:33:42 00,000,000 | ---D | M]

FF - D:\Arquivos de programas\mozilla firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c} [2008/06/06 16:33:42 00,000,000 | ---D | M]

FF - D:\Arquivos de programas\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd} [2008/06/06 16:33:42 00,000,000 | ---D | M]

FF - D:\Arquivos de programas\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [2008/12/04 10:34:02 00,000,000 | ---D | M]

FF - D:\Arquivos de programas\mozilla firefox\extensions\google-ggic@partners.mozilla.com [2008/06/06 16:33:42 00,000,000 | ---D | M]

 

O1 HOSTS File: (698 bytes) - D:\WINDOWS\System32\drivers\etc\Hosts

O1 - Hosts: 127.0.0.1 localhost

O2 - BHO: (Adobe PDF Link Helper) - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)

O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)

O2 - BHO: (GbIehObj Class) - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll (Caixa Economica Federal)

O4 - HKLM..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe" (Adobe Systems Incorporated)

O4 - HKLM..\Run: [avgnt] "D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min (Avira GmbH)

O4 - HKLM..\Run: [Google Desktop Search] "D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup (Google)

O4 - HKU\S-1-5-21-839522115-1409082233-725345543-1003..\Run: [Gadwin PrintScreen] D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash (Gadwin Systems, Inc)

O4 - HKU\S-1-5-21-839522115-1409082233-725345543-1003..\Run: [msnmsgr] "D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background (Microsoft Corporation)

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoResolveSearch = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 2

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0

O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145

O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: LinkResolveIgnoreLinkInfo = 0

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoBandCustomize = 0

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRealMode = 0

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0

O7 - HKU\S-1-5-21-839522115-1409082233-725345543-1003_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O9 - Extra 'Tools' menuitem : @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe (Microsoft Corporation)

O15 - HKLM\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\.DEFAULT\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-18\..Trusted Domains: 49 domain(s) and sub-domain(s) not assigned to a zone.

O15 - HKU\S-1-5-21-839522115-1409082233-725345543-1003\..Trusted Domains: 48 domain(s) and sub-domain(s) not assigned to a zone.

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (Reg Error: Key error.)

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39830.6705092593 (Reg Error: Value error.)

O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)

O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)

O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab (Java Plug-in 1.6.0_11)

O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - D:\Arquivos de programas\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)

O18 - Protocol\Handler\ipp Reg Error: Value error. - Reg Error: Key error. File not found

O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Arquivos de programas\Arquivos comuns\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - D:\Arquivos de programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp Reg Error: Value error. - Reg Error: Key error. File not found

O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - D:\Arquivos de programas\Arquivos comuns\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - D:\Arquivos de programas\Arquivos comuns\SYSTEM\OLE DB\msdaipp.dll (Microsoft Corporation)

O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)

O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - D:\Arquivos de programas\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap {3D9F03FA-7A94-11D3-BE81-0050048385D1} - D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)

O18 - Protocol\Handler\mso-offdap11 {32505114-5902-49B2-880A-1F7738E5A384} - D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)

O18 - Protocol\Filter: - text/xml - D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)

O20 - HKLM Winlogon: Shell - (Explorer.exe) - D:\WINDOWS\Explorer.exe (Microsoft Corporation)

O20 - Winlogon\Notify\ GbPluginCef: DllName - D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll - D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll (Caixa Economica Federal)

O24 - Desktop Components:0 (Minha página inicial atual) - About:Home

O28 - HKLM ShellExecuteHooks: {E37CB5F0-51F5-4395-A808-5FA49E399003} - D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll (Caixa Economica Federal)

O31 - SafeBoot: AlternateShell - cmd.exe

O32 - HKLM CDRom: AutoRun - 1

O32 - AutoRun File - [2009/07/21 23:46:40 00,000,000 | RHSD | M] - C:\autorun.inf -- [ FAT32 ]

O32 - AutoRun File - [2009/01/16 19:35:02 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ FAT32 ]

O32 - AutoRun File - [2009/07/21 23:46:40 00,000,000 | RHSD | M] - D:\autorun.inf -- [ FAT32 ]

 

========== Files/Folders - Created Within 30 Days ==========

 

[3 D:\Documents and Settings\edsom luis\Meus documentos\*.tmp files]

[2009/08/07 11:17:01 | 00,000,162 | -H-- | C] () -- D:\Documents and Settings\edsom luis\Meus documentos\~$RPF 2010 1 ANO R CH ESP.doc

[2009/08/04 21:54:53 | 00,000,162 | -H-- | C] () -- D:\Documents and Settings\edsom luis\Meus documentos\~$RRICULO INFORMATICA.doc

[2009/08/04 21:40:21 | 00,000,000 | -HSD | C] -- D:\Recycled

[2009/08/04 10:26:44 | 00,000,162 | -H-- | C] () -- D:\Documents and Settings\edsom luis\Meus documentos\~$DE MAIO LIB NET.doc

[2009/08/04 00:17:09 | 00,000,000 | -HSD | C] -- D:\Config.Msi

[2009/08/03 21:30:02 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Dados de aplicativos\SUPERAntiSpyware.com

[2009/08/03 21:29:52 | 00,000,000 | ---D | C] -- D:\Documents and Settings\edsom luis\Dados de aplicativos\SUPERAntiSpyware.com

[2009/08/03 15:18:06 | 00,000,000 | ---D | C] -- D:\Documents and Settings\edsom luis\Meus documentos\a-squared Free

[2009/08/02 18:24:13 | 53,639,9872 | -HS- | C] () -- D:\hiberfil.sys

[2009/08/01 19:20:57 | 00,000,000 | ---D | C] -- D:\Documents and Settings\edsom luis\Dados de aplicativos\Yahoo!

[2009/08/01 16:00:35 | 00,000,000 | ---D | C] -- D:\ToolBar SD

[2009/07/31 15:51:47 | 00,000,000 | -H-D | C] -- D:\WINDOWS\PIF

[2009/07/31 00:12:32 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Documentos\Common

[2009/07/30 23:47:18 | 00,000,000 | ---D | C] -- D:\Documents and Settings\edsom luis\Dados de aplicativos\iolo

[2009/07/30 21:29:02 | 00,000,000 | ---D | C] -- D:\Documents and Settings\edsom luis\Dados de aplicativos\Download Manager

[2009/07/30 15:36:58 | 00,000,000 | ---D | C] -- D:\Documents and Settings\edsom luis\Dados de aplicativos\WinRAR

[2009/07/30 14:07:11 | 00,000,000 | ---D | C] -- D:\WINDOWS\System32\CatRoot2

[2009/07/30 14:06:43 | 00,000,000 | -H-D | C] -- D:\Arquivos de programas\WindowsUpdate

[2009/07/30 14:05:37 | 00,000,000 | ---D | C] -- D:\WINDOWS\SoftwareDistribution

[2009/07/29 15:12:11 | 00,021,504 | ---- | C] () -- D:\Documents and Settings\edsom luis\Meus documentos\ESTUDO RASTREAMENTO.doc

[2009/07/28 13:43:02 | 00,000,000 | -HSD | C] -- D:\WINDOWS\CSC

[2009/07/27 14:28:42 | 00,148,496 | ---- | C] (Kaspersky Lab) -- D:\WINDOWS\System32\drivers\12878755.sys

[2009/07/24 13:11:24 | 00,000,000 | ---D | C] -- D:\WINDOWS\Sun

[2009/07/23 21:31:00 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Documentos\iaudata

[2009/07/23 21:21:58 | 00,050,192 | ---- | C] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmevtmgr.sys

[2009/07/23 21:21:58 | 00,050,192 | ---- | C] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmactmon.sys

[2009/07/23 21:21:58 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Documentos\OEM

[2009/07/23 21:21:24 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Documentos\plugins

[2009/07/23 21:21:24 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Documentos\iaulogs

[2009/07/23 21:20:57 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Dados de aplicativos\Trend Micro

[2009/07/23 21:20:09 | 00,000,000 | ---D | C] -- D:\Documents and Settings\All Users\Documentos\Component

[2009/07/23 21:18:30 | 00,661,808 | ---- | C] (trend_company_name) -- D:\WINDOWS\System32\UfWSC.cpl

[2009/07/23 21:18:28 | 01,195,512 | ---- | C] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\vsapint.sys

[2009/07/23 21:18:28 | 00,335,376 | ---- | C] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\TM_CFW.sys

[2009/07/23 21:18:28 | 00,205,328 | ---- | C] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmxpflt.sys

[2009/07/23 21:18:26 | 00,080,400 | ---- | C] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmtdi.sys

[2009/07/23 21:18:26 | 00,036,368 | ---- | C] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmpreflt.sys

[2009/07/23 12:10:18 | 00,000,000 | ---D | C] -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\BLCorp

[2009/07/23 12:10:18 | 00,000,000 | ---D | C] -- D:\Arquivos de programas\blcorp

[2009/07/23 11:55:37 | 00,102,664 | ---- | C] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmcomm.sys

[2009/07/22 17:04:56 | 00,018,594 | ---- | C] () -- D:\Documents and Settings\edsom luis\Meus documentos\ESTUDO 3.1

[2009/07/21 23:46:39 | 00,000,000 | RHSD | C] -- D:\autorun.inf

[2009/07/21 20:37:16 | 00,579,072 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\user32.dll

[2009/07/21 20:35:55 | 00,000,000 | ---D | C] -- D:\WINDOWS\ERUNT

[2009/07/20 13:08:02 | 00,020,992 | ---- | C] () -- D:\Documents and Settings\edsom luis\Meus documentos\ESTUDOS 2.doc

[2009/07/16 08:14:23 | 00,119,808 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\t2embed.dll

[2009/07/16 08:14:23 | 00,081,920 | ---- | C] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\fontsub.dll

[2009/07/15 18:43:11 | 00,033,280 | ---- | C] () -- D:\Documents and Settings\edsom luis\Meus documentos\ESTUDOS.doc

[2009/07/13 17:19:22 | 00,000,873 | ---- | C] () -- D:\Documents and Settings\edsom luis\Desktop\ComboFix.exe.lnk

[2009/07/11 17:26:37 | 00,000,792 | ---- | C] () -- D:\WINDOWS\j459kdf9n6r0e5.PAC

[2009/07/11 15:23:51 | 00,019,968 | ---- | C] () -- D:\Documents and Settings\edsom luis\Meus documentos\TÓPICO DO CH.doc

 

========== Files - Modified Within 30 Days ==========

 

[3 D:\Documents and Settings\edsom luis\Meus documentos\*.tmp files]

[2009/08/08 11:05:52 | 00,000,464 | -H-- | M] () -- D:\WINDOWS\tasks\User_Feed_Synchronization-{85870EB0-73F3-41E1-92DD-7C153C1F486E}.job

[2009/08/08 11:02:24 | 00,000,006 | -H-- | M] () -- D:\WINDOWS\tasks\SA.DAT

[2009/08/08 11:02:16 | 00,002,048 | --S- | M] () -- D:\WINDOWS\bootstat.dat

[2009/08/08 11:02:14 | 53,639,9872 | -HS- | M] () -- D:\hiberfil.sys

[2009/08/08 11:01:22 | 00,000,032 | -HS- | M] () -- D:\WINDOWS\System32\drivers\fidbox.idx

[2009/08/08 11:01:22 | 00,000,032 | -HS- | M] () -- D:\WINDOWS\System32\drivers\fidbox.dat

[2009/08/08 11:00:56 | 04,834,522 | -H-- | M] () -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\IconCache.db

[2009/08/07 11:19:40 | 00,026,112 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\DIRPF 2010 1 ANO R CH ESP.doc

[2009/08/07 11:17:02 | 00,000,162 | -H-- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\~$RPF 2010 1 ANO R CH ESP.doc

[2009/08/07 11:15:38 | 00,023,552 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\EMPRESTIMO BRADESCO EDSON.doc

[2009/08/07 09:49:48 | 00,055,656 | ---- | M] (Avira GmbH) -- D:\WINDOWS\System32\drivers\avgntflt.sys

[2009/08/07 09:38:02 | 00,002,262 | ---- | M] () -- D:\WINDOWS\System32\wpa.dbl

[2009/08/06 09:16:18 | 00,039,424 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\Controle Pensão.doc

[2009/08/04 21:56:14 | 00,046,592 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\CURRICULO INFORMATICA.doc

[2009/08/04 21:54:54 | 00,000,162 | -H-- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\~$RRICULO INFORMATICA.doc

[2009/08/04 21:34:36 | 00,000,227 | ---- | M] () -- D:\WINDOWS\system.ini

[2009/08/04 10:26:46 | 00,000,162 | -H-- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\~$DE MAIO LIB NET.doc

[2009/08/01 19:20:50 | 00,001,524 | ---- | M] () -- D:\Documents and Settings\edsom luis\Desktop\CCleaner.lnk

[2009/07/31 23:30:28 | 00,136,192 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\SALDO FGTS EDSON 4.doc

[2009/07/31 23:26:52 | 00,136,192 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\SALDO DO FGTS EDSON 2.doc

[2009/07/31 23:24:54 | 00,136,192 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\SALDO FGTS EDSON 3.doc

[2009/07/31 16:53:06 | 00,021,504 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\ESTUDO RASTREAMENTO.doc

[2009/07/29 15:10:56 | 00,002,559 | ---- | M] () -- D:\Documents and Settings\edsom luis\Desktop\Microsoft Office Word 2003.lnk

[2009/07/26 21:51:52 | 00,000,796 | ---- | M] () -- D:\WINDOWS\win.ini

[2009/07/26 11:19:06 | 00,029,696 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\CURRICULUM VITAE.doc

[2009/07/24 22:16:44 | 00,040,448 | ---- | M] () -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

[2009/07/24 22:02:44 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmcomm.sys

[2009/07/23 21:18:30 | 00,661,808 | ---- | M] (trend_company_name) -- D:\WINDOWS\System32\UfWSC.cpl

[2009/07/23 21:18:28 | 01,195,512 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\vsapint.sys

[2009/07/23 21:18:28 | 00,335,376 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\TM_CFW.sys

[2009/07/23 21:18:28 | 00,205,328 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmxpflt.sys

[2009/07/23 21:18:26 | 00,080,400 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmtdi.sys

[2009/07/23 21:18:26 | 00,050,192 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmevtmgr.sys

[2009/07/23 21:18:26 | 00,050,192 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmactmon.sys

[2009/07/23 21:18:26 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\System32\drivers\tmpreflt.sys

[2009/07/22 22:49:54 | 00,033,280 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\ESTUDOS.doc

[2009/07/22 20:39:30 | 00,025,600 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\RESPOSTA PARA O CH.doc

[2009/07/22 17:04:58 | 00,018,594 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\ESTUDO 3.1

[2009/07/21 20:45:30 | 01,056,290 | ---- | M] () -- D:\WINDOWS\System32\PerfStringBackup.INI

[2009/07/21 20:45:30 | 00,465,986 | ---- | M] () -- D:\WINDOWS\System32\perfh016.dat

[2009/07/21 20:45:30 | 00,432,992 | ---- | M] () -- D:\WINDOWS\System32\perfh009.dat

[2009/07/21 20:45:30 | 00,076,414 | ---- | M] () -- D:\WINDOWS\System32\perfc016.dat

[2009/07/21 20:45:30 | 00,067,696 | ---- | M] () -- D:\WINDOWS\System32\perfc009.dat

[2009/07/21 20:37:18 | 00,579,072 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\user32.dll

[2009/07/20 13:08:50 | 00,020,992 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\ESTUDOS 2.doc

[2009/07/19 18:45:06 | 11,067,392 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\ieframe.dll

[2009/07/19 18:45:06 | 11,067,392 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\ieframe.dll

[2009/07/19 10:15:08 | 05,937,152 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\mshtml.dll

[2009/07/19 10:15:08 | 05,937,152 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\System32\dllcache\mshtml.dll

[2009/07/18 10:05:38 | 00,000,208 | ---- | M] () -- D:\WINDOWS\System32\drivers\GbpKmAp.lst

[2009/07/14 17:30:58 | 00,027,136 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\DECIFRAÇÃO DO CONFICKER.doc

[2009/07/13 17:19:24 | 00,000,873 | ---- | M] () -- D:\Documents and Settings\edsom luis\Desktop\ComboFix.exe.lnk

[2009/07/13 13:36:34 | 00,038,160 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbamswissarmy.sys

[2009/07/13 13:36:12 | 00,019,096 | ---- | M] (Malwarebytes Corporation) -- D:\WINDOWS\System32\drivers\mbam.sys

[2009/07/13 12:14:42 | 00,000,792 | ---- | M] () -- D:\WINDOWS\j459kdf9n6r0e5.PAC

[2009/07/13 05:48:56 | 00,219,648 | ---- | M] () -- D:\WINDOWS\PEV.exe

[2009/07/11 15:23:52 | 00,019,968 | ---- | M] () -- D:\Documents and Settings\edsom luis\Meus documentos\TÓPICO DO CH.doc

< End of report >

 

 

 

 

Here is the Extras.txt log:

 

 

OTListIt Extras logfile created on: 08/08/2009 11:14:35 - Run 1

OTListIt2 by OldTimer - Version 2.0.3.5 Folder = D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para OTListIt2.zip

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: dd/MM/yyyy

 

511,48 Mb Total Physical Memory | 155,99 Mb Available Physical Memory | 30,50% Memory free

1,22 Gb Paging File | 0,86 Gb Available in Paging File | 70,60% Paging File free

Paging file location(s): D:\pagefile.sys 768 1536;

 

%SystemDrive% = D: | %SystemRoot% = D:\WINDOWS | %ProgramFiles% = D:\Arquivos de programas

Drive C: | 17,28 Gb Total Space | 7,49 Gb Free Space | 43,37% Space Free | Partition Type: FAT32

Drive D: | 59,00 Gb Total Space | 40,65 Gb Free Space | 68,90% Space Free | Partition Type: FAT32

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

 

Computer Name: EDIM

Current User Name: edsom luis

Logged in as Administrator.

 

Current Boot Mode: Normal

Scan Mode: All users

Output = Standard

File Age = 30 Days

Company Name Whitelist: On

 

========== File Associations ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

.html [@ = htmlfile] -- D:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

.js [@ = JSFile] -- Reg Error: Key error. File not found

 

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe (Mozilla Corporation)

 

[HKEY_USERS\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Classes\<extension>]

.html [@ = FirefoxHTML] -- D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe (Mozilla Corporation)

 

========== Security Center Settings ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]

"FirstRunDisabled" = 1

"AntiVirusDisableNotify" = 0

"FirewallDisableNotify" = 0

"UpdatesDisableNotify" = 0

"AntiVirusOverride" = 0

"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

"DisableMonitoring" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

"EnableFirewall" = 1

"DoNotAllowExceptions" = 0

"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]

 

========== Authorized Applications List ==========

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[2008/04/13 16:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2007/10/18 11:34:46 | 05,724,184 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Windows Live\Messenger\MSNMSGR.EXE:*:Enabled:Windows Live Messenger

[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

 

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]

[2008/04/14 00:21:18 | 00,078,336 | ---- | M] (Microsoft Corporation) -- D:\WINDOWS\system32\rtcshare.exe:*:Disabled:Compartilhamento de aplicativo RTC

[2008/04/13 16:53:32 | 00,558,080 | ---- | M] (Microsoft Corporation) -- %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000

[2007/10/18 11:34:46 | 05,724,184 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Windows Live\Messenger\MSNMSGR.EXE:*:Enabled:Windows Live Messenger

[2007/10/02 17:18:24 | 00,304,488 | ---- | M] (Microsoft Corporation) -- D:\Arquivos de programas\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)

 

========== HKEY_LOCAL_MACHINE Uninstall List ==========

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148

"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java 6 Update 11

"{2BA00471-0328-3743-93BD-FA813353A783}" = Microsoft .NET Framework 3.0 Service Pack 1

"{2FC099BD-AC9B-33EB-809C-D332E1B27C40}" = Microsoft .NET Framework 3.5

"{3248F0A8-6813-11D6-A77B-00B0D0160050}" = Java 6 Update 5

"{350C9416-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP

"{3A417047-2E30-4D05-8977-F706D40BFF39}" = Windows Live installer

"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack

"{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update

"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3

"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable

"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053

"{81EC7A2F-EB36-44EB-A89D-C11A7D9A9EE8}" = Opera 10.00

"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight

"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)

"{8B21B9EF-6DBF-4F63-8CC7-9F6A56D1EE8E}" = GTOneCare

"{8EADB73B-026D-4978-A8F0-1EEF5E1ECEC7}" = Windows Live Messenger

"{8FD62EBB-3175-4907-A326-989B14E5C757}" = hp deskjet 3500

"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard

"{90110416-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edição 2003

"{94C65B81-1CCE-3D93-95B5-853B1A3DA539}" = Microsoft .NET Framework 3.0 Service Pack 1 Language Pack - PTB

"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting

"{95120000-0120-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector

"{95120000-0120-0416-0000-0000000FF1CE}" = Microsoft Office Outlook Connector

"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17

"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = você 9.0 Runtime

"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable

"{A8D93648-9F7F-407D-915C-62044644C3DA}" = MSI to redistribute MS VS2005 CRT libraries

"{AA6E423F-CBDF-3608-AC30-0CF08D7C9A07}" = Microsoft .NET Framework 3.5 Language Pack - ptb

"{AC76BA86-7AD7-1046-7B44-A91000000001}" = Adobe Reader 9.1.2 - Português

"{AC76BA86-7AD7-5464-3428-900000000004}" = Spelling Dictionaries Support For Adobe Reader 9

"{B508B3F1-A24A-32C0-B310-85786919EF28}" = Microsoft .NET Framework 2.0 Service Pack 1

"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)

"{E0828692-FD9D-459F-9312-C645C3CA6650}" = HP Photo and Imaging 2.0 - Deskjet Series

"{E1BBBAC5-2857-4155-82A6-54492CE88620}" = Opera 9.64

"{EDA9F30A-8B65-3E6F-B353-CCA1C9241471}" = Microsoft .NET Framework 2.0 Service Pack 1 Language Pack - PTB

"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)

"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01

"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX

"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin

"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus

"CCleaner" = CCleaner (remove only)

"C-Media Audio Driver" = C-Media WDM Audio Driver

"Free Window Registry Repair" = Free Window Registry Repair

"Gadwin PrintScreen" = Gadwin PrintScreen

"Google Desktop" = Google Desktop

"HijackThis" = HijackThis 2.0.2

"hp print screen utility" = hp print screen utility

"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs

"ie7" = Windows Internet Explorer 7

"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware

"Microsoft .NET Framework 3.5" = Microsoft .NET Framework 3.5

"Microsoft .NET Framework 3.5 Language Pack - ptb" = Microsoft .NET Framework 3.5 Language Pack - ptb

"Mozilla Firefox (3.0.11)" = Mozilla Firefox (3.0.11)

"Mozilla Firefox (3.5)" = Mozilla Firefox (3.5)

"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP

"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs

"Revo Uninstaller" = Revo Uninstaller 1.83

"Seven Remix XP" = Seven Remix XP 2.1

"WIC" = Windows Imaging Component

"Windows Media Format Runtime" = Windows Media Format 11 runtime

"Windows XP Service Pack" = Windows XP Service Pack 3

"WMFDist11" = Windows Media Format 11 runtime

"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0

"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0

"XPSEPSCLP" = XML Paper Specification Shared Components Language Pack 1.0

 

========== HKEY_CURRENT_USER Uninstall List ==========

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

 

========== HKEY_USERS Uninstall List ==========

 

[HKEY_USERS\S-1-5-21-839522115-1409082233-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

"Google Chrome" = Google Chrome

 

========== Last 10 Event Log Errors ==========

 

[ Application Events ]

Error - 30/07/2009 09:46:49 | Computer Name = EDIM | Source = MsiInstaller | ID = 1024

Description = Produto: Microsoft Office Professional Edição 2003 - A atualização

'Security Update for PowerPoint 2003 (KB957784): POWERPNT' não pôde ser instalada.

Código de erro 1603. O Windows Installer pode criar logs para ajudar a solucionar

problemas na instalação de pacotes de software. Use o link a seguir para obter

informações sobre ativação do suporte a registro em log: http://go.microsoft.com/fwlink/?LinkId=23127

 

Error - 30/07/2009 10:28:56 | Computer Name = EDIM | Source = Windows Live Messenger | ID = 1000

Description =

 

Error - 30/07/2009 21:23:57 | Computer Name = EDIM | Source = Application Error | ID = 1000

Description = Aplicativo com falha iexplore.exe, versão 6.0.2900.2180, módulo com

falha mshtml.dll, versão 8.0.6001.18812, endereço com falha 0x00209d2c.

 

Error - 30/07/2009 21:59:44 | Computer Name = EDIM | Source = Windows Live Messenger | ID = 1000

Description =

 

Error - 30/07/2009 22:47:33 | Computer Name = EDIM | Source = ioloServiceManager.exe | ID = 0

Description =

 

Error - 30/07/2009 23:13:00 | Computer Name = EDIM | Source = ioloServiceManager.exe | ID = 0

Description =

 

Error - 31/07/2009 10:10:41 | Computer Name = EDIM | Source = Windows Live Messenger | ID = 1000

Description =

 

Error - 31/07/2009 17:32:20 | Computer Name = EDIM | Source = Windows Live Messenger | ID = 1000

Description =

 

Error - 04/08/2009 13:33:17 | Computer Name = EDIM | Source = Windows Live Messenger | ID = 1000

Description =

 

Error - 07/08/2009 17:44:56 | Computer Name = EDIM | Source = Application Error | ID = 1000

Description = Aplicativo com falha wmplayer.exe, versão 9.0.0.4503, módulo com falha

mshtml.dll, versão 8.0.6001.18812, endereço com falha 0x00209d2c.

 

[ System Events ]

Error - 07/08/2009 21:52:36 | Computer Name = EDIM | Source = Cdrom | ID = 262151

Description = O dispositivo, \Device\CdRom0, possui um bloco defeituoso.

 

Error - 07/08/2009 21:52:43 | Computer Name = EDIM | Source = Cdrom | ID = 262151

Description = O dispositivo, \Device\CdRom0, possui um bloco defeituoso.

 

Error - 08/08/2009 09:01:16 | Computer Name = EDIM | Source = sr | ID = 1

Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'

ao processar o arquivo '' no volume 'HarddiskVolume2'. O monitoramento do volume

foi interrompido.

 

Error - 08/08/2009 09:01:44 | Computer Name = EDIM | Source = Service Control Manager | ID = 7000

Description = Não foi possível iniciar o serviço tmevtmgr devido ao seguinte erro:

%%127

 

Error - 08/08/2009 09:01:44 | Computer Name = EDIM | Source = Service Control Manager | ID = 7001

Description = O serviço tmactmon depende do serviço tmevtmgr, mas não foi possível

iniciá-lo devido ao seguinte erro: %%127

 

Error - 08/08/2009 09:01:48 | Computer Name = EDIM | Source = Service Control Manager | ID = 7026

Description = Falha ao carregar o(s) seguinte(s) driver(s) de início do sistema

ou de inicialização: Lbd

 

Error - 08/08/2009 10:02:23 | Computer Name = EDIM | Source = sr | ID = 1

Description = O filtro da restauração do sistema encontrou o erro inesperado '0xC0000001'

ao processar o arquivo '' no volume 'HarddiskVolume2'. O monitoramento do volume

foi interrompido.

 

Error - 08/08/2009 10:02:37 | Computer Name = EDIM | Source = Service Control Manager | ID = 7000

Description = Não foi possível iniciar o serviço tmevtmgr devido ao seguinte erro:

%%127

 

Error - 08/08/2009 10:02:37 | Computer Name = EDIM | Source = Service Control Manager | ID = 7001

Description = O serviço tmactmon depende do serviço tmevtmgr, mas não foi possível

iniciá-lo devido ao seguinte erro: %%127

 

Error - 08/08/2009 10:02:39 | Computer Name = EDIM | Source = Service Control Manager | ID = 7026

Description = Falha ao carregar o(s) seguinte(s) driver(s) de início do sistema

ou de inicialização: Lbd

 

[ TuneUp Events ]

Error - 20/04/2009 13:04:07 | Computer Name = EDIM | Source = TuneUp Program Statistics | ID = 131840

Description =

 

 

< End of report >

 

 

 

Cheers


Good morning, EDSSX!

 

<@> Download: < DelDomains >

<@> Extract DelDomains.inf to the desktop.

<@> Right-click it and choose Install --> Open.

<@> It will look as if nothing happened, because its action is not visible!

<><><><><><><><><>

<@> Download: < gmer.zip >

<@> Save it to Local Disk ( C ) and unzip it right there, in its own folder. ( C:\gmer.exe )

<@> By default, the D:\ and Show All boxes will be unchecked. <-- If present, check only the D:\ box.

<@> Close all open programs and click Scan. <-- Wait!

<@> Allow gmer.sys to run, if prompted.

<@> Confirm the rootkit scan, if you receive that prompt.

<@> When it finishes you may receive another warning about rootkit activity --> Click OK.

<@> At the end, finish by clicking "Save...".

<@> Enter as "File name": Gmer.log

<@> Under "Save in:", choose the Desktop! --> Click "Save" --> OK.

<@> Post in your reply: Gmer.log + an updated HijackThis log.

 

Cheers!


Good morning!

 

Here is the DelDomains log:

 

; DelDomains.inf © 11-28-04 | Revised 01-15-06

; Created by: Mike Burgess Microsoft MVP

; http://mvps.org/winhelp2002/

;

; Warning: Deletes all entries in the Restricted & Trusted Zone list

; http://mvps.org/winhelp2002/restricted.htm

;

; Revised to include the EscDomains key

;

; To execute this file: in Explorer - right-click (this file)

; Select Install from the Menu.

; Note: you will not see any onscreen action.

 

[version]

signature="$CHICAGO$"

 

[DefaultInstall]

DelReg=DelTemps

AddReg=AddTemps

 

[DelTemps]

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

 

; Recreate the keys to avoid a restart

 

[AddTemps]

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"

HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

 

 

 

 

Here is the gmer log:

 

GMER 1.0.15.15020 [gmer.exe] - http://www.gmer.net

Rootkit scan 2009-08-09 10:50:27

Windows 5.1.2600 Service Pack 3

 

 

---- System - GMER 1.0.15 ----

 

SSDT F8B3B316 ZwCreateKey

SSDT F8B3B30C ZwCreateThread

SSDT F8B3B31B ZwDeleteKey

SSDT F8B3B325 ZwDeleteValueKey

SSDT F8B3B32A ZwLoadKey

SSDT F8B3B2F8 ZwOpenProcess

SSDT F8B3B2FD ZwOpenThread

SSDT F8B3B334 ZwReplaceKey

SSDT F8B3B32F ZwRestoreKey

SSDT F8B3B320 ZwSetValueKey

SSDT F8B3B307 ZwTerminateProcess

 

---- User code sections - GMER 1.0.15 ----

 

.text D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe[348] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes JMP 0056DBBD D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

.text D:\WINDOWS\system32\winlogon.exe[936] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 1006D0E0 D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll (Gbieh Module/Caixa Economica Federal)

.text D:\WINDOWS\system32\winlogon.exe[936] kernel32.dll!FreeLibraryAndExitThread 7C80C210 5 Bytes JMP 1006CF80 D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll (Gbieh Module/Caixa Economica Federal)

 

---- Devices - GMER 1.0.15 ----

 

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

 

---- Registry - GMER 1.0.15 ----

 

Reg HKLM\SYSTEM\ControlSet002\Services\hmebrzs\Parameters.REN (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\hmebrzs\Parameters.REN@ServiceDll D:\WINDOWS\system32\lkvfn.dll

Reg HKLM\SYSTEM\ControlSet002\Services\hmebrzs\Parameters.REN.REN (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\hmebrzs\Parameters.REN.REN.REN (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\znfsio\Parameters (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN@ServiceDll D:\WINDOWS\system32\lkvfn.dll

Reg HKLM\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN.REN (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\znfsio\Parameters.REN.REN.REN (not active ControlSet)

 

---- EOF - GMER 1.0.15 ----

 

 

 

 

Here is the new log from the

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:53:59, on 09/08/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

 

Running processes:

D:\WINDOWS\System32\smss.exe

D:\WINDOWS\system32\winlogon.exe

D:\WINDOWS\system32\services.exe

D:\WINDOWS\system32\lsass.exe

D:\ARQUIV~1\GbPlugin\GbpSv.exe

D:\WINDOWS\system32\svchost.exe

D:\WINDOWS\System32\svchost.exe

D:\WINDOWS\system32\spoolsv.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

D:\WINDOWS\Explorer.EXE

D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe

D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe

D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe

D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

D:\WINDOWS\System32\svchost.exe

D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

D:\Arquivos de programas\Java\jre6\bin\jqs.exe

D:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

D:\Arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe

D:\WINDOWS\system32\wbem\wmiapsrv.exe

D:\Arquivos de programas\Mozilla Firefox 3.5 Preview\firefox.exe

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\HiJackThis(2).exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://portuguese.ircfast.com/pt/index.php?rvs=hompag

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - D:\Arquivos de programas\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll

O2 - BHO: G-Buster Browser Defense CEF - {C41A1C0E-EA6C-11D4-B1B8-444553540003} - D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll

O4 - HKLM\..\Run: [Google Desktop Search] "D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe" /startup

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Arquivos de programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [avgnt] "D:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKCU\..\Run: [msnmsgr] "D:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe" /background

O4 - HKCU\..\Run: [Gadwin PrintScreen] D:\Arquivos de programas\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab

O20 - Winlogon Notify: GbPluginCef - D:\ARQUIVOS DE PROGRAMAS\GBPLUGIN\gbiehcef.dll

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - D:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Gbp Service (GbpSv) - - D:\ARQUIV~1\GbPlugin\GbpSv.exe

O23 - Service: Gerenciador do Google Desktop 5.9.906.4286 (GoogleDesktopManager-060409-093314) - Google - D:\Arquivos de programas\Google\Google Desktop Search\GoogleDesktop.exe

O23 - Service: Google Updater Service (gusvc) - Google - D:\Arquivos de programas\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iolo FileInfoList Service (ioloFileInfoList) - Unknown owner - D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iolo Product Update Service (ioloProductUpdate) - Unknown owner - D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

O23 - Service: iolo System Service (ioloSystemService) - Unknown owner - D:\Arquivos de programas\iolo\common\lib\ioloServiceManager.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Arquivos de programas\Java\jre6\bin\jqs.exe

 

--

End of file - 4937 bytes

 

 

Thanks


Good evening! EDSSX

 

ComboFix 09-08-03.04 - edsom luis 03/08/2009 18:28.70.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.511.262 [GMT -3:00]

Executando de: d:\documents and settings\edsom luis\Meus documentos\Downloads\ComboFix.exe

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: Trend Micro Internet Security *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

FW: Trend Micro Personal Firewall *enabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

<!> Why two antivirus products? Keep only Avira.

<><><><><><><><><>

<@> Download: < FixPolicies > ( ...by Bill Castner )

<@> Save it to the desktop!

<@> Be logged in as Administrator.

<@> Run the FixPolicies.exe file with a double-click.

<@> Click Install.

<@> Open the FixPolicies folder that was created.

<@> Double-click Fix_policies.cmd.

<@> A black box will appear for a brief moment.

<><><><><><><><><>

<@> Download: < ToolsCleaner > ( ...by A.Rothstein & dj Quiou )

<@> Save it to the desktop!

<@> Close any open programs and run the tool.

<@> Click the Recherche button to start the scan. <-- Wait!

<@> When it finishes, the items to be removed will be listed.

<@> Click the Suppression button to remove the items found.

<@> Then click Quitter.

<@> Post the report: ( D:\TCleaner.txt ) <--

 

Regards!


Good evening!

 

I uninstalled the Trend Micro one using Revo, and it still always shows up in the ComboFix log; it must be leftovers.

 

Here is the D:\TCleaner.txt log:

 

[ Rapport ToolsCleaner version 2.3.10 (par A.Rothstein & dj QUIOU) ]

 

--> Recherche:

 

D:\TB.txt: trouvé !

D:\Toolbar SD: trouvé !

D:\Documents and Settings\edsom luis\Configurações locais\temp\Diretório temporário 1 para gmer.zip\Gmer.exe: trouvé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\Gmer.zip: trouvé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\ComboFix.exe: trouvé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\HijackThis.exe: trouvé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\ToolBarSD.exe: trouvé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\hijackthis.log: trouvé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\Rsit.exe: trouvé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\dds.scr: trouvé !

 

---------------------------------

--> Suppression:

 

D:\Documents and Settings\edsom luis\Configurações locais\temp\Diretório temporário 1 para gmer.zip\Gmer.exe: supprimé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\Gmer.zip: supprimé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\ComboFix.exe: ERREUR DE SUPPRESSION !!

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\HijackThis.exe: supprimé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\ToolBarSD.exe: supprimé !

D:\TB.txt: supprimé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\hijackthis.log: supprimé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\Rsit.exe: supprimé !

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\dds.scr: supprimé !

D:\Toolbar SD: supprimé !

 

 

Thanks


Good morning! EDSSX

 

<!> Now create a System Restore point.

<><><><><><><><><>

<@> Run OTListIt2.exe.

<@> Copy the information in the QUOTE into the tool's clipboard field. ( Custom Scans/Fixes )

 

:Processes

explorer.exe

:OTLI

DRV - [2007/11/13 07:25:56 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- D:\WINDOWS\system32\DRIVERS\secdrv.sys -- (Secdrv [On_Demand | Stopped])

DRV - [2009/07/23 21:18:26 | 00,050,192 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\drivers\tmactmon.sys -- (tmactmon [Auto | Stopped])

DRV - [2009/07/23 21:18:28 | 00,335,376 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\DRIVERS\TM_CFW.sys -- (tmcfw [On_Demand | Running])

DRV - [2009/07/24 22:02:44 | 00,102,664 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm [Auto | Running])

DRV - [2009/07/23 21:18:26 | 00,050,192 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\drivers\tmevtmgr.sys -- (tmevtmgr [Auto | Stopped])

DRV - [2009/07/23 21:18:26 | 00,036,368 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\DRIVERS\tmpreflt.sys -- (tmpreflt [Auto | Running])

DRV - [2009/07/23 21:18:26 | 00,080,400 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\DRIVERS\tmtdi.sys -- (tmtdi [system | Running])

DRV - [2009/07/23 21:18:28 | 01,195,512 | ---- | M] (Trend Micro Inc.) -- D:\WINDOWS\system32\DRIVERS\vsapint.sys -- (vsapint [Auto | Running])

:Services

TM_CFW

tmevtmgr

tmpreflt

tmactmon

tmcomm

tmxpflt

tmtdi

tmcfw

vsapint

hmebrzs

znfsio

secdrv

:Reg

[-HKEY_LOCAL_MACHINE\software\Microsoft\security center\Monitoring\TrendAntiVirus]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771]

[-HKEY_USERS\S-1-5-21-839522115-1409082233-725345543-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-839522115-1409082233-725345543-1003]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.REN]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2.REN]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data.REN]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hmebrzs]

[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\znfsio]

:Files

D:\Documents and Settings\edsom luis\Configurações locais\temp\McafeeRootkitDetective\Rootkit_Detective.exe

D:\Documents and Settings\edsom luis\Configurações locais\temp\McafeeRootkitDetective

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\ComboFix.exe

D:\Documents and Settings\edsom luis\.housecall6.6\patch.exe

D:\Documents and Settings\edsom luis\.housecall6.6

D:\WINDOWS\System32\drivers\tmpreflt.sys

D:\WINDOWS\System32\drivers\tmevtmgr.sys

D:\WINDOWS\System32\drivers\tmactmon.sys

D:\WINDOWS\System32\drivers\tmcomm.sys

D:\WINDOWS\System32\drivers\TM_CFW.sys

D:\WINDOWS\System32\drivers\vsapint.sys

D:\WINDOWS\System32\drivers\tmxpflt.sys

D:\WINDOWS\System32\drivers\tmtdi.sys

D:\WINDOWS\System32\UfWSC.cpl

D:\WINDOWS\System32\lkvfn.dll

D:\WINDOWS\j459kdf9n6r0e5.PAC

D:\WINDOWS\PEV.exe

:Commands

[purity]

[emptytemp]

[start explorer]

[Reboot]

<@> Click the Run Fix button --> Wait for it to finish!

<@> When done, go to the folder: C:\_OTListIt\MovedFiles\*.log <-- Post that report!

 

Regards!


Good morning!

 

Here is the log

 

 

========== PROCESSES ==========

Process explorer.exe killed successfully!

========== OTLISTIT ==========

 

Service\Driver Secdrv deleted successfully.

D:\WINDOWS\system32\DRIVERS\secdrv.sys moved successfully.

 

Service\Driver tmactmon deleted successfully.

D:\WINDOWS\system32\drivers\tmactmon.sys moved successfully.

 

Service\Driver tmcfw deleted successfully.

D:\WINDOWS\system32\DRIVERS\TM_CFW.sys moved successfully.

Service\Driver tmcomm stopped successfully.

Service\Driver tmcomm deleted successfully.

D:\WINDOWS\system32\drivers\tmcomm.sys moved successfully.

 

Service\Driver tmevtmgr deleted successfully.

D:\WINDOWS\system32\drivers\tmevtmgr.sys moved successfully.

Service\Driver tmpreflt stopped successfully.

Service\Driver tmpreflt deleted successfully.

D:\WINDOWS\system32\DRIVERS\tmpreflt.sys moved successfully.

 

Service\Driver tmtdi deleted successfully.

D:\WINDOWS\system32\DRIVERS\tmtdi.sys moved successfully.

Service\Driver vsapint stopped successfully.

Service\Driver vsapint deleted successfully.

D:\WINDOWS\system32\DRIVERS\vsapint.sys moved successfully.

========== SERVICES/DRIVERS ==========

Service\Driver TM_CFW not found.

Service\Driver TM_CFW not found.

Service\Driver tmevtmgr not found.

Service\Driver tmevtmgr not found.

Service\Driver tmpreflt not found.

Service\Driver tmpreflt not found.

Service\Driver tmactmon not found.

Service\Driver tmactmon not found.

Service\Driver tmcomm not found.

Service\Driver tmcomm not found.

Service\Driver tmxpflt not found.

Service\Driver tmxpflt not found.

Service\Driver tmxpflt not found.

Unable to delete service\driver tmtdi.

Service\Driver tmcfw not found.

Service\Driver tmcfw not found.

Service\Driver vsapint not found.

Service\Driver vsapint not found.

Service\Driver hmebrzs not found.

Service\Driver hmebrzs not found.

Service\Driver znfsio not found.

Service\Driver znfsio not found.

Service\Driver secdrv not found.

Service\Driver secdrv not found.

========== REGISTRY ==========

Registry key HKEY_LOCAL_MACHINE\software\Microsoft\security center\Monitoring\TrendAntiVirus\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771\ not found.

Registry key HKEY_USERS\S-1-5-21-839522115-1409082233-725345543-1003\S-1-5-21-839522115-1409082233-725345543-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-839522115-1409082233-725345543-1003\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data\a5c5c2e4-6bee-4ef9-a0f5-f76a07cce771.REN\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2.REN\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data.REN\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Protected Storage System Provider\*Local Machine*\Data 2\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hmebrzs\ not found.

Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\znfsio\ not found.

========== FILES ==========

File/Folder D:\Documents and Settings\edsom luis\Configurações locais\temp\McafeeRootkitDetective\Rootkit_Detective.exe not found.

File/Folder D:\Documents and Settings\edsom luis\Configurações locais\temp\McafeeRootkitDetective not found.

D:\Documents and Settings\edsom luis\Meus documentos\Downloads\ComboFix.exe moved successfully.

File/Folder D:\Documents and Settings\edsom luis\.housecall6.6\patch.exe not found.

File/Folder D:\Documents and Settings\edsom luis\.housecall6.6 not found.

File/Folder D:\WINDOWS\System32\drivers\tmpreflt.sys not found.

File/Folder D:\WINDOWS\System32\drivers\tmevtmgr.sys not found.

File/Folder D:\WINDOWS\System32\drivers\tmactmon.sys not found.

File/Folder D:\WINDOWS\System32\drivers\tmcomm.sys not found.

File/Folder D:\WINDOWS\System32\drivers\TM_CFW.sys not found.

File/Folder D:\WINDOWS\System32\drivers\vsapint.sys not found.

D:\WINDOWS\System32\drivers\tmxpflt.sys moved successfully.

File/Folder D:\WINDOWS\System32\drivers\tmtdi.sys not found.

D:\WINDOWS\System32\UfWSC.cpl moved successfully.

File/Folder D:\WINDOWS\System32\lkvfn.dll not found.

D:\WINDOWS\j459kdf9n6r0e5.PAC moved successfully.

D:\WINDOWS\PEV.exe moved successfully.

========== COMMANDS ==========

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\temp\Diretório temporário 2 para OTListIt2.zip\OTListIt2.exe scheduled to be deleted on reboot.

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\temp\~DF5C12.tmp scheduled to be deleted on reboot.

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\temp\etilqs_7GeENsteOrvV0XqloQZD scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Temporary Internet Files folder emptied.

User's Internet Explorer cache folder emptied.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

File delete failed. D:\WINDOWS\temp\Perflib_Perfdata_348.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\XUL.mfl scheduled to be deleted on reboot.

File delete failed. D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\urlclassifier3.sqlite scheduled to be deleted on reboot.

FireFox cache emptied.

Opera cache emptied.

Temp folders emptied.

Explorer started successfully

 

OTListIt2 by OldTimer - Version 2.0.3.5 log created on 08102009_111801

 

Files moved on Reboot...

D:\Documents and Settings\edsom luis\Configurações locais\temp\Diretório temporário 2 para OTListIt2.zip\OTListIt2.exe moved successfully.

D:\Documents and Settings\edsom luis\Configurações locais\temp\~DF5C12.tmp moved successfully.

File D:\Documents and Settings\edsom luis\Configurações locais\temp\etilqs_7GeENsteOrvV0XqloQZD not found!

File D:\WINDOWS\temp\Perflib_Perfdata_348.dat not found!

D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\Cache\_CACHE_MAP_ moved successfully.

D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\Cache\_CACHE_001_ moved successfully.

D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\Cache\_CACHE_002_ moved successfully.

D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\Cache\_CACHE_003_ moved successfully.

D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\XUL.mfl moved successfully.

D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\Mozilla\Firefox\Profiles\r46u2xkd.default\urlclassifier3.sqlite moved successfully.

 

Registry entries deleted on Reboot...

 

 

Thanks

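The fix log above is the only record of what the OTListIt2 fix actually did, and it contains the two outcomes worth checking by hand: "Unable to delete service\driver tmtdi." and "File/Folder D:\WINDOWS\System32\lkvfn.dll not found." (the latter was one of the unknown files in the fix script). As an added example, not part of this thread nor a feature of OTListIt2, the script below reconciles excerpts of the fix script and of its log (both copied from the posts above) and reports, per requested item, whether it was removed, was not found, or needs follow-up. The outcome categories, the regexes and the conflict rule are this example's own assumptions about how to read an OTL log.

```python
"""Reconcile an OTListIt2 fix script with the log the fix produced (added example).

FIX_SCRIPT and FIX_LOG are excerpts copied from the thread; nothing else here is OTListIt2's own.
"""
import re

FIX_SCRIPT = r"""
:Services
tmcomm
tmxpflt
tmtdi
hmebrzs
:Reg
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hmebrzs]
:Files
D:\WINDOWS\System32\drivers\tmxpflt.sys
D:\WINDOWS\System32\lkvfn.dll
"""

FIX_LOG = r"""
Service\Driver tmtdi deleted successfully.
Service\Driver tmcomm stopped successfully.
Service\Driver tmcomm deleted successfully.
Service\Driver tmxpflt not found.
Unable to delete service\driver tmtdi.
Service\Driver hmebrzs not found.
Registry key HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hmebrzs\ not found.
D:\WINDOWS\System32\drivers\tmxpflt.sys moved successfully.
File/Folder D:\WINDOWS\System32\lkvfn.dll not found.
"""

# (pattern, script section the line answers to, outcome); the generic "moved" rule goes last.
LOG_PATTERNS = [
    (re.compile(r"^Service\\Driver (\S+) deleted successfully\.$"), "services", "deleted"),
    (re.compile(r"^Service\\Driver (\S+) stopped successfully\.$"), "services", "stopped"),
    (re.compile(r"^Service\\Driver (\S+) not found\.$"), "services", "not_found"),
    (re.compile(r"^Unable to delete service\\driver (\S+)\.$"), "services", "failed"),
    (re.compile(r"^Registry key (.+?)\\? deleted successfully\.$"), "reg", "deleted"),
    (re.compile(r"^Registry key (.+?)\\? not found\.$"), "reg", "not_found"),
    (re.compile(r"^File/Folder (.+) not found\.$"), "files", "not_found"),
    (re.compile(r"^File delete failed\. (.+) scheduled to be deleted on reboot\.$"), "files", "deferred"),
    (re.compile(r"^(.+) moved successfully\.$"), "files", "moved"),
]
SUCCESS, FAILURE = {"deleted", "moved"}, {"failed"}


def norm(target):
    return target.strip().lower().rstrip("\\")  # Windows names are case-insensitive


def parse_fix_script(text):
    """Return {section: [item, ...]} for the ':Section' blocks of an OTL fix script."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith(":"):
            current = line[1:].lower()
            sections.setdefault(current, [])
        elif line and current:
            sections[current].append(line)
    return sections


def parse_fix_log(text):
    """Return [(section, normalised target, outcome)] for every recognised log line."""
    found = []
    for line in (raw.strip() for raw in text.splitlines()):
        for pattern, section, outcome in LOG_PATTERNS:
            match = pattern.match(line)
            if match:
                found.append((section, norm(match.group(1)), outcome))
                break
    return found


def verdict(outcomes):
    """Collapse everything the log said about one item into a single status."""
    hit, miss = outcomes & SUCCESS, outcomes & FAILURE
    if hit and miss:
        return "conflicting"  # e.g. driver entry removed but the service delete was refused
    if hit or miss:
        return "removed" if hit else "failed"  # failed: still present, needs another pass
    for status in ("deferred", "not_found"):  # reboot-pending / already gone or wrong name
        if status in outcomes:
            return status
    return "no_result"  # the log never mentioned the item


def reconcile(script_text, log_text):
    """Map each item the script asked for to the status the log reports for it."""
    sections = parse_fix_script(script_text)
    observed = {}
    for section, target, outcome in parse_fix_log(log_text):
        observed.setdefault((section, target), set()).add(outcome)
    report = {}
    for section in ("services", "reg", "files"):
        for item in sections.get(section, []):
            # ':Reg' delete items are written [-KEY]; strip the brackets and the '-'
            target = item[2:-1] if section == "reg" and item.startswith("[-") else item
            report[item] = verdict(observed.get((section, norm(target)), set()))
    return report


def needs_follow_up(report):
    """Items whose status means the fix did not verifiably take."""
    return [item for item, status in report.items()
            if status in ("failed", "conflicting", "deferred", "no_result")]
```

Run against the excerpts, `reconcile` marks tmcomm and tmxpflt.sys as removed, lkvfn.dll and the hmebrzs service/key as not found, and tmtdi as conflicting (its driver entry was deleted in the :OTLI pass but the later :Services delete was refused), so `needs_follow_up` returns only tmtdi, which is exactly the item a helper would re-check after the reboot.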

Good afternoon! EDSSX

 

<@> Copy the information under the CODE into Notepad.

 

; DelDomains.inf © 11-28-04 | Revised 01-15-06
; Created by: Mike Burgess Microsoft MVP
; http://mvps.org/winhelp2002/
;
; Warning: Deletes all entries in the Restricted & Trusted Zone list
; http://mvps.org/winh.../restricted.htm
;
; Revised to include the EscDomains key
;
; To execute this file: in Explorer - right-click (this file)
; Select Install from the Menu.
; Note: you will not see any onscreen action.

[version]
signature="$CHICAGO$"

[DefaultInstall]
DelReg=DelTemps
AddReg=AddTemps

[DelTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

; Recreate the keys to avoid a restart
[AddTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

<@> Under "Save as type", choose: "All files"

<@> Under "File name", type: DelDomains.inf <-- Don't forget the ( .inf )

<@> Save it to the desktop.

<@> Now proceed with its installation!

<@> Go to the file --> Right-click the file --> Install <-- Left-click!

<><><><><><><><>

<!> Ps: Its action is silent! Only a slight flicker of the screen will be noticed.

<><><><><><><><>

<@> With everything OK, create a clean System Restore point.

<@> Right-click My Computer --> Properties --> System Restore.

<@> Check: Turn off System Restore --> Apply --> Wait! --> OK.

<@> Then uncheck it again! --> Apply --> Wait! --> OK.

<@> For more details, read the tutorial: < Link >

<><><><><><><><>

<!> Your log is clean and free of malware. :bye:

<!> For better machine performance, it is recommended to defragment the disk or run scandisk to correct logical errors.

<!> To avoid new infections, read the articles:

 

< Featured: Precautions when browsing the net >

 

< Featured: Expanded Threats >

 

Regards!

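Right-click > Install on an .inf executes its [DefaultInstall] section, and a DelReg directive that names only a root and a subkey deletes that whole subkey and everything beneath it, which is why the file's own comment warns that every Trusted and Restricted Sites entry is wiped. Reading the DelReg and AddReg sections before installing is the check to make. As an added example, not part of this thread nor of DelDomains.inf itself, the parser below resolves those sections for the DelDomains.inf above (embedded here, reformatted one directive per line) and reports which keys are deleted outright and whether each one is recreated by AddReg as the "Recreate the keys" comment promises. The csv-based field splitting and the whole-key rule are this example's assumptions about INF syntax.

```python
"""Audit the registry actions of an .inf before right-click > Install (added example)."""
import csv
import re

# The thread's DelDomains.inf, reformatted one directive per line (not this example's own text).
DELDOMAINS_INF = r"""
; DelDomains.inf | Created by: Mike Burgess Microsoft MVP
; Warning: Deletes all entries in the Restricted & Trusted Zone list
[version]
signature="$CHICAGO$"
[DefaultInstall]
DelReg=DelTemps
AddReg=AddTemps
[DelTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"
; Recreate the keys to avoid a restart
[AddTemps]
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"
"""


def strip_comment(line):
    """Drop a ';' comment, but leave a ';' that sits inside a quoted value alone."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_inf(text):
    """Return {section: [directive, ...]}; comments and blank lines are dropped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line:
            continue
        head = re.match(r"^\[(.+)\]$", line)
        if head:
            current = head.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def reg_entries(lines):
    """Parse 'root,"subkey"[,value-name[,flags[,value]]]' directives into tuples.

    No value name means the directive addresses the whole subkey; under DelReg
    that deletes the subkey and everything beneath it.
    """
    entries = []
    for line in lines:
        fields = next(csv.reader([line], skipinitialspace=True)) + ["", "", ""]
        root, subkey, value_name = fields[0].strip(), fields[1], fields[2]
        entries.append((root, subkey, value_name or None))
    return entries


def audit_inf(text):
    """Resolve [DefaultInstall]'s DelReg/AddReg lists to the registry keys they touch."""
    sections = parse_inf(text)
    install = {}
    for directive in sections.get("DefaultInstall", []):
        key, _, value = directive.partition("=")
        install[key.strip()] = [s.strip() for s in value.split(",") if s.strip()]
    deleted = [e for name in install.get("DelReg", []) for e in reg_entries(sections.get(name, []))]
    added = [e for name in install.get("AddReg", []) for e in reg_entries(sections.get(name, []))]
    whole_keys = [e for e in deleted if e[2] is None]
    recreated = {(root, subkey) for root, subkey, _ in added}
    version = dict(d.partition("=")[::2] for d in sections.get("version", []))
    return {
        "signature": version.get("signature", "").strip().strip('"'),
        "deleted": deleted,
        "added": added,
        "whole_keys_deleted": whole_keys,
        # whole keys that DelReg removes and no AddReg entry puts back
        "not_recreated": [e for e in whole_keys if (e[0], e[1]) not in recreated],
    }
```

For the DelDomains.inf above, `audit_inf` reports five whole-key deletions (the HKCU and HKLM ZoneMap Domains and Ranges keys plus HKCU EscDomains) and an empty `not_recreated` list, so the file does what its comments say: it resets the zone lists without leaving the keys absent. An .inf whose `not_recreated` list is non-empty, or whose DelReg reaches outside the keys its comments mention, is the one to question before clicking Install.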

Good afternoon!

 

It worked now.

According to the ToolBar S&D, Avira AntiRootkit and McAfee Rootkit Detective logs below, the rootkits are still present.

Note: according to an older Avira AntiRootkit log ( from earlier in this topic ) there were only 2; now there are those 2 plus 2 more rootkits, as per the log below.

 

Here is the ToolBar S&D log:

 

-----------\\ ToolBar S&D 1.2.8 XP/Vista

 

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3

X86-based PC ( Uniprocessor Free : AMD Sempron 2400+ )

BIOS : Version 07.00T

USER : edsom luis ( Administrator )

BOOT : Normal boot

Antivirus : Trend Micro Internet Security 17.1.1171 (Not Activated)

Firewall : Trend Micro Personal Firewall 5.5 (Activated)

A:\ (USB)

C:\ (Local Disk) - FAT32 - Total:17 Go (Free:7 Go)

D:\ (Local Disk) - FAT32 - Total:59 Go (Free:41 Go)

E:\ (CD or DVD)

 

"D:\ToolBar SD" ( MAJ : 21-12-2008|20:47 )

Option : [2] ( 10/08/2009|15:25 )

 

-----------\\ Procura por Arquivos / Ficheiros ...

 

 

-----------\\ Extensions

 

(edsom luis) - {3112ca9c-de6d-4884-a869-9855de68056c} => google-toolbar

(edsom luis) - {991A772A-BA13-4c1d-A9EF-F897F31DEC7D} => megaupload

(edsom luis) - {3112ca9c-de6d-4884-a869-9855de68056c} => google-toolbar

 

 

-----------\\ [..\Internet Explorer\Main]

 

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]

"SearchMigratedDefaultURL"="http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8"

"Start Page"="http://portuguese.ircfast.com/pt/index.php?rvs=hompag"

"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

"Url"="http://go.microsoft.com/fwlink/?LinkID=68928"

"Url"="http://go.microsoft.com/fwlink/?LinkID=44406"

"Url"="http://go.microsoft.com/fwlink/?LinkID=68929"

 

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]

"Start Page"="http://www.msn.com/"

"Default_Page_URL"="http://go.microsoft.com/fwlink/?LinkId=69157"

"Default_Search_URL"="http://go.microsoft.com/fwlink/?LinkId=54896"

"Search Page"="http://go.microsoft.com/fwlink/?LinkId=54896"

 

 

--------------------\\ Procurando por outras infecções

 

--------------------\\ ROOTKIT !!

 

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HOOKSYS]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HOOKSYS]

Rootkit Pandex ! .. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS]

 

 

 

 

1 - "D:\ToolBar SD\TB_1.txt" - 10/08/2009|15:27 - Option : [2]

 

-----------\\ Verificação completa em 15:27:37,00

 

 

Here is the Avira AntiRootkit log:

 

Avira AntiRootkit Tool (1.1.0.1)

 

===================================================================

- Scan started terça-feira, 11 de agosto de 2009 - 12:23:37

===================================================================

 

-------------------------------------------------------------------

Configuration:

-------------------------------------------------------------------

- [X] Scan files

- [X] Scan registry

- [X] Scan processes

- [ ] Fast scan

- Working disk total size : 59.00 GB

- Working disk free size : 41.23 GB (69 %)

-------------------------------------------------------------------

 

Results:

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren.ren

Hidden key : HKEY_LOCAL_MACHINE\System\ControlSet002\Services\hmebrzs\parameters.ren.ren.ren

Hidden key : HKEY_USERS\S-1-5-21-839522115-1409082233-725345543-1003\Software\Microsoft\Protected Storage System Provider\S-1-5-21-839522115-1409082233-725345543-1003\data

 

--------------------------------------------------------------------

Files: 0/155865

Registry items: 4/399408

Processes: 0/30

Scan time: 00:05:12

--------------------------------------------------------------------

Active processes:

- xbvsrudm.exe (PID 216) (Avira AntiRootkit Tool)

- System (PID 4)

- SMSS.EXE (PID 556)

- CSRSS.EXE (PID 620)

- WINLOGON.EXE (PID 644)

- SERVICES.EXE (PID 688)

- LSASS.EXE (PID 700)

- GBPSV.EXE (PID 872)

- SVCHOST.EXE (PID 912)

- SVCHOST.EXE (PID 1012)

- SVCHOST.EXE (PID 1108)

- SVCHOST.EXE (PID 1248)

- SVCHOST.EXE (PID 1464)

- EXPLORER.EXE (PID 1536)

- SPOOLSV.EXE (PID 1592)

- SCHED.EXE (PID 1704)

- GoogleDesktop.exe (PID 1764)

- AVGNT.EXE (PID 1796)

- MSNMSGR.EXE (PID 1804)

- PrintScreen.exe (PID 1824)

- AVGUARD.EXE (PID 260)

- SVCHOST.EXE (PID 328)

- ioloServiceManager.exe (PID 448)

- JQS.EXE (PID 576)

- MDM.EXE (PID 768)

- SEAPORT.EXE (PID 1060)

- alg.exe (PID 2296)

- wmiapsrv.exe (PID 2692)

- firefox.exe (PID 3436)

- avirarkd.exe (PID 2252)

===================================================================

- Scan finished terça-feira, 11 de agosto de 2009 - 12:28:50

===================================================================


Good evening! EDSSX

 

<!> The reports from the tools I gave you do not show the rootkit. Only Toolbar S&D flags the malware, and it is not a tool specifically designed for that kind of detection.

<!> So let's go a little further with the investigation, and if there are no rootkits I will stop the analysis and close the topic.

<><><><><><><><><><>

<@> Download: < SDFix > ( ...by andymanchesta )

<@> Save it to Local Disk D and unzip it right there.

<@> Restart the computer in Safe Mode. <-- Link!

<@> Double-click: < runThis.bat >

 

<!> In case a window opens and closes suddenly:

<!> Go to Start --> Run --> Type or paste: %systemdrive%\SDFix\apps\FixPath.exe /Q --> OK!

<!> Restart the computer and run SDFix again.

<!> If that does not work, check the %comspec% variable.

<!> Right-click My Computer --> Properties --> Advanced.

<!> Under Environment Variables, check that the ComSpec variable has the following value for cmd.exe:

 

<!> Value: %SystemRoot%\system32\cmd.exe

<@> Press Y.

<@> Wait for it to finish!

<@> When done, press Enter. ( Or any key! )

<@> The computer will be restarted!

<@> Wait, still, for the cleanup to finish.

<><><><><><><><><><>

<@> Post: Report.txt

 

Regards!


Good afternoon!

Thank you for the attention.

OK then; however, Avira AntiRootkit detected 4.

 

Here is the SDFix log below:

 

SDFix: Version 1.240

Run by edsom luis on 12/08/2009 at 11:37

 

Microsoft Windows XP [versão 5.1.2600]

Running From: D:\SDFix

 

Checking Services :

 

 

Restoring Default Security Values

Restoring Default Hosts File

 

Rebooting

 

 

Checking Files :

 

No Trojan Files Found

 

 

 

 

 

 

Removing Temp Files

 

ADS Check :

 

 

 

Final Check :

 

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-12 11:43:07

Windows 5.1.2600 Service Pack 3 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden services ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

 

 

Remaining Services :

 

 

 

 

Authorized Application Key Export:

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"D:\\WINDOWS\\system32\\rtcshare.exe"="D:\\WINDOWS\\system32\\rtcshare.exe:*:Disabled:Compartilhamento de aplicativo RTC"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"D:\\Arquivos de programas\\Windows Live\\Messenger\\MSNMSGR.EXE"="D:\\Arquivos de programas\\Windows Live\\Messenger\\MSNMSGR.EXE:*:Enabled:Windows Live Messenger"

"D:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="D:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"D:\\Arquivos de programas\\Windows Live\\Messenger\\MSNMSGR.EXE"="D:\\Arquivos de programas\\Windows Live\\Messenger\\MSNMSGR.EXE:*:Enabled:Windows Live Messenger"

"D:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"="D:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

 

Remaining Files :

 

 

 

Files with Hidden Attributes :

 

Sun 8 Mar 2009 638,816 A.SH. --- "D:\WINDOWS\NiwradSoft Shell Pack\Backup\iexplore.exe"

Wed 29 Jul 2009 46,592 ...H. --- "D:\Documents and Settings\edsom luis\Meus documentos\~WRL0004.tmp"

Tue 7 Jul 2009 26,112 ...H. --- "D:\Documents and Settings\edsom luis\Meus documentos\~WRL0005.tmp"

Fri 7 Aug 2009 26,112 ...H. --- "D:\Documents and Settings\edsom luis\Meus documentos\~WRL1302.tmp"

 

Finished!

 

Thanks and regards


Good afternoon! EDSSX

 

OK then; however, Avira AntiRootkit detected 4

<!> The Avira report shows false positives! But... the Toolbar S&D one is worrying.

<><><><><><><><><>

<@> Download: < Sysinternals RootkitRevealer 1.7 >

<@> Post the report from that scan in your reply.

<><><><><><><><><>

<@> Open the Registry Editor.

<@> Navigate to the highlighted subkeys:

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HOOKSYS\0000\Control

 

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HOOKSYS\0000\Control

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS\0000\Control

<@> For each entry, export the Control values.

<@> Click "File" --> "Export..."

<@> Under "Save as type", choose: "Text files"

<@> Under "File name", type: hook

<@> Save it to the desktop, and post hook.txt <--

 

Regards!


Good afternoon!

 

Whenever I try to download Sysinternals RootkitRevealer, from any link, the page below opens; I will try again and, if successful, will post/edit it here.

 

[screenshot]

 

Here are the logs:

 

Nome da chave: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_HOOKSYS

Nome da classe: <Sem classe>

Hora da última gravação: 11/06/2009 - 19:58

Valor 0

Nome: NextInstance

Tipo: REG_DWORD

Dados: 0x1

 

 

Nome da chave: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_HOOKSYS

Nome da classe: <Sem classe>

Hora da última gravação: 11/06/2009 - 19:58

Valor 0

Nome: NextInstance

Tipo: REG_DWORD

Dados: 0x1

 

 

Nome da chave: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_HOOKSYS

Nome da classe: <Sem classe>

Hora da última gravação: 11/06/2009 - 19:58

Valor 0

Nome: NextInstance

Tipo: REG_DWORD

Dados: 0x1

 

 

 

Thanks and regards.


Good afternoon! EDSSX

 

°°°°°°°°°°°°°°°°°°°°°°°°°°

Valor 0 <--

Nome: NextInstance

Tipo: REG_DWORD

Dados: 0x1

°°°°°°°°°°°°°°°°°°°°°°°°°°

<!> For each entry, did we only have this value? ( 0 )

<!> If so, most tools may be unable to detect the entry(ies) created by the rootkit, with incorrect names or data added, of course.

<!> Have you ever had the Rising program installed on the PC? Those entries/services are related to it. From my research, the infection arrives through inserted removable drives. ( Pen drive )

<><><><><><><><><><>

<@> Ps: Here is the link to RootkitRevealer: < http://www.badongo.com/file/16558662 >

<@> It may be that this one also does not detect the rootkit, since the method Toolbar S&D uses to detect the rootkit is not known.

<@> Ps: I will give your case priority, but... for that I will need a more comprehensive report. #SystemScan#

<@> Configure your computer to show hidden files/folders.

<><><><><><><><><><>

<@> Download: < SystemScan >

 

///////////// CREDITS \\\\\\\\\\\\

SystemScan uses some freeware tools that remain property of their authors:

 

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "

* dumphive (Markus Stephany)--> "Registry scan"

* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"

* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"

---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

 

Thanks to all of them for their hard work

<@> Save it to Local Disk (D:) and run it from there!

<@> Allow it to run if a protection program blocks it.

<@> Untick the box: "Flag the checkbox..."

<@> Click "Proceed" --> Wait!

<@> In the "Suspect File" window that appears, choose: "Recent files, days old" [60]

<@> Then click "Scan Now" --> Click OK on the message!

<@> Wait for it to finish (it takes a while) and post the report. ( report.txt )

<@> You will find it on the desktop and inside the "suspectfile" folder.

<@> PS: In that same folder there is the compressed report: dd_mm_2009_xx_yy_report <--

<@> Upload it to a hosting site of your choice and give us the address.

 

Regards!

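An added example, not part of the reply above and not code from RootkitRevealer itself. The reply warns that RootkitRevealer may not detect this rootkit; when it does produce output, most lines are discrepancies with ordinary causes, and the practical step is sorting them before reading each one. The script parses lines in RootkitRevealer's text layout (path, timestamp, size, description) and buckets them using a small allow-list that is a heuristic assumption of this example: embedded-null key names under HKLM\SECURITY\Policy\Secrets, items hidden under System Volume Information, and security mismatches on per-user Console/International keys are treated as expected, any other security mismatch as low priority, and everything else (a hidden file or key elsewhere) as needing review. The sample lines are constructed to match the layout; example_hidden.sys is an invented entry.

```python
import re
from collections import Counter

# Constructed sample in the layout RootkitRevealer uses for its text output
# (path, timestamp, size, description on each line; the tool writes tab
# separated columns, which forum posts flatten to spaces). The first four lines
# mirror the kinds of entries posted in this thread; example_hidden.sys is an
# invented entry included only to show what a hit needing review looks like.
SAMPLE_OUTPUT = r"""
HKU\.DEFAULT\Control Panel\International 12/4/2009 00:03 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 19/9/2007 11:02 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 21/6/2009 13:19 0 bytes Security mismatch.
C:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP810\change.log.1 13/8/2009 12:59 498 bytes Hidden from Windows API.
C:\WINDOWS\system32\drivers\example_hidden.sys 13/8/2009 12:59 48128 bytes Hidden from Windows API.
"""

# path (may contain spaces), then date and time, then "<n> bytes", then the
# discrepancy description. Columns may be tab- or space-separated.
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<when>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2})"
    r"\s+(?P<size>\d+) bytes\s+(?P<desc>.+?)\s*$"
)

# Heuristic allow-list, an assumption of this example rather than a verdict
# from RootkitRevealer: (discrepancy class, path pattern) pairs that Windows
# itself produces at these locations and that are routinely treated as noise.
EXPECTED = [
    ("Key name contains embedded nulls",
     re.compile(r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*$", re.IGNORECASE)),
    ("Hidden from Windows API",
     re.compile(r"^[A-Z]:\\System Volume Information\\", re.IGNORECASE)),
    ("Security mismatch",
     re.compile(r"^HKU\\[^\\]+\\(Console|Control Panel\\International)(\\|$)", re.IGNORECASE)),
]


def parse_rootkitrevealer(text):
    """Turn RootkitRevealer text output into a list of dicts; lines that do not
    fit the four-column layout are skipped rather than guessed at."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        desc = m.group("desc")
        entries.append({
            "path": m.group("path"),
            "when": m.group("when"),
            "size": int(m.group("size")),
            # class = description without its trailing "." or " (*)" marker
            "class": desc.split(" (")[0].rstrip("."),
            "desc": desc,
        })
    return entries


def classify(entry):
    """expected: allow-listed; low: any other security mismatch (an ACL
    difference on its own hides nothing); review: anything else."""
    for cls, pattern in EXPECTED:
        if entry["class"] == cls and pattern.search(entry["path"]):
            return "expected"
    if entry["class"] == "Security mismatch":
        return "low"
    return "review"


def triage(text):
    """Bucket every parsed line as {"expected": [...], "low": [...], "review": [...]}."""
    buckets = {"expected": [], "low": [], "review": []}
    for entry in parse_rootkitrevealer(text):
        buckets[classify(entry)].append(entry)
    return buckets


def class_counts(text):
    """How many lines of each discrepancy class the output contains."""
    return Counter(entry["class"] for entry in parse_rootkitrevealer(text))


if __name__ == "__main__":
    result = triage(SAMPLE_OUTPUT)
    for level in ("review", "low", "expected"):
        for entry in result[level]:
            print(f"{level:8} {entry['class']:34} {entry['path']}")
```

The point of the "review" bucket is that a file or key hidden from the Windows API outside System Volume Information is the one result class RootkitRevealer cannot explain away by permissions, so it is where the reading should start; the allow-list is deliberately short and should be extended only with entries whose cause has been confirmed on the machine in question.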

Good afternoon!

 

It had other values (I think all three are the same), as in the figure below.

Yes, I had installed this Rising and, as far as I remember, other software from the same vendor; their behaviour on the PC was very strange, which is why I removed them.

 

[screenshot]

 

Here is the RootkitRevealer log:

 

HKU\.DEFAULT\Control Panel\International 12/4/2009 00:03 0 bytes Security mismatch.

HKU\.DEFAULT\Control Panel\International\Geo 12/4/2009 00:03 0 bytes Security mismatch.

HKU\S-1-5-21-839522115-1409082233-725345543-1003\Console 12/8/2009 12:08 0 bytes Security mismatch.

HKU\S-1-5-21-839522115-1409082233-725345543-1003\Control Panel\International 12/4/2009 00:03 0 bytes Security mismatch.

HKU\S-1-5-21-839522115-1409082233-725345543-1003\Control Panel\International\Geo 12/4/2009 00:03 0 bytes Security mismatch.

HKU\S-1-5-18\Control Panel\International 12/4/2009 00:03 0 bytes Security mismatch.

HKU\S-1-5-18\Control Panel\International\Geo 12/4/2009 00:03 0 bytes Security mismatch.

HKLM\SECURITY\Policy\Secrets\SAC* 19/9/2007 11:02 0 bytes Key name contains embedded nulls (*)

HKLM\SECURITY\Policy\Secrets\SAI* 19/9/2007 11:02 0 bytes Key name contains embedded nulls (*)

HKLM\SOFTWARE\swearware\backup\winsock2 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000001 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000002 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000003 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010 21/6/2009 13:19 0 bytes Security mismatch.

HKLM\SOFTWARE\swearware\backup\winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011 21/6/2009 13:19 0 bytes Security mismatch.

C:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP810 13/8/2009 12:47 0 bytes Hidden from Windows API.

C:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP810\change.log.1 13/8/2009 12:59 498 bytes Hidden from Windows API.

C:\System Volume Information\_restore{EEF64C4D-500C-4C7F-9CA6-B6525621900A}\RP810\RestorePointSize 13/8/2009 13:05 8 bytes Hidden from Windows API.

 

 

Here is the suspectfile log:

 

SystemScan - www.suspectfile.com - ver. 3.6.2 (code: holifay & bReAkdOWn)

 

Running on: Windows XP PROFESSIONAL Edition, Service Pack 3 (2600.5.1)

System directory: D:\WINDOWS

SystemScan file: D:\Documents and Settings\edsom luis\Meus documentos\Downloads\sys6303.exe

Running in: User mode

Date: 13/08/2009

Time: 15:05:43

 

Output limited to:

-Recent files

 

===================== RECENT FILES =====================

Listing files newer than 60 days

 

---- recent files in D:\

12/08/2009 12:01:26 -- 12/08/2009 12:01:28 (DIR) -S-- 1 days old -- D:\ComboFix

10/08/2009 14:53:48 -- 10/08/2009 14:53:50 (DIR) ---- 3 days old -- D:\Qoobox

08/08/2009 23:14:16 -- 08/08/2009 23:14:18 (DIR) ---- 4 days old -- D:\f3e64e655c4cf5ea0969946e

21/07/2009 23:46:39 -- 21/07/2009 23:46:40 (DIR) HSRA 22 days old -- D:\autorun.inf

18/06/2009 21:00:37 -- 18/06/2009 21:00:38 (DIR) ---- 55 days old -- D:\21a6b3c9a203d11e9fcb

18/06/2009 20:57:24 -- 18/06/2009 20:57:26 (DIR) H-R- 55 days old -- D:\AHCache

18/06/2009 20:57:14 -- 18/06/2009 20:57:16 (DIR) ---- 55 days old -- D:\1de403447504815a4b19843a905f

12/08/2009 12:24:10 -- 13/08/2009 09:52:10 536399872 HS-A 0 days old -- D:\hiberfil.sys

16/04/2009 00:42:14 -- 13/08/2009 09:52:10 805306368 HS-A 0 days old -- D:\pagefile.sys

12/08/2009 12:08:43 -- 12/08/2009 12:08:44 23786 ---A 1 days old -- D:\ComboFix.txt

10/08/2009 15:25:34 -- 10/08/2009 15:27:38 2362 ---A 2 days old -- D:\TB.txt

 

---- recent files in D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\

13/08/2009 15:02:21 -- 13/08/2009 15:02:22 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\nst1A1.tmp

13/08/2009 12:48:35 -- 13/08/2009 12:48:36 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\{8CB14A64-CEF4-4C8F-B1C8-1C3B8752CB55}

13/08/2009 12:30:03 -- 13/08/2009 12:30:04 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\database

13/08/2009 12:30:03 -- 13/08/2009 12:30:04 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Translations

13/08/2009 12:30:02 -- 13/08/2009 12:30:04 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Drivers

13/08/2009 12:30:00 -- 13/08/2009 12:30:02 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Themes

13/08/2009 12:30:01 -- 13/08/2009 12:30:02 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\scanners

13/08/2009 12:29:42 -- 13/08/2009 12:29:44 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\cis resource

13/08/2009 12:29:26 -- 13/08/2009 12:29:28 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\CDIResData

13/08/2009 12:21:44 -- 13/08/2009 12:21:46 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\plugtmp

13/08/2009 11:57:59 -- 13/08/2009 11:58:00 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\RootkitRevealer

13/08/2009 11:57:57 -- 13/08/2009 11:57:58 (DIR) H--- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para RootkitRevealer.zip

13/08/2009 09:52:46 -- 13/08/2009 09:52:48 (DIR) ---- 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\WPDNSE

12/08/2009 14:25:00 -- 12/08/2009 14:25:02 (DIR) H--- 1 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 2 para antivir_rootkit(2).zip

12/08/2009 13:56:31 -- 12/08/2009 13:56:32 (DIR) H--- 1 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para HiJackThis.zip

12/08/2009 12:56:58 -- 12/08/2009 12:57:00 (DIR) H--- 1 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Diretório temporário 1 para antivir_rootkit(2).zip

13/08/2009 15:02:33 -- 13/08/2009 15:02:34 16384 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\~DFF22B.tmp

13/08/2009 15:02:20 -- 13/08/2009 15:02:22 74 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\systemscan.ini

13/08/2009 12:45:40 -- 13/08/2009 13:36:30 7104 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\kl-setup-2009-08-13-12-45-40.log

13/08/2009 12:46:02 -- 13/08/2009 13:36:26 5000186 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\kl-install-2009-08-13-12-45-42.log

13/08/2009 12:47:33 -- 13/08/2009 13:36:18 279253 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\caevents.log

13/08/2009 12:56:40 -- 13/08/2009 12:56:44 4772 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\kleaner (pid 2080) 2009-08-13 12-56-40.log

13/08/2009 12:53:00 -- 13/08/2009 12:53:08 18721 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\kleaner (pid 1568) 2009-08-13 12-53-00.log

13/08/2009 12:49:24 -- 13/08/2009 12:49:30 8502 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\kleaner (pid 1568) 2009-08-13 12-49-24.log

13/08/2009 12:45:46 -- 13/08/2009 12:45:58 22614 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\tmp53.tmp

13/08/2009 12:32:09 -- 13/08/2009 12:32:12 4829376 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\HopSurfToolbarSetupDll.dll

13/08/2009 12:32:09 -- 13/08/2009 12:32:10 804352 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\XLJCFRDNFMHIHGYGSUYMOUBTFODZLQGZGRKMJWXZ

13/08/2009 12:32:09 -- 13/08/2009 12:32:10 121856 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\MHBJUYITTSNPGJJVGOODMQTYCBSLFEGGYKULOXYG

13/08/2009 12:29:57 -- 13/08/2009 12:29:58 0 H--A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\etilqs_3NsEdibE8yWTDKBJzdG8

13/08/2009 12:29:26 -- 13/08/2009 12:29:28 12252 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\Script.ini

13/08/2009 11:58:08 -- 13/08/2009 11:58:10 584576 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\CYRKKCA.exe

13/08/2009 11:57:48 -- 13/08/2009 11:57:50 231390 --RA 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\RootkitRevealer.zip

13/08/2009 11:49:41 -- 13/08/2009 11:49:42 5 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\chrome_shutdown_ms.txt

13/08/2009 09:52:45 -- 13/08/2009 09:52:46 16384 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\~DF2A89.tmp

12/08/2009 12:24:22 -- 12/08/2009 15:14:06 16384 ---A 0 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\~DFEAB4.tmp

12/08/2009 14:25:00 -- 12/08/2009 14:25:02 0 ---A 1 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\52.tmp

12/08/2009 14:25:00 -- 21/04/2009 14:20:32 188673 --RA 1 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\uaaqozga.exe

12/08/2009 12:56:59 -- 12/08/2009 12:57:00 0 ---A 1 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\1E.tmp

12/08/2009 12:56:59 -- 21/04/2009 14:20:32 188673 --RA 1 days old -- D:\DOCUME~1\EDSOML~1\CONFIG~1\Temp\duugqtzj.exe

 

---- recent files in D:\WINDOWS\

13/08/2009 09:55:10 -- 13/08/2009 09:55:12 (DIR) ---- 0 days old -- D:\WINDOWS\LastGood

12/08/2009 12:08:45 -- 12/08/2009 12:08:46 (DIR) ---- 1 days old -- D:\WINDOWS\temp

10/08/2009 11:09:26 -- 10/08/2009 11:09:28 (DIR) H--- 3 days old -- D:\WINDOWS\$NtUninstallKB961118$

31/07/2009 15:51:47 -- 31/07/2009 15:51:48 (DIR) H--- 12 days old -- D:\WINDOWS\PIF

30/07/2009 14:05:37 -- 30/07/2009 14:05:38 (DIR) ---- 14 days old -- D:\WINDOWS\SoftwareDistribution

28/07/2009 13:43:02 -- 28/07/2009 13:43:04 (DIR) HS-- 16 days old -- D:\WINDOWS\CSC

24/07/2009 13:11:24 -- 24/07/2009 13:11:26 (DIR) ---- 20 days old -- D:\WINDOWS\Sun

21/07/2009 20:35:55 -- 21/07/2009 20:35:56 (DIR) ---- 22 days old -- D:\WINDOWS\ERUNT

17/07/2009 00:05:55 -- 17/07/2009 00:05:56 (DIR) H--- 27 days old -- D:\WINDOWS\$NtUninstallKB973346$

17/07/2009 00:05:27 -- 17/07/2009 00:05:28 (DIR) H--- 27 days old -- D:\WINDOWS\$NtUninstallKB971633$

17/07/2009 00:01:53 -- 17/07/2009 00:01:54 (DIR) H--- 27 days old -- D:\WINDOWS\$NtUninstallKB961371$

10/08/2009 12:11:45 -- 13/08/2009 13:28:52 45938 ---A 0 days old -- D:\WINDOWS\setupapi.log

13/08/2009 10:03:45 -- 13/08/2009 10:07:08 4967 ---A 0 days old -- D:\WINDOWS\KB960859.log

01/08/2009 19:35:07 -- 13/08/2009 10:07:04 708254 ---A 0 days old -- D:\WINDOWS\WindowsUpdate.log

13/08/2009 10:03:28 -- 13/08/2009 10:07:04 4869 ---A 0 days old -- D:\WINDOWS\KB971657.log

13/08/2009 10:03:15 -- 13/08/2009 10:06:58 4774 ---A 0 days old -- D:\WINDOWS\KB971557.log

13/08/2009 10:01:04 -- 13/08/2009 10:06:54 4682 ---A 0 days old -- D:\WINDOWS\KB973507.log

13/08/2009 09:55:10 -- 13/08/2009 10:04:04 4110 ---A 0 days old -- D:\WINDOWS\KB973815.log

10/08/2009 12:11:46 -- 13/08/2009 09:52:36 0 ---A 0 days old -- D:\WINDOWS\0.log

19/09/2007 10:51:42 -- 13/08/2009 09:52:12 2048 -S-A 0 days old -- D:\WINDOWS\bootstat.dat

19/09/2007 10:52:55 -- 12/08/2009 15:14:16 32322 ---A 0 days old -- D:\WINDOWS\SchedLgU.Txt

28/10/2001 18:07:30 -- 12/08/2009 12:06:46 227 ---A 1 days old -- D:\WINDOWS\system.ini

12/08/2009 11:33:47 -- 12/08/2009 12:06:44 202546 ---A 1 days old -- D:\WINDOWS\ntbtlog.txt

10/08/2009 14:54:12 -- 20/04/2009 12:56:28 31232 ---A 3 days old -- D:\WINDOWS\NIRCMD.exe

10/08/2009 14:54:11 -- 31/08/2000 08:00:00 212480 ---A 3 days old -- D:\WINDOWS\SWXCACLS.exe

10/08/2009 14:54:11 -- 31/08/2000 08:00:00 136704 ---A 3 days old -- D:\WINDOWS\SWSC.exe

10/08/2009 14:54:11 -- 31/08/2000 08:00:00 68096 ---A 3 days old -- D:\WINDOWS\zip.exe

10/08/2009 14:54:11 -- 08/08/2009 12:10:16 216064 ---A 3 days old -- D:\WINDOWS\PEV.exe

10/08/2009 14:54:11 -- 31/08/2000 08:00:00 80412 ---A 3 days old -- D:\WINDOWS\grep.exe

10/08/2009 14:54:11 -- 31/08/2000 08:00:00 98816 ---A 3 days old -- D:\WINDOWS\sed.exe

10/08/2009 14:54:11 -- 31/08/2000 08:00:00 161792 ---A 3 days old -- D:\WINDOWS\SWREG.exe

28/10/2001 18:07:38 -- 26/07/2009 21:51:52 796 ---A 17 days old -- D:\WINDOWS\win.ini

 

---- recent files in D:\WINDOWS\system\

30/06/2009 02:06:05 -- 30/06/2009 19:06:48 276 ---A 43 days old -- D:\WINDOWS\system\cmicnfg.ini

 

---- recent files in D:\WINDOWS\system32\

30/07/2009 14:07:11 -- 30/07/2009 14:07:12 (DIR) ---- 14 days old -- D:\WINDOWS\system32\CatRoot2

13/08/2009 12:30:26 -- 13/08/2009 12:30:04 179792 ---A 0 days old -- D:\WINDOWS\system32\guard32.dll

28/10/2001 18:07:48 -- 13/08/2009 11:51:46 2262 ---A 0 days old -- D:\WINDOWS\system32\wpa.dbl

28/10/2001 18:07:18 -- 12/08/2009 11:44:12 79022 ---A 1 days old -- D:\WINDOWS\system32\perfc016.dat

28/10/2001 18:07:18 -- 12/08/2009 11:44:12 432356 ---A 1 days old -- D:\WINDOWS\system32\perfh009.dat

19/09/2007 10:34:24 -- 12/08/2009 11:44:12 1060812 ---A 1 days old -- D:\WINDOWS\system32\PerfStringBackup.INI

28/10/2001 18:07:18 -- 12/08/2009 11:44:12 468108 ---A 1 days old -- D:\WINDOWS\system32\perfh016.dat

28/10/2001 18:07:18 -- 12/08/2009 11:44:12 67312 ---A 1 days old -- D:\WINDOWS\system32\perfc009.dat

19/09/2007 10:32:59 -- 09/08/2009 10:14:02 264616 ---A 4 days old -- D:\WINDOWS\system32\FNTCACHE.DAT

13/08/2007 18:54:10 -- 19/07/2009 18:45:06 11067392 ---A 24 days old -- D:\WINDOWS\system32\ieframe.dll

04/08/2004 07:45:24 -- 19/07/2009 10:15:08 5937152 ---A 25 days old -- D:\WINDOWS\system32\mshtml.dll

08/07/2008 20:28:26 -- 07/07/2009 08:10:58 24539592 ---A 37 days old -- D:\WINDOWS\system32\MRT.exe

04/08/2004 07:45:28 -- 03/07/2009 13:59:12 915456 ---A 41 days old -- D:\WINDOWS\system32\wininet.dll

04/08/2004 07:45:26 -- 03/07/2009 13:59:12 206848 ---A 41 days old -- D:\WINDOWS\system32\occache.dll

04/08/2004 07:45:28 -- 03/07/2009 13:59:12 1208832 ---A 41 days old -- D:\WINDOWS\system32\urlmon.dll

13/08/2007 18:54:10 -- 03/07/2009 13:59:10 55296 ---A 41 days old -- D:\WINDOWS\system32\msfeedsbs.dll

04/08/2004 07:45:46 -- 03/07/2009 13:59:10 1469440 ---A 41 days old -- D:\WINDOWS\system32\inetcpl.cpl

13/08/2007 18:54:10 -- 03/07/2009 13:59:10 594432 ---A 41 days old -- D:\WINDOWS\system32\msfeeds.dll

04/08/2004 07:45:24 -- 03/07/2009 13:59:10 25600 ---A 41 days old -- D:\WINDOWS\system32\jsproxy.dll

27/10/2008 13:57:53 -- 03/07/2009 13:59:08 1985536 ---A 41 days old -- D:\WINDOWS\system32\iertutil.dll

04/08/2004 07:45:24 -- 03/07/2009 13:59:08 184320 ---A 41 days old -- D:\WINDOWS\system32\iepeers.dll

04/08/2004 07:45:24 -- 03/07/2009 13:59:06 386048 ---A 41 days old -- D:\WINDOWS\system32\iedkcs32.dll

04/08/2004 07:45:36 -- 03/07/2009 08:01:06 173056 ---A 41 days old -- D:\WINDOWS\system32\ie4uinit.exe

29/06/2009 23:14:41 -- 27/02/2009 15:34:02 462848 ---A 44 days old -- D:\WINDOWS\system32\Firebird2Control.cpl

04/08/2004 07:41:20 -- 29/06/2009 05:40:16 57667 ---A 45 days old -- D:\WINDOWS\system32\ieuinit.inf

04/08/2004 07:45:28 -- 16/06/2009 11:39:26 119808 ---A 58 days old -- D:\WINDOWS\system32\t2embed.dll

28/10/2001 18:06:32 -- 16/06/2009 11:39:26 81920 ---A 58 days old -- D:\WINDOWS\system32\fontsub.dll

 

---- recent files in D:\WINDOWS\system32\drivers\

13/08/2009 13:32:54 -- 13/08/2009 13:32:56 96976 ---A 0 days old -- D:\WINDOWS\system32\drivers\klin.dat

13/08/2009 13:32:51 -- 13/08/2009 13:32:52 87855 ---A 0 days old -- D:\WINDOWS\system32\drivers\klick.dat

13/08/2009 13:11:49 -- 13/08/2009 13:11:50 32 HS-A 0 days old -- D:\WINDOWS\system32\drivers\fidbox2.idx

13/08/2009 13:11:49 -- 13/08/2009 13:11:50 32 HS-A 0 days old -- D:\WINDOWS\system32\drivers\fidbox2.dat

13/08/2009 12:59:03 -- 13/08/2009 12:59:04 227344 ---A 0 days old -- D:\WINDOWS\system32\drivers\klif.sys

13/08/2009 12:30:26 -- 13/08/2009 12:30:04 25160 ---A 0 days old -- D:\WINDOWS\system32\drivers\cmdhlp.sys

13/08/2009 12:30:26 -- 13/08/2009 12:30:04 86976 ---A 0 days old -- D:\WINDOWS\system32\drivers\inspect.sys

13/08/2009 12:30:26 -- 13/08/2009 12:30:04 132040 ---A 0 days old -- D:\WINDOWS\system32\drivers\cmdguard.sys

29/04/2009 20:59:26 -- 12/08/2009 15:14:34 32 HS-A 0 days old -- D:\WINDOWS\system32\drivers\fidbox.idx

29/04/2009 20:59:26 -- 12/08/2009 15:14:34 32 HS-A 0 days old -- D:\WINDOWS\system32\drivers\fidbox.dat

18/03/2009 21:30:50 -- 07/08/2009 09:49:48 55656 ---A 6 days old -- D:\WINDOWS\system32\drivers\avgntflt.sys

27/07/2009 14:28:42 -- 08/07/2008 14:54:02 148496 ---A 17 days old -- D:\WINDOWS\system32\drivers\12878755.sys

12/11/2008 15:12:43 -- 18/07/2009 10:05:38 208 ---A 26 days old -- D:\WINDOWS\system32\drivers\GbpKmAp.lst

23/04/2009 12:56:20 -- 13/07/2009 13:36:34 38160 ---A 31 days old -- D:\WINDOWS\system32\drivers\mbamswissarmy.sys

23/04/2009 12:56:22 -- 13/07/2009 13:36:12 19096 ---A 31 days old -- D:\WINDOWS\system32\drivers\mbam.sys

30/06/2009 02:28:52 -- 13/04/2008 11:46:24 10880 ---A 44 days old -- D:\WINDOWS\system32\drivers\NdisIP.sys

30/06/2009 02:08:30 -- 13/04/2008 11:45:14 60032 ---A 44 days old -- D:\WINDOWS\system32\drivers\USBAUDIO.sys

 

---- recent files in D:\WINDOWS\temp\

13/08/2009 09:52:30 -- 13/08/2009 09:52:32 16384 ---A 0 days old -- D:\WINDOWS\temp\Perflib_Perfdata_c8.dat

 

---- recent files in D:\Arquivos de programas\

13/08/2009 13:12:06 -- 13/08/2009 13:12:08 (DIR) ---- 0 days old -- D:\Arquivos de programas\Kaspersky Lab

13/08/2009 12:30:03 -- 13/08/2009 12:30:04 (DIR) ---- 0 days old -- D:\Arquivos de programas\COMODO

12/08/2009 13:08:23 -- 12/08/2009 13:08:24 (DIR) ---- 1 days old -- D:\Arquivos de programas\Lavalys

30/07/2009 14:06:43 -- 30/07/2009 14:06:44 (DIR) H--- 14 days old -- D:\Arquivos de programas\WindowsUpdate

23/07/2009 12:10:18 -- 23/07/2009 12:10:20 (DIR) ---- 21 days old -- D:\Arquivos de programas\blcorp

22/06/2009 14:01:59 -- 22/06/2009 14:02:00 (DIR) ---- 52 days old -- D:\Arquivos de programas\Gadwin Systems

17/06/2009 16:05:03 -- 17/06/2009 16:05:04 (DIR) ---- 56 days old -- D:\Arquivos de programas\Mozilla Firefox 3.5 Preview

 

---- recent files in D:\Arquivos de programas\Arquivos comuns\

 

---- recent files in D:\Documents and Settings\edsom luis\Dados de aplicativos\

13/08/2009 12:32:10 -- 13/08/2009 12:32:12 (DIR) ---- 0 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\Comodo

03/08/2009 21:29:52 -- 03/08/2009 21:29:54 (DIR) ---- 9 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\SUPERAntiSpyware.com

01/08/2009 19:20:57 -- 01/08/2009 19:20:58 (DIR) ---- 11 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\Yahoo!

30/07/2009 23:47:18 -- 30/07/2009 23:47:20 (DIR) ---- 13 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\iolo

30/07/2009 21:29:02 -- 30/07/2009 21:29:04 (DIR) ---- 13 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\Download Manager

30/07/2009 15:36:58 -- 30/07/2009 15:37:00 (DIR) ---- 13 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\WinRAR

 

---- recent files in D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\

23/07/2009 12:10:18 -- 23/07/2009 12:10:20 (DIR) ---- 21 days old -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\BLCorp

12/06/2009 01:29:58 -- 12/08/2009 15:14:00 5898090 H--A 0 days old -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\IconCache.db

19/09/2007 13:50:44 -- 09/08/2009 10:16:40 68280 ---A 4 days old -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT

19/09/2007 11:08:04 -- 24/07/2009 22:16:44 40448 ---A 19 days old -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

 

==========================================

Scan completed in 0,6 minutes

End of report

 

 

~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~

SystemScan uses some freeware tools that remain property of their authors:

 

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "

* dumphive (Markus Stephany)--> "Registry scan"

* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"

* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"

---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

 

Thanks to all of them for their hard work

 


13/08/2007 18:54:10 -- 19/07/2009 18:45:06 11067392 ---A 24 days old -- D:\WINDOWS\system32\ieframe.dll

04/08/2004 07:45:24 -- 19/07/2009 10:15:08 5937152 ---A 25 days old -- D:\WINDOWS\system32\mshtml.dll

08/07/2008 20:28:26 -- 07/07/2009 08:10:58 24539592 ---A 37 days old -- D:\WINDOWS\system32\MRT.exe

04/08/2004 07:45:28 -- 03/07/2009 13:59:12 915456 ---A 41 days old -- D:\WINDOWS\system32\wininet.dll

04/08/2004 07:45:26 -- 03/07/2009 13:59:12 206848 ---A 41 days old -- D:\WINDOWS\system32\occache.dll

04/08/2004 07:45:28 -- 03/07/2009 13:59:12 1208832 ---A 41 days old -- D:\WINDOWS\system32\urlmon.dll

13/08/2007 18:54:10 -- 03/07/2009 13:59:10 55296 ---A 41 days old -- D:\WINDOWS\system32\msfeedsbs.dll

04/08/2004 07:45:46 -- 03/07/2009 13:59:10 1469440 ---A 41 days old -- D:\WINDOWS\system32\inetcpl.cpl

13/08/2007 18:54:10 -- 03/07/2009 13:59:10 594432 ---A 41 days old -- D:\WINDOWS\system32\msfeeds.dll

04/08/2004 07:45:24 -- 03/07/2009 13:59:10 25600 ---A 41 days old -- D:\WINDOWS\system32\jsproxy.dll

27/10/2008 13:57:53 -- 03/07/2009 13:59:08 1985536 ---A 41 days old -- D:\WINDOWS\system32\iertutil.dll

04/08/2004 07:45:24 -- 03/07/2009 13:59:08 184320 ---A 41 days old -- D:\WINDOWS\system32\iepeers.dll

04/08/2004 07:45:24 -- 03/07/2009 13:59:06 386048 ---A 41 days old -- D:\WINDOWS\system32\iedkcs32.dll

04/08/2004 07:45:36 -- 03/07/2009 08:01:06 173056 ---A 41 days old -- D:\WINDOWS\system32\ie4uinit.exe

29/06/2009 23:14:41 -- 27/02/2009 15:34:02 462848 ---A 44 days old -- D:\WINDOWS\system32\Firebird2Control.cpl

04/08/2004 07:41:20 -- 29/06/2009 05:40:16 57667 ---A 45 days old -- D:\WINDOWS\system32\ieuinit.inf

04/08/2004 07:45:28 -- 16/06/2009 11:39:26 119808 ---A 58 days old -- D:\WINDOWS\system32\t2embed.dll

28/10/2001 18:06:32 -- 16/06/2009 11:39:26 81920 ---A 58 days old -- D:\WINDOWS\system32\fontsub.dll

 

---- recent files in D:\WINDOWS\system32\drivers\

13/08/2009 13:32:54 -- 13/08/2009 13:32:56 96976 ---A 0 days old -- D:\WINDOWS\system32\drivers\klin.dat

13/08/2009 13:32:51 -- 13/08/2009 13:32:52 87855 ---A 0 days old -- D:\WINDOWS\system32\drivers\klick.dat

13/08/2009 13:11:49 -- 13/08/2009 13:11:50 32 HS-A 0 days old -- D:\WINDOWS\system32\drivers\fidbox2.idx

13/08/2009 13:11:49 -- 13/08/2009 13:11:50 32 HS-A 0 days old -- D:\WINDOWS\system32\drivers\fidbox2.dat

13/08/2009 12:59:03 -- 13/08/2009 12:59:04 227344 ---A 0 days old -- D:\WINDOWS\system32\drivers\klif.sys

13/08/2009 12:30:26 -- 13/08/2009 12:30:04 25160 ---A 0 days old -- D:\WINDOWS\system32\drivers\cmdhlp.sys

13/08/2009 12:30:26 -- 13/08/2009 12:30:04 86976 ---A 0 days old -- D:\WINDOWS\system32\drivers\inspect.sys

13/08/2009 12:30:26 -- 13/08/2009 12:30:04 132040 ---A 0 days old -- D:\WINDOWS\system32\drivers\cmdguard.sys

29/04/2009 20:59:26 -- 12/08/2009 15:14:34 32 HS-A 0 days old -- D:\WINDOWS\system32\drivers\fidbox.idx

29/04/2009 20:59:26 -- 12/08/2009 15:14:34 32 HS-A 0 days old -- D:\WINDOWS\system32\drivers\fidbox.dat

18/03/2009 21:30:50 -- 07/08/2009 09:49:48 55656 ---A 6 days old -- D:\WINDOWS\system32\drivers\avgntflt.sys

27/07/2009 14:28:42 -- 08/07/2008 14:54:02 148496 ---A 17 days old -- D:\WINDOWS\system32\drivers\12878755.sys

12/11/2008 15:12:43 -- 18/07/2009 10:05:38 208 ---A 26 days old -- D:\WINDOWS\system32\drivers\GbpKmAp.lst

23/04/2009 12:56:20 -- 13/07/2009 13:36:34 38160 ---A 31 days old -- D:\WINDOWS\system32\drivers\mbamswissarmy.sys

23/04/2009 12:56:22 -- 13/07/2009 13:36:12 19096 ---A 31 days old -- D:\WINDOWS\system32\drivers\mbam.sys

30/06/2009 02:28:52 -- 13/04/2008 11:46:24 10880 ---A 44 days old -- D:\WINDOWS\system32\drivers\NdisIP.sys

30/06/2009 02:08:30 -- 13/04/2008 11:45:14 60032 ---A 44 days old -- D:\WINDOWS\system32\drivers\USBAUDIO.sys

 

---- recent files in D:\WINDOWS\temp\

13/08/2009 09:52:30 -- 13/08/2009 09:52:32 16384 ---A 0 days old -- D:\WINDOWS\temp\Perflib_Perfdata_c8.dat

 

---- recent files in D:\Arquivos de programas\

13/08/2009 13:12:06 -- 13/08/2009 13:12:08 (DIR) ---- 0 days old -- D:\Arquivos de programas\Kaspersky Lab

13/08/2009 12:30:03 -- 13/08/2009 12:30:04 (DIR) ---- 0 days old -- D:\Arquivos de programas\COMODO

12/08/2009 13:08:23 -- 12/08/2009 13:08:24 (DIR) ---- 1 days old -- D:\Arquivos de programas\Lavalys

30/07/2009 14:06:43 -- 30/07/2009 14:06:44 (DIR) H--- 14 days old -- D:\Arquivos de programas\WindowsUpdate

23/07/2009 12:10:18 -- 23/07/2009 12:10:20 (DIR) ---- 21 days old -- D:\Arquivos de programas\blcorp

22/06/2009 14:01:59 -- 22/06/2009 14:02:00 (DIR) ---- 52 days old -- D:\Arquivos de programas\Gadwin Systems

17/06/2009 16:05:03 -- 17/06/2009 16:05:04 (DIR) ---- 56 days old -- D:\Arquivos de programas\Mozilla Firefox 3.5 Preview

 

---- recent files in D:\Arquivos de programas\Arquivos comuns\

 

---- recent files in D:\Documents and Settings\edsom luis\Dados de aplicativos\

13/08/2009 12:32:10 -- 13/08/2009 12:32:12 (DIR) ---- 0 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\Comodo

03/08/2009 21:29:52 -- 03/08/2009 21:29:54 (DIR) ---- 9 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\SUPERAntiSpyware.com

01/08/2009 19:20:57 -- 01/08/2009 19:20:58 (DIR) ---- 11 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\Yahoo!

30/07/2009 23:47:18 -- 30/07/2009 23:47:20 (DIR) ---- 13 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\iolo

30/07/2009 21:29:02 -- 30/07/2009 21:29:04 (DIR) ---- 13 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\Download Manager

30/07/2009 15:36:58 -- 30/07/2009 15:37:00 (DIR) ---- 13 days old -- D:\Documents and Settings\edsom luis\Dados de aplicativos\WinRAR

 

---- recent files in D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\

23/07/2009 12:10:18 -- 23/07/2009 12:10:20 (DIR) ---- 21 days old -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\BLCorp

12/06/2009 01:29:58 -- 12/08/2009 15:14:00 5898090 H--A 0 days old -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\IconCache.db

19/09/2007 13:50:44 -- 09/08/2009 10:16:40 68280 ---A 4 days old -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT

19/09/2007 11:08:04 -- 24/07/2009 22:16:44 40448 ---A 19 days old -- D:\Documents and Settings\edsom luis\Configurações locais\Dados de aplicativos\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

 

==========================================

Scan completed in 0,6 minutes

End of report

 

 

~~~~~~~~~~~~~~~~~~~~~-----CREDITS-----~~~~~~~~~~~~~~~~~~~~~

SystemScan uses some freeware tools that remain property of their authors:

 

* SteelWerX Registry Console Tool, Who Am I (Bobby Flekman: www.xs4all.nl/~fstaal01) --> "Registry scan", "PC accounts "

* dumphive (Markus Stephany)--> "Registry scan"

* Listdlls (M.Russinovich, B.Cogswell: www.sysinternals.com) --> "Loaded modules"

* Catchme & MBR Rootkit detector (gmer: www.gmer.net) --> "Hidden objects", "Alternate Data Streams" & "Master Boot Record"

---> NOTE: SystemScan integrates "The Avenger" from Swandog46 (http://swandog46.geekstogo.com) to allow you to remove malwares found in this log

 

Thanks to all of them for their hard work

 

 

 

Thanks and regards.


Good afternoon! EDSSX

 

Output limited to:

-Recent files

<!> That limitation on the tool's scan is of no use to me. It makes the scan worthless for a more serious investigation.

<!> Please tick all the checkboxes in the options and upload the zipped report.

 

Output limited to:

-Registry Run Keys

-Svchost.exe instances

-Include HIJACKTHIS.log

----------------------

----------------------

<!> These are the main options to tick.

<!> PS: As I supposed, RootkitRevealer found nothing.

<!> PS: A question is in order here. Have you already tried to delete that subfolder manually? What happens when you try?

 

Regards!


Good afternoon!

 

 

Yes, I have already used the Registry Editor to try to remove them manually, but a message appears saying it is not possible.

 

Sorry, but I am not understanding this option of hosting it (and ticking the checkboxes too) on some site, although it requires registration/authorization to do so.

 

 

Now I have understood/learned.

 

Here is the address = http://www.esnips.com/doc/f74ce102-74b3-484c-8d40-1df2672581f7/13_08_2009_15_05_report

 

 

Thanks and regards.


Good evening! EDSSX

 

<!> The link to the report is broken.

<!> Register and try through here: < http://www.badongo.com/pt/logout >

<!> But... before any study of that report, add Administrator permissions to LEGACY_HOOKSYS, if it does not have them.

<!> Open the Editor... --> Right-click LEGACY_HOOKSYS --> Permissions...

<!> If the "Full Control" and "Read" checkboxes are unticked, you will not be able to delete that subfolder. ( LEGACY_HOOKSYS )

<!> But... if they are ticked and you still cannot remove it, add the group "Administrators(xxx..\Administrators)". --> Apply --> OK.

<!> Select that new group and tick the checkboxes.. --> Apply --> OK.

<!> Exit the Editor --> Reboot and try to delete LEGACY_HOOKSYS.

 

Regards!

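The registry-permission procedure in the reply above, scripted in PowerShell as an added example; it is not code from the thread or from any of the tools mentioned in it. The thread never gives the full path of LEGACY_HOOKSYS, so the script assumes the standard location of LEGACY_* keys, HKLM\SYSTEM\CurrentControlSet\Enum\Root, and assumes (by the LEGACY_<SERVICE> naming convention) that the matching service entry is HKLM\SYSTEM\CurrentControlSet\Services\hooksys. Run it from an elevated PowerShell on the affected machine.

```powershell
# Added example (not from the thread): the regedit steps above, scripted.
# Run from an elevated PowerShell on the affected machine. Assumptions:
#  - LEGACY_* keys live under HKLM\SYSTEM\CurrentControlSet\Enum\Root (standard location);
#  - the key name LEGACY_HOOKSYS corresponds to a service named "hooksys" under
#    HKLM\SYSTEM\CurrentControlSet\Services (the LEGACY_<SERVICE> naming convention).
param(
    [string]$KeyName = 'LEGACY_HOOKSYS'
)

$subKey = "SYSTEM\CurrentControlSet\Enum\Root\$KeyName"

# Open the key with only the rights needed to inspect and rewrite its DACL.
# If this throws "access denied", the current user is neither the owner nor
# holds WRITE_DAC: take ownership first (regedit -> Permissions -> Advanced -> Owner).
$rights = [System.Security.AccessControl.RegistryRights]'ReadPermissions, ChangePermissions'
$key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    $subKey, [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree, $rights)
if ($null -eq $key) { throw "HKLM\$subKey does not exist" }

# Current ACL: on XP these PnP keys usually give SYSTEM Full Control and
# Administrators Read only, which is why the delete in regedit is refused.
$acl = $key.GetAccessControl()
$acl.Access | Format-Table IdentityReference, RegistryRights, AccessControlType, IsInherited -AutoSize

# Built-in Administrators by well-known SID (independent of the Windows UI language,
# so it matches "Administradores" on a Portuguese install as well as "Administrators").
$admins = New-Object -TypeName System.Security.Principal.SecurityIdentifier `
    -ArgumentList ([System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid), $null
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
    $admins,
    [System.Security.AccessControl.RegistryRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,   # propagate to subkeys
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow
)
$acl.AddAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

# With Full Control in place the delete succeeds; -Recurse removes the instance subkeys too.
Remove-Item -Path "HKLM:\$subKey" -Recurse -Force
Write-Host "Deleted HKLM\$subKey"

# Caveat: the Plug and Play manager recreates LEGACY_<service> entries at boot while the
# matching service definition still exists, so deleting the Enum key alone is not enough.
$serviceName = $KeyName -replace '^LEGACY_', ''   # assumption: LEGACY_<SERVICE> convention
$serviceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\$serviceName"
if (Test-Path $serviceKey) {
    Write-Warning "Service entry $serviceKey still exists; the LEGACY key will come back on reboot."
    Get-ItemProperty -Path $serviceKey | Select-Object ImagePath, Start, Type
} else {
    Write-Host "No service entry named $serviceName; the key should stay gone."
}
```

Two points the GUI steps leave implicit: the script addresses the built-in Administrators group by its well-known SID rather than by the localized name, so it works on any Windows language; and it checks the Services key afterwards, because the Plug and Play manager rebuilds LEGACY_<service> keys at boot while the corresponding service definition still exists, so deleting only the Enum key gives a result that does not survive a reboot.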
