[Resolvido!] atapi.sys infectado - Log do hijackthis

Supremus · Janeiro 2, 2010

Oi

O meu antivirus começou a detetar um trojan no atapi.sys, como era um velho AV instalei um novo e o problema mantem-se e confirma-se..

Ajudem-me por favor.

Aqui fica o log do hijackthis:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:52:22, on 02-01-2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Programas\AskBarDis\bar\bin\AskService.exe

C:\Programas\AskBarDis\bar\bin\ASKUpgrade.exe

C:\Programas\Brother\BRAdmin Professional 3\bratimer.exe

C:\Programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\PnkBstrA.exe

C:\Programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Programas\NetLimiter\NetLimiter.exe

C:\Programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Programas\Java\jre6\bin\jusched.exe

C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\Programas\ScanSoft\PaperPort\pptd40nt.exe

C:\Programas\Brother\Brmfcmon\BrMfcWnd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Brother\ControlCenter3\brccMCtl.exe

C:\Programas\Brother\Brmfcmon\BrMfimon.exe

C:\Programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\Programas\Windows Live\Messenger\msnmsgr.exe

C:\Programas\Windows Live\Contacts\wlcomm.exe

C:\Programas\Mozilla Firefox\firefox.exe

C:\Programas\ESET\ESET Smart Security\ekrn.exe

C:\Programas\ESET\ESET Smart Security\egui.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.mini20.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações

O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Programas\Ficheiros comuns\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Programas\AskBarDis\bar\bin\askBar.dll

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programas\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: Programa Auxiliar de Início de Sessão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programas\Ficheiros comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Programas\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O2 - BHO: DAPIELoader Class - {FF6C3CF0-4B15-11D1-ABED-709549C10000} - C:\PROGRA~1\DAP\DAPIEL~1.DLL

O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Programas\AskBarDis\bar\bin\askBar.dll

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper

O4 - HKLM\..\Run: [NetLimiter] C:\Programas\NetLimiter\NetLimiter.exe /s

O4 - HKLM\..\Run: [startCCC] "C:\Programas\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun

O4 - HKLM\..\Run: [QuickTime Task] "C:\Programas\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Programas\Adobe\Reader 9.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [Adobe ARM] "C:\Programas\Ficheiros comuns\Adobe\ARM\1.0\AdobeARM.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Programas\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [GrooveMonitor] "C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Programas\Ficheiros comuns\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [PaperPort PTD] "C:\Programas\ScanSoft\PaperPort\pptd40nt.exe"

O4 - HKLM\..\Run: [indexSearch] "C:\Programas\ScanSoft\PaperPort\IndexSearch.exe"

O4 - HKLM\..\Run: [PPort11reminder] "C:\Programas\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"

O4 - HKLM\..\Run: [brMfcWnd] C:\Programas\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN

O4 - HKLM\..\Run: [ControlCenter3] C:\Programas\Brother\ControlCenter3\brctrcen.exe /autorun

O4 - HKLM\..\Run: [egui] "C:\Programas\ESET\ESET Smart Security\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Chute\Definições locais\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SERVIÇO LOCAL')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Serviço de rede')

O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Serviço de rede')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')

O8 - Extra context menu item: &Clean Traces - C:\Programas\DAP\Privacy Package\dapcleanerie.htm

O8 - Extra context menu item: &Download with &DAP - C:\Programas\DAP\dapextie.htm

O8 - Extra context menu item: Download &all with DAP - C:\Programas\DAP\dapextie2.htm

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000

O9 - Extra button: Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: &Enviar para o OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programas\Microsoft Office\Office12\GrooveSystemServices.dll

O23 - Service: ASKService - Unknown owner - C:\Programas\AskBarDis\bar\bin\AskService.exe

O23 - Service: ASKUpgrade - Unknown owner - C:\Programas\AskBarDis\bar\bin\ASKUpgrade.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: Brother BRAdminPro Scheduler (BRA_Scheduler) - Unknown owner - C:\Programas\Brother\BRAdmin Professional 3\bratimer.exe

O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Programas\ESET\ESET Smart Security\EHttpSrv.exe

O23 - Service: ESET Service (ekrn) - ESET - C:\Programas\ESET\ESET Smart Security\ekrn.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Programas\Java\jre6\bin\jqs.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Programas\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ServiceLayer - Nokia - C:\Programas\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 8934 bytes

Obrigado

Power Max · Janeiro 2, 2010

:) Olá Supremus! Seja bem-vindo ao Fórum Imasters.

:seta: Abra o HijackThis, clique em Do a system scan only, marque a entrada abaixo e clique em Fix checked:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

___________________________________

:seta: Siga, por gentileza, as dicas deste tutorial:

'>http://dicasetutoriaisparapc.blogspot.com/2009/10/tutorial-do-ad-remover.html"]Tutorial do Ad-Remover

___________________________________

:seta: Siga também as dicas deste tutorial para fazer uma limpeza de seu PC com o Malwarebytes:

'>http://dicasetutoriaisparapc.blogspot.com/2009/10/tutorial-do-malwarebytes-anti-malware.html"]Tutorial do Malwarebytes Anti-Malware

Na sua próxima resposta poste este log do Malwarebytes juntamente com o log do Ad-Remover que estará em C:\Ad-Report-CLEAN[1].log e um novo log do Hijackthis e nos diga como está o seu PC após estes procedimentos.

Ficamos no aguardo.

Supremus · Janeiro 2, 2010

Antes de mais, muito obrigado pela disponibilidade.

Corri o AD-Remover, o Malwarebytes Anti-Malware e de novo o Hijackthis. Durante o novo scan do hijackthis o antivirus voltou a detetar o virus:

Object: C:\WINDOWS\system32\DRIVERS\atapi.sys

Threat: Win32/Olmarik.OF virus

Cá vão os logs:

AD-Remover

.

======= LOGFILE OF AD-REMOVER 1.1.4.6_F | ONLY XP/VISTA/7 =======

.

Updated by C_XX on 26.12.2009 at 20:47

Contact: AdRemover.contact@gmail.com

Website: http://pagesperso-orange.fr/NosTools/ad_remover.html

.

Launch at: 18:50:17, 02-01-2010 | Normal Boot | Option: CLEAN

Executed from: C:\Programas\Ad-Remover\

Operating system: Microsoft® Windows XP™ Service Pack 3 VersÆo 5.1.2600

Computer Name: RUI | Current user: Chute

Bonnes fêtes de fin d'année à vous tous :)

.

============== NEUTRALIZED ELEMENT(S) ==============

.

Service: ASKService

Service: ASKUpgrade

C:\Programas\AskBarDis

(!) -- Temp files deleted.

.

HKCU\software\appdatalow\AskBarDis

HKCU\software\AskBarDis

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{3041d03e-fd4b-44e0-b742-2d9b88305f98}

HKCU\Software\Mozilla\Firefox\Extensions\\{A89AED22-9133-424c-88E7-C8235C5FF302}

HKLM\software\appdatalow\AskBarDis

HKLM\software\AskBarDis

HKLM\Software\Classes\CLSID\{0702a2b6-13aa-4090-9e01-bcdc85dd933f}

HKLM\Software\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}

HKLM\Software\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}

HKLM\Software\Classes\CLSID\{622fd888-4e91-4d68-84d4-7262fd0811bf}

HKLM\Software\Classes\CLSID\{b0de3308-5d5a-470d-81b9-634fc078393b}

HKLM\software\classes\TR.TRFactory

HKLM\software\classes\TR.TRFactory.1

HKLM\Software\Classes\TypeLib\{4B1C1E16-6B34-430E-B074-5928ECA4C150}

HKLM\Software\Microsoft\Internet Explorer\Toolbar\\{3041d03e-fd4b-44e0-b742-2d9b88305f98}

HKLM\software\microsoft\shared tools\msconfig\startupreg\AdVantage

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}

.

============== Added scan ==============

.

* Mozilla FireFox Version 3.5.6 [pt-PT] *

.

ProfilePath: uzl5a8m2.default (Chute)

.

(Chute, prefs.js) Browser.download.lastDir, E:\aplicaÃ§Ãµes\Â»Â« SEGURANÃ‡A Â»Â«

(Chute, prefs.js) Browser.startup.homepage, hxxp://ogame.com.pt/

(Chute, prefs.js) Extensions.enabledItems, {b66bc4c3-6d25-4a10-8c59-01daa9063051}:1.5.2,{e4a8a97b-f2ed-450b-b12d-ee082ba24781}:0.8.20090920.2,{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}:6.0.11,{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13,{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}:6.0.15,{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}:6.0.17,jqs@sun.com:1.0,{20a82645-c095-46ed-80e3-08825760534b}:1.1,bkmrksync@nokia.com:1.0.0.723,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.5.6

.

* Internet Explorer Version 8.0.6001.18702 *

.

[HKEY_CURRENT_USER\..\Internet Explorer\Main]

.

Do404Search: 01000000

Local Page: C:\WINDOWS\system32\blank.htm

Show_ToolBar: yes

Enable Browser Extensions: yes

Start Page: hxxp://fr.msn.com/

Default_search_url: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Default_page_url: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Search bar: hxxp://go.microsoft.com/fwlink/?linkid=54896

.

[HKEY_LOCAL_MACHINE\..\Internet Explorer\Main]

.

Default_Page_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

Default_Search_URL: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Delete_Temp_Files_On_Exit: yes

Local Page: C:\WINDOWS\system32\blank.htm

Search Page: hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

Start Page: hxxp://fr.msn.com/

Search bar: hxxp://search.msn.com/spbasic.htm

.

[HKEY_LOCAL_MACHINE\..\Internet Explorer\ABOUTURLS]

.

Tabs: res://ieframe.dll/tabswelcome.htm

.

============== Suspect (Cracks, Serials, ...) ==============

.

C:\Documents and Settings\Chute\Application Data\uTorrent\Nero 9.2.6.0 Activation Patch + Plugins keymaker v4.0.2.0 - Amar_Bunty.rar.torrent

.

===================================

.

3752 Byte(s) - C:\Ad-Report-CLEAN[1].log

3970 Byte(s) - C:\Ad-Report-SCAN[1].log

.

0 File(s) - C:\DOCUME~1\Chute\DEFINI~1\Temp

1 File(s) - C:\WINDOWS\Temp

8 File(s) - C:\WINDOWS\Prefetch

.

19 File(s) - C:\Programas\Ad-Remover\BACKUP

25 File(s) - C:\Programas\Ad-Remover\QUARANTINE

.

End at: 18:56:41 | 02-01-2010 - CLEAN[1]

.

============== E.O.F ==============

.

Malwarebytes Anti-Malware

Malwarebytes' Anti-Malware 1.43

Versão do banco de dados: 3480

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

02-01-2010 19:52:01

mbam-log-2010-01-02 (19-52-01).txt

Tipo de Verificação: Completa (C:\|)

Objetos verificados: 153381

Tempo decorrido: 42 minute(s), 10 second(s)

Processos da Memória infectados: 0

Módulos de Memória Infectados: 0

Chaves do Registo infectadas: 0

Valores do Registo infectados: 0

Ítens do Registo infectados: 2

Pastas infectadas: 0

Ficheiros infectados: 0

Processos da Memória infectados:

(Nenhum item malicioso foi detectado)

Módulos de Memória Infectados:

(Nenhum item malicioso foi detectado)

Chaves do Registo infectadas:

(Nenhum item malicioso foi detectado)

Valores do Registo infectados:

(Nenhum item malicioso foi detectado)

Ítens do Registo infectados:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Pastas infectadas:

(Nenhum item malicioso foi detectado)

Ficheiros infectados:

(Nenhum item malicioso foi detectado)

Hijackthis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 19:58:20, on 02-01-2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Programas\Brother\BRAdmin Professional 3\bratimer.exe

C:\Programas\ESET\ESET Smart Security\ekrn.exe

C:\Programas\Java\jre6\bin\jqs.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Programas\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Rundll32.exe

C:\Programas\NetLimiter\NetLimiter.exe

C:\Programas\ATI Technologies\ATI.ACE\Core-Static\MOM.exe

C:\Programas\Adobe\Reader 9.0\Reader\Reader_sl.exe

C:\Programas\Java\jre6\bin\jusched.exe

C:\Programas\Microsoft Office\Office12\GrooveMonitor.exe

C:\Programas\ScanSoft\PaperPort\pptd40nt.exe

C:\Programas\Brother\Brmfcmon\BrMfcWnd.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Programas\ESET\ESET Smart Security\egui.exe

C:\Programas\Brother\ControlCenter3\brccMCtl.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Programas\Brother\Brmfcmon\BrMfimon.exe

C:\Programas\ATI Technologies\ATI.ACE\Core-Static\ccc.exe

C:\WINDOWS\System32\svchost.exe

C:\Programas\Mozilla Firefox\firefox.exe

C:\Programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.microsoft.com/fwlink/?linkid=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/