[Resolvido!] Analise de log

Alexandre Vasconcelos · Julho 8, 2010

Não consigo instalar nenhum antivirus, nenhum arquivo .exe é instalado...

Os executáveis desaparecem em segundos quando os procuro.!

Abaixo o log do Hijack...

alguem me ajude pro favor!!!!!!!!!

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 14:26:06, on 8/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Arquivos de programas\Arquivos comuns\InterVideo\RegMgr\iviRegMgr.exe

C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Arquivos de programas\PDF Complete\pdfsvc.exe

C:\Arquivos de programas\RALINK\Common\RalinkRegistryWriter.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\Explorer.EXE

C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe

C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe

C:\WINDOWS\SMINST\Scheduler.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Lexmark\ErrorApp\LMab1err.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Arquivos de programas\RALINK\Common\RaUI.exe

C:\WINDOWS\system32\LMabcoms.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\Documents and Settings\Admin\Meus documentos\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.pc.mg.gov.br/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=PT_BR&c=74&bd=smb&pf=desktop

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.pc.mg.gov.br:8080

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.mg.gov.br;<local>

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O4 - HKLM\..\Run: [ATIPTA] "C:\Arquivos de programas\ATI Technologies\ATI Control Panel\atiptaxx.exe"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Arquivos de programas\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [soundMAX] "C:\Arquivos de programas\Analog Devices\SoundMAX\Smax4.exe" /tray

O4 - HKLM\..\Run: [amd_dc_opt] C:\Arquivos de programas\AMD\Dual-Core Optimizer\amd_dc_opt.exe

O4 - HKLM\..\Run: [PDF Complete] C:\Arquivos de programas\PDF Complete\pdfsty.exe

O4 - HKLM\..\Run: [setRefresh] C:\Arquivos de programas\Compaq\SetRefresh\SetRefresh.exe

O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\Sminst\Recguard.exe

O4 - HKLM\..\Run: [Reminder] C:\WINDOWS\Creator\Remind_XP.exe

O4 - HKLM\..\Run: [scheduler] C:\WINDOWS\SMINST\Scheduler.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [LMab1err] C:\Arquivos de programas\Lexmark\ErrorApp\LMab1err.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-21-2709758421-4265321505-2810677420-1007\..\Run: [vamsoft] C:\WINDOWS\system32\vamsoft.exe (User 'Cartório TCO')

O4 - HKUS\S-1-5-21-2709758421-4265321505-2810677420-1007\..\Run: [internet Security Service] C:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe (User 'Cartório TCO')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Arquivos de programas\RALINK\Common\RaUI.exe

O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe

O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp

O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=PT_BR&c=74&bd=smb&pf=desktop

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{C713E704-CB90-4D07-9B28-D42A1532506C}: NameServer = 200.198.41.50,200.198.5.4

O22 - SharedTaskScheduler: Pré-carregador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Daemon de cache de categorias de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: IviRegMgr - InterVideo - C:\Arquivos de programas\Arquivos comuns\InterVideo\RegMgr\iviRegMgr.exe

O23 - Service: lmab_device - - C:\WINDOWS\system32\LMabcoms.exe

O23 - Service: PC Angel (PCA) - SoftThinks - C:\WINDOWS\SMINST\PCAngel.exe

O23 - Service: PDF Document Manager (pdfcDispatcher) - PDF Complete Inc - C:\Arquivos de programas\PDF Complete\pdfsvc.exe

O23 - Service: Ralink Registry Writer (RalinkRegistryWriter) - Ralink Technology, Corp. - C:\Arquivos de programas\RALINK\Common\RalinkRegistryWriter.exe

--

End of file - 6692 bytes

wings · Julho 9, 2010

Bom dia...

1.

*Desative temporariamente seu antivírus

*Baixe o USBFix e salve-o no desktop

*Conecte o Pendrive no PC

*Duplo clique em UsbFix

*Clique em [Pesquisa] e aguarde o término

*Remova o Pendrive

*Cole o relatório criado em C:\UsbFix.txt

Alexandre Vasconcelos · Julho 9, 2010

Pronto fiz o que você me pediu!!!

Segue abaixo o relatorio:

############################## | UsbFix 7.016 | [Pesquisa]

Usuário: Admin (Administrador) # CARTORIOTCO [ ]

Atualizado em 05/07/10 por El Desaparecido / C_XX

Começou em 13:10:27 | 09/07/2010

Site: http://pagesperso-orange.fr/NosTools/index.html

Contato: FindyKill.Contact@gmail.com

CPU: AMD Athlon Dual Core Processor 4450B

CPU 2: AMD Athlon Dual Core Processor 4450B

Microsoft Windows XP Professional (5.1.2600 32-Bit) # Service Pack 3

Internet Explorer 8.0.6001.18702

Windows Firewall: Habilitado

RAM -> 767 Mb

C:\ (%systemdrive%) -> Disco fixo # 139 Gb (122 Mb livre - 88%) [] # NTFS

D:\ -> Disco fixo # 10 Gb (6 Mb livre - 58%) [HP_RECOVERY] # NTFS

E:\ -> CD-ROM

G:\ -> Disco removível # 2 Gb (1 Mb livre - 60%) [KINGSTON] # FAT

################## | Ficheiros # pastas infeciosos |

Presente ! G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

Presente ! G:\Autorun.inf

Presente ! G:\qpcp.pif

Presente ! G:\dfug.pif

Presente ! G:\gmrw.pif

Presente ! G:\afkcof.pif

Presente ! G:\abk.bat

Presente ! G:\bd3q0qix.exe

Presente ! G:\ogcikeq.com

Presente ! G:\opgde.exe

Presente ! G:\cold

################## | Registro |

Presente ! HKLM\Software\Classes\CLSID\MADOWN

################## | Mountpoints2 |

HKCU\.\.\.\.\Explorer\MountPoints2\{24468106-cab9-11dd-8856-002264e419dd}

Shell\AutoRun\Command = F:\iq.bat

Shell\open\Command = F:\iq.bat

HKCU\.\.\.\.\Explorer\MountPoints2\{25abeac4-cde0-11dd-885e-002264e419dd}

Shell\AutoRun\Command = G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

Shell\open\Command = G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

HKCU\.\.\.\.\Explorer\MountPoints2\{260f886b-7f94-11df-8ab4-000d093096e6}

Shell\aUTopLAy\Command = wdijrq.exe

Shell\AutoRun\Command = wdijrq.exe

Shell\explorE\Command = wdijrq.exe

Shell\opEn\Command = wdijrq.exe

HKCU\.\.\.\.\Explorer\MountPoints2\{46e53f04-cc1c-11dd-8859-002264e419dd}

Shell\AutoRun\Command = F:\iq.bat

Shell\open\Command = F:\iq.bat

HKCU\.\.\.\.\Explorer\MountPoints2\{774f63c5-8503-11de-895c-002264e419dd}

Shell\AutoRun\Command = G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

Shell\open\Command = G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

HKCU\.\.\.\.\Explorer\MountPoints2\{7cb98344-c881-11de-89b2-002264e419dd}

Shell\open\Command = G:\CARTORIOTCO\CARTORIOTCO\CARTORIOTCOv3.exe

################## | Vaccin |

(!) Este computador não é vacinada!

################## | E.O.F |

wings · Julho 9, 2010

1.

*Conecte novamente o Pendrive no PC

*Duplo clique em UsbFix

*Clique em [supressão] e aguarde o término

*Remova o Pendrive

*Cole o relatório criado em C:\UsbFix.txt

Alexandre Vasconcelos · Julho 9, 2010

############################## | UsbFix 7.016 | [supressão]

Usuário: Admin (Administrador) # CARTORIOTCO [ ]

Atualizado em 05/07/10 por El Desaparecido / C_XX

Começou em 14:38:08 | 09/07/2010

Site: http://pagesperso-orange.fr/NosTools/index.html

Contato: FindyKill.Contact@gmail.com

CPU: AMD Athlon Dual Core Processor 4450B

CPU 2: AMD Athlon Dual Core Processor 4450B

Microsoft Windows XP Professional (5.1.2600 32-Bit) # Service Pack 3

Internet Explorer 8.0.6001.18702

Windows Firewall: Habilitado

RAM -> 767 Mb

C:\ (%systemdrive%) -> Disco fixo # 139 Gb (122 Mb livre - 88%) [] # NTFS

D:\ -> Disco fixo # 10 Gb (6 Mb livre - 58%) [HP_RECOVERY] # NTFS

E:\ -> CD-ROM

G:\ -> Disco removível # 2 Gb (1 Mb livre - 60%) [KINGSTON] # FAT

################## | Ficheiros # pastas infeciosos |

Supprimido ! G:\RESTORE\S-1-5-21-1482476501-1644491937-682003330-1013\dark.exe

Não supprimido ! G:\Autorun.inf

Supprimido ! G:\qpcp.pif

Supprimido ! G:\dfug.pif

Supprimido ! G:\gmrw.pif

Supprimido ! G:\afkcof.pif

Supprimido ! G:\abk.bat

Supprimido ! G:\bd3q0qix.exe

Supprimido ! G:\ogcikeq.com

Supprimido ! G:\opgde.exe

Supprimido ! G:\cold

################## | Registro |

Supprimido ! HKLM\Software\Classes\CLSID\MADOWN

################## | Mountpoints2 |

Supprimido ! HKCU\.\.\.\.\Explorer\MountPoints2\{24468106-cab9-11dd-8856-002264e419dd}

Supprimido ! HKCU\.\.\.\.\Explorer\MountPoints2\{260f886b-7f94-11df-8ab4-000d093096e6}

Supprimido ! HKCU\.\.\.\.\Explorer\MountPoints2\{46e53f04-cc1c-11dd-8859-002264e419dd}

Supprimido ! HKCU\.\.\.\.\Explorer\MountPoints2\{7cb98344-c881-11de-89b2-002264e419dd}

################## | Listing |

[06/07/2010 - 14:17:32 | RD ] C:\Arquivos de programas

[11/12/2008 - 13:04:39 | RASH | 223] C:\boot.ini

[01/03/2006 - 23:00:00 | RASH | 4952] C:\Bootfont.bin

[09/07/2010 - 09:33:25 | D ] C:\Cartório

[11/12/2008 - 17:00:33 | D ] C:\compaq

[19/12/2008 - 07:40:13 | D ] C:\Documents and Settings

[09/07/2010 - 08:34:28 | ASH | 804597760] C:\hiberfil.sys

[11/12/2008 - 17:00:34 | HD ] C:\hp

[11/12/2008 - 17:00:36 | D ] C:\i386

[01/07/2010 - 17:05:41 | D ] C:\ibm2

[01/07/2010 - 17:02:05 | RASH | 0] C:\IO.SYS

[01/07/2010 - 17:02:05 | RASH | 0] C:\MSDOS.SYS

[15/12/2008 - 06:54:49 | RHD ] C:\MSOCache

[01/03/2006 - 23:00:00 | ASH | 47564] C:\ntdetect.com

[23/06/2010 - 14:44:14 | ASH | 251696] C:\ntldr

[09/07/2010 - 08:34:27 | ASH | 1207959552] C:\pagefile.sys

[09/07/2010 - 14:39:25 | SHD ] C:\RECYCLER

[20/07/2009 - 14:24:55 | RSHD ] C:\RESTORE

[11/12/2008 - 13:05:00 | SHD ] C:\System Volume Information

[11/12/2008 - 13:04:54 | AHD ] C:\system.sav

[05/01/2009 - 07:31:32 | D ] C:\temp

[09/07/2010 - 14:39:25 | D ] C:\UsbFix

[09/07/2010 - 14:39:26 | A | 1212] C:\UsbFix.txt

[07/07/2010 - 08:18:20 | D ] C:\WINDOWS

[01/07/2005 - 15:16:54 | ASH | 102] D:\Desktop.ini

[22/11/2004 - 19:28:00 | ASH | 8130] D:\Folder.htt

[03/11/2005 - 08:29:50 | ASH | 0] D:\HP_RECOVERY

[24/09/2008 - 12:03:18 | RSHD ] D:\I386

[30/11/2004 - 15:01:00 | A | 18894848] D:\Info.exe

[24/09/2008 - 11:57:26 | RSHD ] D:\ISOS

[24/09/2008 - 12:03:37 | ASH | 1142] D:\MASTER.LOG

[24/09/2008 - 12:03:18 | RSHD ] D:\minint

[29/08/2002 - 04:00:00 | ASH | 47580] D:\NTDETECT.COM

[12/05/2006 - 16:07:42 | ASH | 0] D:\NTFS

[29/08/2002 - 04:00:00 | ASH | 245920] D:\NTLDR

[24/09/2008 - 12:03:18 | RSHD ] D:\PRELOAD

[27/10/2005 - 18:24:10 | ASH | 181882] D:\protect.ed

[24/09/2008 - 12:03:18 | RD ] D:\RECOVERY

[09/07/2010 - 14:39:25 | SHD ] D:\RECYCLER

[29/08/2002 - 04:00:00 | ASH | 245920] D:\STLDR

[24/09/2008 - 11:46:13 | RSHD ] D:\System Volume Information

[08/02/2002 - 19:44:00 | ASH | 88038] D:\Warning.bmp

[25/03/2005 - 16:00:00 | ASH | 10] D:\WIN51

[22/01/2001 - 21:00:00 | ASH | 11] D:\WIN51.B2

[25/07/2001 - 21:00:00 | ASH | 11] D:\WIN51.RC1

[26/07/2001 - 02:47:00 | ASH | 11] D:\WIN51.RC2

[25/03/2005 - 16:00:00 | ASH | 10] D:\WIN51IA

[25/03/2005 - 16:00:00 | ASH | 10] D:\WIN51IA.SP1

[18/08/2001 - 21:00:00 | ASH | 10] D:\WIN51IC

[20/03/2001 - 21:00:00 | ASH | 11] D:\WIN51IC.B2

[25/07/2001 - 21:00:00 | ASH | 11] D:\WIN51IC.RC1

[25/07/2001 - 21:00:00 | ASH | 11] D:\WIN51IC.RC2

[17/08/2001 - 21:00:00 | ASH | 10] D:\WIN51IP

[22/01/2001 - 21:00:00 | ASH | 11] D:\WIN51IP.B2

[26/07/2001 - 02:47:00 | ASH | 11] D:\WIN51IP.RC2

[17/08/2001 - 21:00:00 | ASH | 10] D:\WIN51IP.SP1

[17/08/2001 - 21:00:00 | ASH | 10] D:\WIN51IP2

[25/03/2005 - 16:00:00 | ASH | 167] D:\WINBOM.INI

[12/05/2006 - 16:07:42 | ASH | 0] D:\XGA

[30/09/2009 - 10:48:38 | D ] G:\Desktop

[10/09/2009 - 11:31:16 | D ] G:\chassi

[15/09/2009 - 17:41:24 | D ] G:\Meus documentos

[09/07/2010 - 14:38:36 | N | 270] G:\autorun.inf

[15/10/2009 - 08:18:22 | D ] G:\drivers

[05/12/2009 - 17:32:36 | RASH | 147968] G:\rocx.exe

[22/09/2009 - 11:01:34 | RSHD ] G:\RESTORE

[16/02/2010 - 08:20:14 | RSH | 172543] G:\naofh.cmd

[19/02/2010 - 12:04:14 | D ] G:\DELEGADO

[11/02/2010 - 19:23:54 | D ] G:\pen drive depol

[09/07/2010 - 09:36:12 | D ] G:\CARLOS

[14/02/2010 - 07:23:06 | D ] G:\Gino e Geno (2006) Canto Bebo e choro

[14/02/2010 - 07:23:22 | D ] G:\Gino e Geno (2008) Por pra dentro

[14/02/2010 - 07:23:54 | D ] G:\Gino & Geno - 2005 - A Galera Do Chapeu

[14/02/2010 - 07:24:42 | D ] G:\Gino & Geno (2004) Ao vivo

[14/02/2010 - 07:25:32 | D ] G:\Gino & Geno (2007) Nóis Enverga Mais Não Quebra

[23/06/2010 - 07:40:44 | D ] G:\Depol.2010

[08/06/2010 - 10:56:30 | RSHD ] G:\SAOROMAOXXX

################## | Vaccin |

C:\Autorun.inf -> Folder criado por UsbFix (El Desaparecido & C_XX)

D:\Autorun.inf -> Folder criado por UsbFix (El Desaparecido & C_XX)

################## | Upload |

Favor enviar o arquivo: C:\UsbFix_Upload_Me_CARTORIOTCO.zip

http://chiquitine.changelog.fr/Sample/Upload.php

Obrigado pela sua contribuição.

################## | E.O.F |

wings · Julho 9, 2010

1.

Favor enviar o arquivo: C:\UsbFix_Upload_Me_CARTORIOTCO.zip para o link abaixo:

http://chiquitine.changelog.fr/Sample/Upload.php

Obrigado pela sua contribuição.

2.

*Duplo clique em UsbFix

*Clique em [uninstall]

3.

*Novo log do hijack e informe como está o PC.

Alexandre Vasconcelos · Julho 9, 2010

Novo Log:

Logfile of Trend Micro HijackThis v2.0.4

Scan saved at 15:10:52, on 9/7/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Arquivos de programas\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Documents and Settings\Admin\Meus documentos\Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://go.microsoft.com/fwlink/?linkid=54896

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://fr.msn.com/