MS Juan and MS Track System
Malwarebytes Forum > Computer Help > Malware Removal - HijackThis Logs
Cat
Hello everyone, recently I've been plagued by a certain malware (Rapid Anti-Virus) and after Malwarebytes got rid of it there was still a MS Juan and a MS Track System that, whenever it got deleted, just came right back. I read that it's caused by a Trojan that morphs itself and that I should post a HiJack log so that you guys can find it.

For the moment, the only annoying thing they are doing is a pop-up, which is harmless right now, but I'm scared that it might download the malware again. Hope you guys can help.

Logfile of HijackThis v1.99.1
Scan saved at 11:46:03, on 15/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\D-Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\ARQUIVOS DE PROGRAMAS\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://200.165.104.28/home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\ARQUIV~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: {841254df-05e8-871a-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\arquivos de programas\bonjour\mdnsnsp.dll
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-42BB-932D-C911DCD62162}: NameServer = 192.168.254.254
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\ARQUIV~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: fzcvoc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe

Thanks.
AdvancedSetup
Hello and Welcome to Malwarebytes.org

Please read and follow the instructions provided here: Pre-HJT Post Instructions
When ready please post your logs back here:


During this scan and cleanup process you should not install any other software unless requested to do so.


Update TrendMicro™ HijackThis™
Your version of TrendMicro™ HijackThis™ is outdated. You need to download and install the latest version 2.0.2
  • Download HJTInstall.exe to your desktop.
  • Doubleclick HJTInstall.exe to install HijackThis.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • It will create a HijackThis icon on your desktop.
  • Once installed, it will launch HijackThis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad. Include this log in your next reply.
  • You can delete the old version of HJT, located here: C:\hijackthis\HijackThis.exe
Cat
Malwarebytes' Anti-Malware 1.28
Database version: 1271
Windows 5.1.2600 Service Pack 2

15/10/2008 18:31:45
mbam-log-2008-10-15 (18-31-45).txt

Scan type: Quick Scan
Objects scanned: 48798
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


-------------------

;*******************************************************************************
ANALYSIS: 2008-10-15 20:30:38
PROTECTIONS: 1
MALWARE: 12
SUSPECTS: 3
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;=============================================================
Eset NOD32 sistema antivírus 2.50 2.50 Yes No
;=============================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=============================================================
00020255 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\usuario\.jpi_cache\jar\1.0\loaderadv620.jar-39a471c-39882a9a.zip[Dummy.class]
00020255 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\usuario\.jpi_cache\jar\1.0\loaderadv621.jar-3a85e9d-642381a7.zip[Dummy.class]
00047865 adware/midaddle Adware No 0 Yes No c:\documents and settings\usuario\configurações locais\temp\9.exe
00055913 adware/razespyware Adware No 0 Yes No c:\windows\system32\page.htm
00118082 Exploit/ByteVerify HackTools No 0 Yes No C:\Documents and Settings\usuario\.jpi_cache\jar\1.0\loaderadv621.jar-3a85e9d-642381a7.zip[Matrix.class]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\idt8m96x.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\idt8m96x.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\idt8m96x.default\cookies.txt[.tribalfusion.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\idt8m96x.default\cookies.txt[.advertising.com/]
00408671 Adware/MicroAntivirus2009 Adware No 1 Yes No C:\Documents and Settings\usuario\Configurações locais\Temp\MediaXCodec.exe
00408671 Adware/MicroAntivirus2009 Adware No 1 Yes No C:\Documents and Settings\usuario\Dados de aplicativos\Adobe\Player.exe
01073279 Adware/WebSearch Adware No 0 Yes No C:\Arquivos de programas\TEXTware\QUICKfind\PlugIns\IEHelp.dll
01073279 Adware/WebSearch Adware Yes 1 Yes No C:\ARQUIV~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\usuario\Dados de aplicativos\Mozilla\Firefox\Profiles\idt8m96x.default\cookies.txt[.adserver.easyad.info/]
03819469 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{E13D5CD8-1955-4406-B580-77E2A942CEE6}\RP1546\A0218860.exe
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{E13D5CD8-1955-4406-B580-77E2A942CEE6}\RP1548\A0219012.sys
03839851 Trj/Downloader.MDW Virus/Trojan No 1 Yes No C:\System Volume Information\_restore{E13D5CD8-1955-4406-B580-77E2A942CEE6}\RP1548\A0219013.sys
03857217 Generic Malware Virus/Trojan No 0 Yes No C:\System Volume Information\_restore{E13D5CD8-1955-4406-B580-77E2A942CEE6}\RP1546\A0218858.exe
;===============================================================================
SUSPECTS
Sent Location 
;===============================================================================
No C:\Documents and Settings\usuario\Configurações locais\Temp\57329.exe[C:\Documents and Settings\usuario\Configurações locais\Temp\57329.exe][5.exe]
No C:\Documents and Settings\usuario\Configurações locais\Temp\57329.exe[C:\Documents and Settings\usuario\Configurações locais\Temp\57329.exe][7.exe]
No C:\WINDOWS\system32\YUR11.exe 
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
;===============================================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:34:29, on 15/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\D-Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\uTorrent\utorrent.exe
C:\Arquivos de programas\Webteh\BSplayer\bsplayer.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://200.165.104.28/home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\ARQUIV~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: {841254df-05e8-871a-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-42BB-932D-C911DCD62162}: NameServer = 192.168.254.254
O20 - AppInit_DLLs: fzcvoc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/usuario/CONFIG~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: Privacy Protection - (no file)

--
End of file - 4879 bytes

There, thanks.
AdvancedSetup
You need to shut down your uTorrent program while we're working on your computer.
Using Torrent sharing programs is often how you can get infected.

STEP 01
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 7 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u7-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE), etc...
  • Browse to C:\Program Files\Java and remove the JAVA folder.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer


STEP 02
Please upload this file C:\WINDOWS\system32\fzcvoc.dll to here

STEP 03
Start MB go to the MORE TOOLS tab, and select the Run Tool for FileASSASSIN and browse to this file
C:\WINDOWS\system32\wscntfy.exe and delete it.

STEP 04
Start HJT and do a Scan only and place a check mark on the following items.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://200.165.104.28/home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)
O2 - BHO: {841254df-05e8-871a-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe
O20 - AppInit_DLLs: fzcvoc.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/usuario/CONFIG~1/Temp/msohtml1/01/clip_image002.jpg
O24 - Desktop Component 1: Privacy Protection - (no file)


Then click on Fix selected...


STEP 05
  • Download FixPolicies.exe by Bill Castner and save it to your desktop.
  • Double click on FixPolicies.exe to run it.
  • Click on Install. It will create a folder named FixPolicies on your desktop.
  • Open the FixPolicies folder.
  • Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly this is normal.
  • Reboot your computer after it runs

STEP 06
Run MB and UPDATE it and do a Quick Scan and fix anything found.
Reboot the computer when MB is done.

STEP 07
Start HJT and do a Scan and save log.

STEP 08
Post back the MB and HJT logs.
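The entries ticked in STEP 04 above follow a handful of recognisable patterns, and the same DLL turns up under two different load paths. As an added example (not code from this thread, from Malwarebytes or from HijackThis), the triage below parses HJT entries in the format shown in the logs, flags the kinds of entries the helper selected, and cross-references flagged entries by module so that fzcvoc.dll registered as both an O2 BHO and an O20 AppInit_DLLs entry stands out. The sample lines are copied from the logs in this thread, with two benign entries left in for contrast; the rules are a subset of what the helper checked.

```python
"""Triage of HijackThis (HJT) log entries using the patterns seen in this thread."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: HJT entries quoted in this thread plus two benign ones (Acrobat BHO,
# Symantec service) that the rules must leave alone.
SAMPLE_LOG = [
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://200.165.104.28/home",
    r"R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)",
    r"O2 - BHO: {841254df-05e8-871a-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll",
    r"O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present",
    r"O20 - AppInit_DLLs: fzcvoc.dll",
    r"O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe",
    r"O24 - Desktop Component 1: Privacy Protection - (no file)",
]

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")          # "O20 - AppInit_DLLs: ..."
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
BARE_IP_URL_RE = re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}(/|$)")


@dataclass
class Finding:
    section: str            # HJT section code, e.g. "O20"
    reason: str             # why the entry was flagged
    module: Optional[str]   # file name the entry points at, when there is one
    raw: str                # the original log line


def _module_name(path: str) -> Optional[str]:
    """Bare lower-case file name of a path, or None for '(no file)' placeholders."""
    if not path or path.startswith("("):
        return None
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_entry(line: str) -> Optional[Finding]:
    """Apply the triage rules to one HJT line; None means nothing suspicious."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    if section in ("R0", "R1") and ("Start Page" in rest or "Search Page" in rest):
        url = rest.split(" = ", 1)[-1].lstrip("&")
        if BARE_IP_URL_RE.match(url):
            return Finding(section, "browser start/search page points at a bare IP address", None, line)
    elif section == "O2" and rest.startswith("BHO: "):
        # Layout is "<name> - <CLSID> - <path>"; pad so short or damaged lines still unpack.
        name, _clsid, path = (rest[len("BHO: "):].split(" - ", 2) + ["", ""])[:3]
        if path == "(no file)" or name == "(no name)":
            return Finding(section, "BHO registered without a name or backing file", None, line)
        if GUID_RE.match(name):
            return Finding(section, "BHO whose display name is itself a GUID (auto-generated)", _module_name(path), line)
    elif section == "O6" and "Restrictions present" in rest:
        return Finding(section, "IE restriction policy present for the user", None, line)
    elif section == "O20" and rest.startswith("AppInit_DLLs:"):
        value = rest[len("AppInit_DLLs:"):].strip()
        if value:  # AppInit_DLLs is loaded into every process that loads user32.dll
            return Finding(section, "AppInit_DLLs set: DLL is injected into every user32 process", _module_name(value), line)
    elif section == "O24" and rest.endswith("(no file)"):
        return Finding(section, "Active Desktop component with no backing file", None, line)
    return None


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run check_entry over a whole log and keep only the flagged entries."""
    return [f for f in (check_entry(l) for l in lines) if f is not None]


def modules_with_multiple_load_paths(findings: List[Finding]) -> dict:
    """Map module name -> sorted list of sections, for modules flagged in two or more sections."""
    seen = {}
    for f in findings:
        if f.module:
            seen.setdefault(f.module, set()).add(f.section)
    return {mod: sorted(secs) for mod, secs in seen.items() if len(secs) > 1}


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.section:4} {f.reason}")
    print("same module via several load paths:", modules_with_multiple_load_paths(found))
```

The cross-reference is the useful part: a module that is both a BHO and an AppInit_DLLs entry is reloaded by every new process, which is why fixing a single HJT line leaves it on the machine.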
Cat
I tried to delete the file wscntfy.exe, like you said, and the program was not able to delete it.

O24 - Desktop Component 1: Privacy Protection - (no file) was not deleted.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:54:20, on 16/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\ARQUIV~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-42BB-932D-C911DCD62162}: NameServer = 192.168.254.254
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 1: Privacy Protection - (no file)

--
End of file - 4076 bytes

Malwarebytes' Anti-Malware 1.28
Database version: 1271
Windows 5.1.2600 Service Pack 2

16/10/2008 10:52:48
mbam-log-2008-10-16 (10-52-48).txt

Scan type: Quick Scan
Objects scanned: 48641
Time elapsed: 3 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
AdvancedSetup
Please find this file C:\WINDOWS\system32\fzcvoc.dll and attach it in a zipped folder here in a new topic you start, link back to your thread in the HJT forum please.

How To Use Compressed (Zipped) Folders in Windows XP


For now please ignore the C:\WINDOWS\system32\wscntfy.exe as it may be the legitimate one for XP. It was flagged by another site as being part of KAVPersonal90 Malware. Once we get and analyze the DLL file above that will help us to determine what else is going on.

Thanks.
AdvancedSetup
Just a minor note while waiting to get the file. Sun Java has been updated to version 10 now.
Once ALL older versions are removed you will no longer need to remove them in the future. This update includes a new method of updating that will update the files in place. So with the next version 11 update it will actually update 10 instead of a new installation.


Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 10.
  • Go to http://java.sun.com/javase/downloads/index.jsp
  • Go to Java Runtime Environment (JRE) 6 Update 10 about half way down the page and click on the Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u10-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE), etc...
  • Browse to C:\Program Files\Java and remove the JAVA folder.
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
AdvancedSetup
MBAM has been updated. Please run MBAM and go to the UPDATE tab and update the program. Run another Quick Scan, fix anything found and reboot.

After the reboot please run HJT and Scan save log.

Post back both of the logs
Cat
Malwarebytes' Anti-Malware 1.29
Database version: 1284
Windows 5.1.2600 Service Pack 2

18/10/2008 11:39:50
mbam-log-2008-10-18 (11-39-50).txt

Scan type: Quick Scan
Objects scanned: 49104
Time elapsed: 2 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:40:10, on 18/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Arquivos de programas\D-Tools\daemon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE
C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\ARQUIV~1\TEXTware\QUICKF~1\PlugIns\IEHelp.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU"
O4 - HKCU\..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-42BB-932D-C911DCD62162}: NameServer = 192.168.254.254
O23 - Service: Adobe LM Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe
O24 - Desktop Component 1: Privacy Protection - (no file)

--
End of file - 4043 bytes


Looks like it's clean for the moment, thanks.

But O24 - Desktop Component 1: Privacy Protection - (no file) still does not want to be deleted.
AdvancedSetup
Click on START - RUN and type in SIGVERIF and click OK
This is a Microsoft File Signature Verification program that will check some file status for us.
  • Click on the START button and let it run.
  • It will popup a box when it's done to show the status, you can close that box.
  • Close the File Signature Verification application.
  • Find and attach the file C:\WINDOWS\SIGVERIF.TXT to your reply.
  • DO NOT post the log directly into your reply, attach the file please.


Important!
All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to CD or memory stick and take it to the other computer, please do so. Either way, it's important. The logs have to be made by the computer with the problem.

I also need for you to download this program OTListIt.exe to your desktop.
  • Close all applications and windows so that you have nothing open and are at your Desktop
  • Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.
  • Place a checkmark in the Scan All Users checkbox (leave 'Use Whitelist' checked and the 'File Age:' at 30 days)
  • Click the Run Scan button
  • NOTE: Please be patient and let the scan run without using the computer
  • When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)
  • In Notepad, click Edit, Select all then Edit, Copy
  • Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log or right click paste.
  • Submit your reply and close the Notepad window with OTListIt.txt
  • Also OTListIt's Extras.txt log file will be minimized in the Taskbar (and located on your Desktop) - click on this and maximize the window
  • In Notepad, click Edit, Select all then Edit, Copy
  • Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log or Right click paste.
  • NOTE: If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad from your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.
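For readers working through an OTListIt log like the one requested above, here is an added example that is not part of this thread and not OTListIt's own code: a small Python triage script that parses the `[date | size | attrs | C/M] (company) -- path` file entries and the LSA "Authentication Packages" value, and flags the items a helper checks first (unattributed binaries and hidden+system files under the Windows directory, and any authentication package other than msv1_0). The sample lines are constructed from the format of the log posted later in the thread, and the heuristics are illustrative assumptions, not OTListIt's rules.

```python
"""Triage an OTListIt-style log (illustrative example; not OTListIt's own logic)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the format of the OTListIt log posted in this thread.
SAMPLE_LOG = r"""
========== Files/Folders - Created Within 30 Days ==========

[2008/10/23 14:57:33 | 00,417,792 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\usuario\Desktop\OTListIt.exe
[2008/10/15 18:25:41 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2008/10/15 10:40:58 | 01,392,109 | -HS- | C] () -- C:\WINDOWS\System32\clnxdwxy.ini
[2008/10/15 08:51:29 | 00,074,752 | ---- | C] () -- C:\WINDOWS\System32\YUR11.exe
[2008/10/15 08:38:37 | 00,094,208 | ---- | C] () -- C:\WINDOWS\evsw.exe
[2008/10/15 08:37:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dados de aplicativos\wpebgbmb
[2008/10/15 08:37:17 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\vqfsvgvs.exe
[2008/10/07 16:25:36 | 00,033,792 | ---- | C] () -- C:\Documents and Settings\All Users\Documentos\Curriculum Vitae - Mateus.doc

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages" = msv1_0,C:\WINDOWS\system32\awtUOefC,
>File not found --
"""

# One file/folder entry: [timestamp | size | attrs | C or M] (company, optional) -- path
ENTRY_RE = re.compile(
    r"^\[(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))? -- (?P<path>.+)$"
)
# The registry value OTListIt prints in its LSA section.
LSA_RE = re.compile(r'^"Authentication Packages" = (?P<pkgs>.*)$', re.MULTILINE)

# Extensions treated as executable code for the "no publisher" check (assumption).
BINARY_EXTENSIONS = (".exe", ".dll", ".sys", ".ocx", ".scr")


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str                # four flags: R read-only, H hidden, S system, D directory
    kind: str                 # C = created, M = modified
    company: Optional[str]    # None when the field is absent, "" when it is "()"
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs


def parse_entries(log_text: str) -> List[Entry]:
    """Parse every file/folder entry line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        entries.append(Entry(
            timestamp=m["date"],
            size=int(m["size"].replace(",", "")),   # "01,392,109" -> 1392109
            attrs=m["attrs"],
            kind=m["kind"],
            company=m["company"],
            path=m["path"].strip(),
        ))
    return entries


def parse_lsa_packages(log_text: str) -> List[str]:
    """Return the comma-separated LSA authentication packages, empties dropped."""
    m = LSA_RE.search(log_text)
    if not m:
        return []
    return [p.strip() for p in m["pkgs"].split(",") if p.strip()]


def triage(log_text: str, windows_dir: str = "C:\\WINDOWS") -> List[str]:
    """Return one 'reason: path' string per suspicious item, in log order."""
    findings = []
    win_prefix = windows_dir.lower() + "\\"
    for e in parse_entries(log_text):
        if e.is_dir:
            continue
        low = e.path.lower()
        in_windows = low.startswith(win_prefix)
        is_binary = low.rsplit("\\", 1)[-1].endswith(BINARY_EXTENSIONS)
        if in_windows and is_binary and not e.company:
            findings.append(f"binary with no publisher under Windows dir: {e.path}")
        if in_windows and "H" in e.attrs and "S" in e.attrs:
            findings.append(f"hidden+system file under Windows dir: {e.path}")
    for pkg in parse_lsa_packages(log_text):
        if pkg.lower() != "msv1_0":
            findings.append(f"extra LSA authentication package: {pkg}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```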
AdvancedSetup
Hi there.... we're still looking to get that log so we can help you out further and hopefully see what the underlying cause is.

Thanks.
Cat
OTListIt logfile created on: 23/10/2008 14:58:26 - Run
OTListIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\usuario\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy

1022,73 Mb Total Physical Memory | 712,79 Mb Available Physical Memory | 69,69% Memory free
1,65 Gb Paging File | 1,48 Gb Available in Paging File | 89,49% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 74,55 Gb Total Space | 36,11 Gb Free Space | 48,43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 149,04 Gb Total Space | 88,17 Gb Free Space | 59,16% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CAT
Current User Name: usuario
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== Processes ==========

[2002/07/01 08:02:00 | 00,062,464 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\E_S00RP1.EXE
[2005/01/28 02:36:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe
[2004/08/03 19:45:46 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
[2004/08/22 18:05:02 | 00,081,920 | ---- | M] (DAEMON'S HOME) -- C:\Arquivos de programas\D-Tools\daemon.exe
[2004/01/14 09:00:00 | 00,099,840 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_S4I4T1.EXE
[2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\msnmsgr.exe
[2008/10/23 14:57:36 | 00,417,792 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\usuario\Desktop\OTListIt.exe

========== (O23) Win32 Services ==========

[2003/08/30 19:41:41 | 00,068,096 | ---- | M] () -- C:\Arquivos de programas\Arquivos comuns\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service [On_Demand | Stopped])
[2008/01/15 03:40:04 | 00,110,592 | ---- | M] (Apple, Inc.) -- C:\Arquivos de programas\Arquivos comuns\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device [Disabled | Stopped])
[2004/07/15 02:49:26 | 00,032,768 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe -- (aspnet_state [On_Demand | Stopped])
[2003/09/30 11:19:56 | 00,376,832 | ---- | M] () -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller [Disabled | Stopped])
[2003/10/13 22:10:00 | 00,114,688 | ---- | M] () -- C:\WINDOWS\system32\ati2sgag.exe -- (ATI Smart [Disabled | Stopped])
[2007/07/24 16:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\Bonjour\mDNSResponder.exe -- (Bonjour Service [Disabled | Stopped])
[2003/05/23 02:38:26 | 00,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service [Disabled | Stopped])
[2002/07/01 08:02:00 | 00,062,464 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\E_S00RP1.EXE -- (EPSON_PM_RPCV2_01 [Auto | Running])
[2004/08/20 15:46:35 | 00,040,960 | ---- | M] (F-Secure Corporation) -- C:\Arquivos de programas\F-Secure Internet Security\fswsclds.exe -- (Fswsclds [Disabled | Stopped])
[2005/04/04 01:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) -- C:\Arquivos de programas\Arquivos comuns\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT [On_Demand | Stopped])
[2008/03/30 11:36:30 | 00,504,104 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\iPod\bin\iPodService.exe -- (iPod Service [Disabled | Stopped])
[2003/06/19 23:25:00 | 00,322,120 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\MDM.EXE -- (MDM [Disabled | Stopped])
[2003/07/28 20:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Source Engine\OSE.EXE -- (ose [Disabled | Stopped])
[2008/04/07 20:26:40 | 00,098,488 | ---- | M] (SiSoftware) -- C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\RpcAgentSrv.exe -- (SandraAgentSrv [Disabled | Stopped])
[2003/07/02 07:40:08 | 00,045,056 | ---- | M] ( ) -- C:\WINDOWS\system32\slserv.exe -- (SLService [Disabled | Stopped])
[2005/04/05 12:17:22 | 00,206,552 | ---- | M] (Symantec Corporation) -- C:\Arquivos de programas\Arquivos comuns\Symantec Shared\SNDSrvc.exe -- (SNDSrvc [On_Demand | Stopped])
[2002/09/20 17:50:10 | 00,045,056 | ---- | M] (Analog Devices, Inc.) -- C:\Arquivos de programas\Analog Devices\SoundMAX\SMAgent.exe -- (SoundMAX Agent Service (default) [Disabled | Stopped])
[2005/01/28 02:36:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wdfmgr.exe -- (UMWdf [Auto | Running])
[2007/01/19 13:54:14 | 00,097,136 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\usnsvc.exe -- (usnjsvc [Disabled | Stopped])

========== Driver Services ==========

[2002/04/01 04:15:00 | 00,004,816 | ---- | M] (Andrea Electronics Corporation) -- C:\WINDOWS\system32\drivers\aeaudio.sys -- (aeaudio [On_Demand | Running])
[2003/05/28 19:53:46 | 00,017,005 | ---- | M] (Adaptec) -- C:\WINDOWS\System32\drivers\ASPI32.SYS -- (Aspi32 [Auto | Running])
[2005/08/31 03:11:52 | 00,701,440 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag [On_Demand | Running])
[2002/06/06 02:07:00 | 00,009,344 | ---- | M] (B.H.A Co.,Ltd.) -- C:\WINDOWS\System32\drivers\BsStor.sys -- (BsStor [Boot | Running])
[2004/03/08 13:55:50 | 00,013,567 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\drivers\CDRBSDRV.SYS -- (cdrbsdrv [System | Running])
[2003/12/03 18:44:58 | 00,013,566 | ---- | M] (B.H.A Corporation) -- C:\WINDOWS\System32\drivers\cdrbsvsd.sys -- (cdrbsvsd [System | Running])
[2004/08/22 17:31:10 | 00,155,136 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\d347bus.sys -- (d347bus [Boot | Running])
[2004/08/22 17:31:48 | 00,005,248 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\d347prt.sys -- (d347prt [Boot | Running])
[2002/11/28 12:18:04 | 00,015,360 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDFL.sys -- (ElbyCDFL [On_Demand | Running])
[2002/11/29 09:38:16 | 00,016,320 | ---- | M] (Elaborate Bytes AG) -- C:\WINDOWS\system32\drivers\ElbyCDIO.sys -- (ElbyCDIO [Auto | Running])
[2003/01/31 21:08:54 | 00,028,005 | ---- | M] (Efficient Networks, Inc.) -- C:\WINDOWS\system32\drivers\enethusb.sys -- (ENETHUSB [On_Demand | Running])
[2001/08/17 21:13:08 | 00,027,165 | ---- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5.sys -- (FETNDIS [On_Demand | Stopped])
[2003/01/16 02:17:00 | 00,040,960 | R--- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\drivers\fetnd5b.sys -- (FETNDISB [On_Demand | Stopped])
[2008/01/29 13:01:28 | 00,016,168 | ---- | M] (GEAR Software Inc.) -- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys -- (GEARAspiWDM [On_Demand | Running])
[2003/08/21 12:56:36 | 00,025,520 | ---- | M] (Ahead Software AG) -- C:\WINDOWS\System32\drivers\incdrm.sys -- (incdrm [System | Running])
[2003/10/24 02:53:14 | 00,090,416 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf [System | Running])
[2001/08/17 22:57:38 | 00,016,128 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\MODEMCSA.sys -- (MODEMCSA [On_Demand | Running])
[2003/07/16 02:30:26 | 00,221,736 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\mtlmnt5.sys -- (Mtlmnt5 [On_Demand | Running])
[2003/07/02 06:26:36 | 01,301,128 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\mtlstrm.sys -- (Mtlstrm [On_Demand | Stopped])
[2005/08/31 03:11:26 | 00,032,840 | ---- | M] (NETGEAR Corporation.) -- C:\WINDOWS\system32\drivers\Ngrpci.sys -- (ngrpci [On_Demand | Stopped])
[2003/07/02 05:57:10 | 00,167,384 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\ntmtlfax.sys -- (NtMtlFax [On_Demand | Stopped])
[2002/09/12 22:29:00 | 00,006,016 | R--- | M] (VIA Technologies, Inc. ) -- C:\WINDOWS\system32\ntsim.sys -- (NTSIM [On_Demand | Stopped])
[2008/06/19 17:24:30 | 00,028,544 | ---- | M] (Panda Security, S.L.) -- C:\WINDOWS\system32\drivers\pavboot.sys -- (pavboot [Boot | Running])
[2007/05/28 20:39:19 | 00,047,360 | ---- | M] (VSO Software) -- C:\WINDOWS\system32\drivers\pcouffin.sys -- (Pcouffin [On_Demand | Running])
[2004/01/31 00:40:08 | 00,010,368 | ---- | M] (Padus, Inc.) -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc [On_Demand | Running])
[2001/10/28 09:07:22 | 00,017,792 | ---- | M] (Parallel Technologies, Inc.) -- C:\WINDOWS\system32\drivers\ptilink.sys -- (Ptilink [On_Demand | Running])
[2007/02/23 02:29:52 | 00,036,624 | ---- | M] (Sonic Solutions) -- C:\WINDOWS\system32\drivers\pxhelp20.sys -- (PxHelp20 [Boot | Running])
[2004/08/04 04:41:40 | 00,013,776 | ---- | M] (Smart Link) -- C:\WINDOWS\system32\drivers\recagent.sys -- (RecAgent [On_Demand | Stopped])
[2002/06/10 01:09:08 | 00,031,232 | ---- | M] (Robert Schlabbach) -- C:\WINDOWS\system32\drivers\RMSPPPOE.SYS -- (RMSPPPOE [On_Demand | Running])
[2008/03/10 20:30:36 | 00,021,408 | ---- | M] (SiSoftware) -- C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\WNt500x86\sandra.sys -- (SANDRA [On_Demand | Stopped])
[2007/11/13 08:25:56 | 00,020,480 | ---- | M] (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K.) -- C:\WINDOWS\system32\drivers\secdrv.sys -- (Secdrv [On_Demand | Stopped])
[2001/09/05 23:27:44 | 00,018,176 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\sermouse.sys -- (sermouse [On_Demand | Stopped])
[2003/07/16 02:39:32 | 00,545,528 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\slntamr.sys -- (Slntamr [On_Demand | Running])
[2003/07/02 06:24:36 | 00,086,128 | ---- | M] ( ) -- C:\WINDOWS\system32\drivers\slnthal.sys -- (SlNtHal [On_Demand | Stopped])
[2003/07/02 06:12:52 | 00,039,348 | ---- | M] (Vireo Software) -- C:\WINDOWS\system32\drivers\slwdmsup.sys -- (SlWdmSup [On_Demand | Running])
[2003/07/15 17:00:00 | 00,578,368 | ---- | M] (Analog Devices, Inc.) -- C:\WINDOWS\system32\drivers\smwdm.sys -- (smwdm [On_Demand | Running])
[2001/08/17 21:56:16 | 00,007,552 | ---- | M] (Sony Corporation) -- C:\WINDOWS\system32\drivers\SONYPVU1.SYS -- (SONYPVU1 [On_Demand | Stopped])
[2006/09/15 23:52:12 | 00,124,016 | ---- | M] (Symantec Corporation) -- C:\Arquivos de programas\Symantec\SYMEVENT.SYS -- (SymEvent [On_Demand | Running])
[2005/04/05 12:17:00 | 00,017,976 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symredrv.sys -- (SYMREDRV [On_Demand | Stopped])
[2005/04/05 12:17:02 | 00,267,192 | ---- | M] (Symantec Corporation) -- C:\WINDOWS\system32\drivers\symtdi.sys -- (SYMTDI [System | Running])
[2003/07/02 05:42:00 | 00,027,904 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\VIAAGP1.SYS -- (viaagp1 [Boot | Running])
[2005/09/01 10:22:22 | 00,077,312 | ---- | M] (VIA Technologies inc,.ltd) -- C:\WINDOWS\system32\drivers\viasraid.sys -- (viasraid [Boot | Running])
[2003/08/04 05:29:08 | 00,006,912 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\vulfnth.sys -- (vulfnths [On_Demand | Running])
[2003/08/04 05:29:32 | 00,011,392 | ---- | M] (VIA Technologies, Inc.) -- C:\WINDOWS\system32\drivers\vulfntr.sys -- (vulfntrs [On_Demand | Running])

========== Internet Explorer ==========

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...&ar=msnhome
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.com/
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-19\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions =
HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
HKU\S-1-5-21-220523388-688789844-1417001333-1003\S-1-5-21-220523388-688789844-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

O1 HOSTS File: (316782 bytes) - C:\WINDOWS\System32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 0.0.0.0 acestats.com
O1 - Hosts: 0.0.0.0 www.acestats.com
O1 - Hosts: 0.0.0.0 www.activesearch.com #[Adware.ActiveSearch]
O1 - Hosts: 0.0.0.0 actualnames.com #[Parasite.ActualNames][Spyware.ActualNames]
O1 - Hosts: 0.0.0.0 www.actualnames.com
O1 - Hosts: 0.0.0.0 ad-up.com
O1 - Hosts: 0.0.0.0 www.ad-up.com
O1 - Hosts: 0.0.0.0 adatom.com
O1 - Hosts: 0.0.0.0 aesp.adatom.com
O1 - Hosts: 0.0.0.0 adbest.com #[IE-SpyAd]
O1 - Hosts: 0.0.0.0 www.adcipta.net #[W32/Malware]
O1 - Hosts: 0.0.0.0 adserv.adbonus.com #[IE-SpyAd]
O1 - Hosts: 0.0.0.0 www.adbonus.com
O1 - Hosts: 0.0.0.0 media.adcentriconline.com #[IE-SpyAd]
O1 - Hosts: 0.0.0.0 ad2.adcept.net
O1 - Hosts: 0.0.0.0 ad3.adcept.net
O1 - Hosts: 0.0.0.0 www.adcept.net #[IE-SpyAd]
O1 - Hosts: 0.0.0.0 adcomplete.com #[IE-SpyAd]
O1 - Hosts: 0.0.0.0 www.adcomplete.com
O1 - Hosts: 0.0.0.0 www.adcopy.info
O1 - Hosts: 0.0.0.0 ads.adcorps.com #[verticalwebventures.com]
O1 - Hosts: 0.0.0.0 ads2.adcorps.com
O1 - Hosts: 0.0.0.0 ads.addynamix.com #[IE-SpyAd]
O1 - Hosts: 0.0.0.0 pt.server1.adexit.com
O1 - Hosts: 9001 more lines...
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx ()
O2 - BHO: (Windows Live Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
O2 - BHO: (QUICKfind BHO Object) - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\Arquivos de programas\TEXTware\QUICKfind\PlugIns\IEHelp.dll ()
O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found
O4 - HKLM..\Run: [DAEMON Tools-1033] "C:\Arquivos de programas\D-Tools\daemon.exe" -lang 1033 (DAEMON'S HOME)
O4 - HKCU..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU" (SEIKO EPSON CORPORATION)
O4 - HKCU..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation)
O4 - HKU\S-1-5-21-220523388-688789844-1417001333-1003..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I4T1.EXE /P23 "EPSON Stylus C45 Series" /M "Stylus C45" /EF "HKCU" (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-220523388-688789844-1417001333-1003..\Run: [msnmsgr] "C:\Arquivos de programas\MSN Messenger\msnmsgr.exe" /background (Microsoft Corporation)

O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingPage = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingPage = 1
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - Reg Error: Value does not exist or could not be read.
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra 'Tools' menuitem : Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - Reg Error: Key does not exist or could not be opened. File not found
O9 - Extra Button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Arquivos de programas\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Web Entry - {B4E30F61-16D9-11D3-85D1-005004229569} - c:\lotus\organize\bandobjs.dll ()
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe (Microsoft Corporation)
O12 - Plugin for .spop: C:\Arquivos de programas\Internet Explorer\PLUGINS\NPDocBox.dll [2001/01/30 14:56:24 | 00,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)
O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: (msn in Meu computador)
O15 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..Trusted Sites: (msn in Meu computador)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shock...director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc.cab (Office Update Installation Engine)
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab (Symantec RuFSI Utility Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/products/plugin/1.4/ji...indows-i586.cab (Java Plug-in 1.4.1_01)
O16 - DPF: {CAFEEFAC-0014-0001-0001-ABCDEFFEDCBA} http://java.sun.com/products/plugin/1.4/ji...indows-i586.cab (Java Plug-in 1.4.1_01)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwa...ash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 192.168.254.254
O18 - Protocol\Handler: - cetihpz - C:\Arquivos de programas\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler: - ipp - No CLSID value found
O18 - Protocol\Handler: - ipp\0x00000001 - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - livecall - C:\Arquivos de programas\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp - No CLSID value found
O18 - Protocol\Handler: - msdaipp\0x00000001 - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msdaipp\oledb - C:\Arquivos de programas\Arquivos comuns\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - ms-itss - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Information Retrieval\MSITSS.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - msnim - C:\Arquivos de programas\MSN Messenger\msgrapp.8.1.0178.00.dll (Microsoft Corporation)
O18 - Protocol\Handler: - mso-offdap - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\10\OWC10.DLL (Microsoft Corporation)
O18 - Protocol\Handler: - mso-offdap11 - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\Web Components\11\OWC11.DLL (Microsoft Corporation)
O18 - Protocol\Filter: - text/xml - C:\Arquivos de programas\Arquivos comuns\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - See sections below for AppInitDlls and Winlogon settings

========== LSA *Authentication Packages* ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages" = msv1_0,C:\WINDOWS\system32\awtUOefC,
>File not found --

========== Safeboot Options ==========

"AlternateShell" = cmd.exe

========== CDRom AutoRun Settings ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun" = 1

========== Autorun Files on Drives ==========

autoAlbum.log [-i="C:\Documents and Settings\usuario\Configurações locais\Dados de aplicativos\HP\Digital Imaging\tmpAlb_2\tmpAlb_2_0.txt" -o="C:\Documents and Settings\usuario\Configurações locais\Dados de aplicativos\HP\Digital Imaging\tmpAlb_2\tmpAlb_2_0_out.txt" -g -b -s=4 -f="text"input text file: C:\Documents and Settings\usuario\Configurações locais\Dados de aplicativos\HP\Digital Imaging\tmpAlb_2\tmpAlb_2_0.txt | output file: C:\Documents and Settings\usuario\Configurações locais\Dados de aplicativos\HP\Digital Imaging\tmpAlb_2\tmpAlb_2_0_out.txt | | Value of width is 1529 and ht is 1284creating book layout ... | layout is complete, writing output file of type 1... | ]
[2005/03/12 16:24:16 | 00,000,667 | ---- | M] () -- C:\autoAlbum.log -- [ NTFS ]

AUTOEXEC.BAT [PATH=%PATH%;C:\ARQUIV~1\ARQUIV~1\MUVEET~1\030625 | ]
[2006/05/23 13:29:55 | 00,000,050 | ---- | M] () -- C:\AUTOEXEC.BAT -- [ NTFS ]

AUTOEXEC.BAT []
[2008/05/18 14:58:35 | 00,000,000 | ---- | M] () -- G:\AUTOEXEC.BAT -- [ NTFS ]

========== Files/Folders - Created Within 30 Days ==========

[3 C:\Documents and Settings\All Users\Dados de aplicativos\*.tmp files]
[2008/10/23 14:57:33 | 00,417,792 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\usuario\Desktop\OTListIt.exe
[2008/10/23 14:37:22 | 49,801,8304 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\Imagine - The Story of the Guitar, Out of the Frying Pan (12th October 2008) [TVRip (XviD)].avi
[2008/10/23 14:12:46 | 00,014,413 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\The Longest Yard.torrent
[2008/10/23 08:25:20 | 00,020,480 | ---- | C] () -- C:\Documents and Settings\usuario\Meus documentos\members need deleting.doc
[2008/10/21 08:16:52 | 00,063,755 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\smallvilleavvy.jpg
[2008/10/21 08:09:04 | 00,047,527 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\smallville.jpg
[2008/10/20 18:25:33 | 00,017,006 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\13.Hours.In.A.Warehouse.2008.DVDRip.XviD-DOMiNO(2).torrent
[2008/10/20 17:23:36 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\Adopt a torrent.doc
[2008/10/20 13:15:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\usuario\Desktop\Washington DC Suburb Offers Tale of Two Economies
[2008/10/16 10:47:07 | 00,000,000 | ---D | C] -- C:\Documents and Settings\usuario\Desktop\FixPolicies
[2008/10/16 10:46:33 | 00,185,065 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\FixPolicies.exe
[2008/10/16 08:47:22 | 00,025,088 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\Fix.doc
[2008/10/15 20:36:57 | 00,030,720 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\Malwarebytes Full report.doc
[2008/10/15 18:25:41 | 00,028,544 | ---- | C] (Panda Security, S.L.) -- C:\WINDOWS\System32\drivers\pavboot.sys
[2008/10/15 18:13:56 | 00,000,000 | ---D | C] -- C:\Arquivos de programas\Panda Security
[2008/10/15 18:13:29 | 00,175,648 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\activescan2_en.exe
[2008/10/15 18:10:31 | 00,001,806 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\HijackThis.lnk
[2008/10/15 18:10:30 | 00,000,000 | ---D | C] -- C:\Arquivos de programas\Trend Micro
[2008/10/15 10:48:18 | 00,001,632 | ---- | C] () -- C:\Documents and Settings\usuario\Desktop\CCleaner.lnk
[2008/10/15 10:40:58 | 01,392,109 | -HS- | C] () -- C:\WINDOWS\System32\clnxdwxy.ini
[2008/10/15 09:30:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\usuario\Dados de aplicativos\Malwarebytes
[2008/10/15 09:30:06 | 00,015,504 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/10/15 09:30:06 | 00,000,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/10/15 09:30:05 | 00,038,496 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/10/15 09:30:03 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dados de aplicativos\Malwarebytes
[2008/10/15 09:30:02 | 00,000,000 | ---D | C] -- C:\Arquivos de programas\Malwarebytes' Anti-Malware
[2008/10/15 08:53:12 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dados de aplicativos\TEMP
@Alternate Data Stream - 148 bytes -> C:\Documents and Settings\All Users\Dados de aplicativos\TEMP:DFC5A2B2
[2008/10/15 08:51:29 | 00,074,752 | ---- | C] () -- C:\WINDOWS\System32\YUR11.exe
[2008/10/15 08:44:12 | 00,024,064 | ---- | C] () -- C:\WINDOWS\System32\YUR4.exe
[2008/10/15 08:44:11 | 00,025,088 | ---- | C] () -- C:\WINDOWS\System32\YUR3.exe
[2008/10/15 08:44:10 | 00,025,088 | ---- | C] () -- C:\WINDOWS\System32\YUR1.exe
[2008/10/15 08:44:10 | 00,024,064 | ---- | C] () -- C:\WINDOWS\System32\YUR2.exe
[2008/10/15 08:38:47 | 00,000,000 | ---D | C] -- C:\Documents and Settings\usuario\Dados de aplicativos\TmpRecentIcons
[2008/10/15 08:38:37 | 00,094,208 | ---- | C] () -- C:\WINDOWS\evsw.exe
[2008/10/15 08:38:18 | 00,000,000 | ---D | C] -- C:\Documents and Settings\usuario\Dados de aplicativos\0000005738
[2008/10/15 08:37:46 | 00,701,952 | ---- | C] () -- C:\0000005738.exe
[2008/10/15 08:37:39 | 00,025,088 | ---- | C] () -- C:\WINDOWS\System32\YUR18.exe
[2008/10/15 08:37:19 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Dados de aplicativos\wpebgbmb
[2008/10/15 08:37:17 | 00,077,824 | ---- | C] () -- C:\WINDOWS\System32\vqfsvgvs.exe
[2008/10/14 14:14:30 | 00,000,000 | ---D | C] -- C:\Arquivos de programas\HalloweenPack
[2008/10/09 16:09:26 | 00,001,445 | ---- | C] () -- C:\Documents and Settings\usuario\Meus documentos\Candy nfo.nfo
[2008/10/07 16:25:36 | 00,033,792 | ---- | C] () -- C:\Documents and Settings\All Users\Documentos\Curriculum Vitae - Mateus.doc
[2008/10/05 21:44:49 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documentos\Burn.Notice.S01.DVDRip.XviD-TOPAZ


========== Files - Modified Within 30 Days ==========

[2 C:\*.tmp files]
[3 C:\WINDOWS\System32\*.tmp files]
[8 C:\WINDOWS\*.tmp files]
[3 C:\Documents and Settings\All Users\Dados de aplicativos\*.tmp files]
[2008/10/23 14:57:36 | 00,417,792 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\usuario\Desktop\OTListIt.exe
[2008/10/23 14:57:18 | 00,368,128 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\Torrential Greetings.doc
[2008/10/23 14:40:25 | 00,080,384 | ---- | M] () -- C:\Documents and Settings\usuario\Configurações locais\Dados de aplicativos\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/10/23 14:12:44 | 00,014,413 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\The Longest Yard.torrent
[2008/10/23 14:00:00 | 00,000,274 | -H-- | M] () -- C:\WINDOWS\tasks\ABABD9D491884F38.job
[2008/10/23 08:25:20 | 00,020,480 | ---- | M] () -- C:\Documents and Settings\usuario\Meus documentos\members need deleting.doc
[2008/10/23 08:01:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2008/10/23 08:01:00 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2008/10/23 08:00:59 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2008/10/22 08:14:02 | 00,000,300 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2008/10/21 08:16:52 | 00,063,755 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\smallvilleavvy.jpg
[2008/10/21 08:10:05 | 00,047,527 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\smallville.jpg
[2008/10/20 18:25:32 | 00,017,006 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\13.Hours.In.A.Warehouse.2008.DVDRip.XviD-DOMiNO(2).torrent
[2008/10/20 17:23:36 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\Adopt a torrent.doc
[2008/10/16 20:25:46 | 00,038,496 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2008/10/16 20:25:34 | 00,015,504 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2008/10/16 10:46:04 | 00,185,065 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\FixPolicies.exe
[2008/10/16 10:39:45 | 00,076,648 | ---- | M] () -- C:\Documents and Settings\usuario\Configurações locais\Dados de aplicativos\GDIPFONTCACHEV1.DAT
[2008/10/16 10:39:21 | 00,270,984 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2008/10/16 08:51:02 | 00,000,142 | ---- | M] () -- C:\WINDOWS\TEXTware.ini
[2008/10/16 08:47:22 | 00,025,088 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\Fix.doc
[2008/10/15 20:36:57 | 00,030,720 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\Malwarebytes Full report.doc
[2008/10/15 18:13:45 | 00,175,648 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\activescan2_en.exe
[2008/10/15 18:10:31 | 00,001,806 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\HijackThis.lnk
[2008/10/15 11:23:16 | 00,000,477 | ---- | M] () -- C:\WINDOWS\win.ini
[2008/10/15 11:23:16 | 00,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2008/10/15 11:23:16 | 00,000,210 | RHS- | M] () -- C:\boot.ini
[2008/10/15 10:41:08 | 01,392,109 | -HS- | M] () -- C:\WINDOWS\System32\clnxdwxy.ini
[2008/10/15 09:30:06 | 00,000,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2008/10/15 08:54:31 | 00,339,292 | ---- | M] () -- C:\WINDOWS\System32\perfh016.dat
[2008/10/15 08:54:31 | 00,305,898 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2008/10/15 08:54:31 | 00,046,778 | ---- | M] () -- C:\WINDOWS\System32\perfc016.dat
[2008/10/15 08:54:31 | 00,038,148 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2008/10/15 08:54:30 | 00,737,568 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2008/10/15 08:47:40 | 00,701,952 | ---- | M] () -- C:\0000005738.exe
[2008/10/15 08:37:17 | 00,077,824 | ---- | M] () -- C:\WINDOWS\System32\vqfsvgvs.exe
[2008/10/15 03:15:18 | 00,094,208 | ---- | M] () -- C:\WINDOWS\evsw.exe
[2008/10/14 17:01:19 | 49,801,8304 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\Imagine - The Story of the Guitar, Out of the Frying Pan (12th October 2008) [TVRip (XviD)].avi
[2008/10/12 18:15:48 | 00,054,156 | -H-- | M] () -- C:\WINDOWS\QTFont.qfn
[2008/10/10 10:54:43 | 00,074,752 | ---- | M] () -- C:\WINDOWS\System32\YUR11.exe
[2008/10/10 10:54:42 | 00,024,064 | ---- | M] () -- C:\WINDOWS\System32\YUR2.exe
[2008/10/10 10:54:41 | 00,025,088 | ---- | M] () -- C:\WINDOWS\System32\YUR3.exe
[2008/10/10 10:54:41 | 00,025,088 | ---- | M] () -- C:\WINDOWS\System32\YUR18.exe
[2008/10/10 10:54:41 | 00,025,088 | ---- | M] () -- C:\WINDOWS\System32\YUR1.exe
[2008/10/10 10:54:41 | 00,024,064 | ---- | M] () -- C:\WINDOWS\System32\YUR4.exe
[2008/10/09 23:47:44 | 00,421,888 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\Welcome1.doc
[2008/10/08 18:09:25 | 00,001,445 | ---- | M] () -- C:\Documents and Settings\usuario\Meus documentos\Candy nfo.nfo
[2008/10/06 12:54:47 | 00,000,192 | ---- | M] () -- C:\WINDOWS\winamp.ini
[2008/10/04 19:30:54 | 00,036,352 | ---- | M] () -- C:\Documents and Settings\usuario\Desktop\PreToMe.doc
[2008/09/27 08:21:37 | 00,000,597 | ---- | M] () -- C:\Documents and Settings\usuario\Meus documentos\My Sharing Folders.lnk

< End of report >
Cat
OTListIt Extras logfile created on: 23/10/2008 14:58:26 - Run
OTListIt by OldTimer - Version 1.0.11.0 Folder = C:\Documents and Settings\usuario\Desktop
Windows XP Professional Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000416 | Country: Brasil | Language: PTB | Date Format: d/M/yyyy

1022,73 Mb Total Physical Memory | 712,79 Mb Available Physical Memory | 69,69% Memory free
1,65 Gb Paging File | 1,48 Gb Available in Paging File | 89,49% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Arquivos de programas
Drive C: | 74,55 Gb Total Space | 36,11 Gb Free Space | 48,43% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Drive G: | 149,04 Gb Total Space | 88,17 Gb Free Space | 59,16% Space Free | Partition Type: NTFS
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: CAT
Current User Name: usuario
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Whitelist: On
File Age = 30 Days

========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Arquivos de programas\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\IcmpSettings]

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
[2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007/01/04 17:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
[2004/10/13 14:24:37 | 01,694,208 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
File not found -- C:\Arquivos de programas\DAP\DAP.exe:*:Enabled:Download Accelerator Plus
[2005/03/04 15:33:11 | 00,204,845 | ---- | M] (RealNetworks, Inc.) -- C:\Arquivos de programas\Real\RealPlayer\realplay.exe:*:Enabled:RealPlayer
[2003/11/12 07:04:00 | 00,110,592 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\SAGENT4.EXE:*:Enabled:SAgent4
[2004/08/04 05:45:34 | 00,093,184 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer
[2004/08/16 19:18:33 | 00,147,460 | ---- | M] () -- C:\Arquivos de programas\AnalogX\Proxy\proxy.exe:*:Enabled:proxy
[1999/09/15 02:23:00 | 04,042,798 | ---- | M] (Lotus Development Corporation) -- C:\lotus\organize\org6.exe:*:Disabled:Lotus Organizer
[2008/05/18 15:41:01 | 00,219,952 | ---- | M] () -- C:\Arquivos de programas\uTorrent\utorrent.exe:*:Enabled:µTorrent
File not found -- C:\Arquivos de programas\mIRC\mirc.exe:*:Enabled:mIRC
[2006/10/12 11:15:57 | 02,023,424 | ---- | M] (mIRC Co. Ltd.) -- C:\Arquivos de programas\CyberScript32\mirc.exe:*:Enabled:mIRC
File not found -- C:\Arquivos de programas\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)
[2004/08/03 19:45:42 | 00,078,336 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\rtcshare.exe:*:Enabled:Compartilhamento de aplicativo RTC
[2004/08/04 05:45:31 | 01,040,384 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\NetMeeting\conf.exe:*:Enabled:Windows® NetMeeting®
[2007/01/01 19:22:02 | 03,739,648 | ---- | M] (Google) -- C:\Arquivos de programas\Google\Google Talk\googletalk.exe:*:Enabled:Google Talk
[2007/01/19 13:54:56 | 05,674,352 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1
[2007/01/04 17:10:02 | 00,297,752 | ---- | M] (Microsoft Corporation) -- C:\Arquivos de programas\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)
File not found -- C:\Arquivos de programas\BitComet\BitComet.exe:*:Disabled:BitComet
File not found -- C:\Arquivos de programas\eMule\emule.exe:*:Disabled:eMule
File not found -- C:\Arquivos de programas\Kazaa Lite K++\KazaaLite.kpp:*:Disabled:KazaaLite
File not found -- C:\Arquivos de programas\LimeWire\LimeWire.exe:*:Disabled:LimeWire
File not found -- C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer
[2008/04/07 20:26:40 | 00,098,488 | ---- | M] (SiSoftware) -- C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\RpcAgentSrv.exe:*:Enabled:SiSoftware Deployment Agent Service
[2008/04/07 20:26:40 | 01,429,680 | ---- | M] (SiSoftware) -- C:\Arquivos de programas\SiSoftware\SiSoftware Sandra Professional Business XII.SP2\WNt500x86\RpcSandraSrv.exe:*:Enabled:SiSoftware Sandra Agent Service
[2007/07/24 16:17:08 | 00,229,376 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
[2008/03/30 11:36:34 | 20,638,504 | ---- | M] (Apple Inc.) -- C:\Arquivos de programas\iTunes\iTunes.exe:*:Enabled:iTunes
[2008/06/19 23:10:36 | 07,101,216 | ---- | M] (SmartSoft Ltd.) -- C:\Arquivos de programas\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 3.0
[2004/08/03 19:45:34 | 00,045,056 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ftp.exe:*:Enabled:FileTransferProtocol

========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{028814FB-D05F-495E-81D7-636A87321025}" = CreativeProjectsTemplates
"{02DFF6B1-1654-411C-8D7B-FD6052EF016F}" = Apple Software Update
"{0BEDBD4E-2D34-47B5-9973-57E62B29307C}" = ATI Control Panel
"{0CBADDF4-2CF6-4CDB-B4F5-29B8FCA7FE07}" = Microsoft .NET Framework 1.1 Brazilian Portuguese Language Pack
"{11680998-6792-4DE9-8DE1-D6D041418B26}" = SkinsHP1
"{15EE79F4-4ED1-4267-9B0F-351009325D7D}" = HP Software Update
"{1666FA7C-CB5F-11D6-A78C-00B0D079AF64}" = Java 2 Runtime Environment, SE v1.4.1_01
"{1838C5A2-AB32-4145-85C1-BB9B8DFA24CD}" = QuickTime
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1E2F8AE3-3437-44E6-BB75-E95751D6B83F}" = Picture Package
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{21E75254-410E-49C4-8981-2E1A2A2221F2}" = HP Diagnostic Assistant
"{226b64e8-dc75-4eea-a6c8-abcb496320f2}-Google Talk" = Google Talk (remove only)
"{350C9416-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{3662AF19-6E4B-4F6D-A61C-F3CB6D67097D}" = QuickProjects
"{3C216C29-D74B-4ACF-852A-82C4F3EED2F7}" = Copy
"{3CF78481-FB7B-4B51-99A2-D5E0CD0B3AAF}" = HPSystemDiagnostics
"{3DED3A72-61A8-4B87-98A5-EF0BC8038AA0}" = DAEMON Tools
"{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}" = ATI HydraVision
"{41254D7B-EADF-4078-AE4A-BD73B300EE86}" = Unload
"{44734179-8A79-4DEE-BB08-73037F065543}" = Apple Mobile Device Support
"{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}" = Bonjour
"{49672EC2-171B-47B4-8CE7-50D7806360D7}" = Windows Live Sign-in Assistant
"{4E05249B-CC02-40E7-85B6-29627BFE9454}" = Scan
"{571700F0-DB9D-4B3A-B03D-35A14BB5939F}" = Windows Live Messenger
"{585776BC-4BD6-4BD2-A19A-1D6CB44A403B}" = iTunes
"{58EDAD68-7839-42D8-A6AD-854A9ECB8224}" = FileMaker Pro 6
"{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}" = Sony USB Driver
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{696C94BC-44BC-4B8E-ABAA-6FFC0F11A6D3}" = PhotoGallery
"{6F23C1A3-9F62-470C-BD12-B83F04E67865}" = SmartFTP Client
"{7107A761-B2F7-4BB0-84DA-CD90B562A72D}" = Director
"{720DAF8C-F9FD-4236-8EDD-75219B21E276}" = WriteExpress 3,001 Business & Sales Letters
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7CFD1028-F6C9-4b3c-BD20-51D56E7C7C8D}" = HP Scanjet 3770
"{827ECAB7-3F8E-4A66-A663-67A8F678536C}" = CreativeProjects
"{8777AC6D-89F9-4793-8266-DE406F343E89}" = QFolder
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{90110416-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edição 2003
"{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}" = VIA Integrated Setup Wizard
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{A10A14F5-DF18-4151-9EB0-B79ABBFE6863}" = WebReg
"{AC76BA86-7AD7-1033-7B44-A70700000002}" = Adobe Reader 7.0.7
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1591C79-1C35-4E09-AA15-F7D6923AFB96}" = HP Deskjet 3840
"{B32C75F2-7495-4D01-9431-C11E97D66F8C}" = DocProc
"{B3783869-5D14-4838-A042-910DF816D070}" = Xara3D6
"{B3A77A42-DCF7-4830-AE0E-8CEE34A76200}" = CueTour
"{B6D4C963-742C-46BF-BC7A-16ADD39FF3B7}" = Destinations
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{BCC992E5-5C81-4066-9B55-03DC10B24D21}" = InstantShare
"{C3113E55-7BCB-4de3-8EBF-60E6CE6B2196}_is1" = SiSoftware Sandra Professional Business XII.SP2
"{C3502B86-FAC7-43AA-82D8-AB30EC51596A}" = PrintScreen
"{CA0A1E54-CE0F-4366-B09C-A87B61DC5633}" = Symantec Network Drivers Update
"{CAF76A13-FA1A-4659-95CB-6F8FDE6BA030}" = hpg3770
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{D186329B-1B4D-408D-ABEC-EA5CE1F182C9}" = Overland
"{E889F95A-B9E3-4580-B3D7-43DBC9C9CD43}" = TrayApp
"{EFB21DE7-8C19-4A88-BB28-A766E16493BC}" = Adobe Photoshop CS
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F8C6BABF-0837-4EA0-AD6C-8E5A392A7538}" = ImageMixer VCD2
"321 Video Converter_is1" = 321 Video Converter 1.2.12
"ActiveScan 2.0" = Panda ActiveScan 2.0
"Ad-Aware SE Personal" = Ad-Aware SE Personal
"Adobe Acrobat 5.0" = Adobe Acrobat 5.0
"Adobe Flash Player Plugin" = Adobe Flash Player Plugin
"AdobeESD" = Adobe Download Manager 2.0 (Só remoção)
"All ATI Software" = ATI - Utilitário de desinstalação de software
"AnalogX Proxy" = AnalogX Proxy
"ATI Display Driver" = ATI Display Driver
"AviSynth" = AviSynth 2.5
"BSPlayer1" = BSPlayer
"CCleaner" = CCleaner (remove only)
"CloneCD" = CloneCD
"Discador Velox_is1" = Discador Velox 0.98
"DivX Content Uploader" = DivX Content Uploader
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Shrink_is1" = DVD Shrink 3.2
"DVDFab Platinum_is1" = DVDFab Platinum 3.1.1.6 Ghosthunter release
"DVDRIPNBURN_is1" = DVDRIPNBURN 4.0
"EfntSSDSL" = Efficient Networks SpeedStream DSL
"EPSON Printer and Utilities" = EPSON Printer Software
"ExpressBurn" = Express Burn Uninstall
"ExpressRip" = Express Rip Uninstall
"GSpot" = GSpot Codec Information Appliance
"HijackThis" = HijackThis 2.0.2
"HP Deskjet 3840 Series_Driver" = HP Deskjet 3840 Series
"HP Photo & Imaging" = HP Image Zone 4.0
"Informações Velox_is1" = Informações Velox
"InstallShield_{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}" = VIA Integrated Setup Wizard
"IsoBuster_is1" = IsoBuster 1.7
"Java Web Start" = Java Web Start
"KLiteCodecPack_is1" = K-Lite Codec Pack 2.85 Full
"L&H Power Translator Pro 7.0" = L&H Power Translator Pro 7.0
"LHTTSPTB" = L&H TTS3000 Português (Brasil)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Messenger Plus! Live" = Messenger Plus! Live & Sponsor (CiD)
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"mIRC" = mIRC
"Mozilla Firefox (2.0.0.17)" = Mozilla Firefox (2.0.0.17)
"MRW!UninstallKey" = Ahead InCD EasyWrite Reader
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"MV RegClean 5.5_is1" = MV RegClean 5.5
"Nero - Burning Rom!UninstallKey" = Nero 6
"NeroVision!UninstallKey" = NeroVision Express 2
"NMPUninstallKey" = Nero Media Player
"Organizer V99.1" = Lotus Organizer 6.0
"Oxford Advanced Genie" = Oxford Advanced Genie
"QuickSFV" = QuickSFV (Remove only)
"RealPlayer 6.0" = RealPlayer
"RecordPad" = RecordPad Sound Recorder Uninstall
"Shockwave" = Shockwave
"ShockwaveFlash" = Macromedia Flash Player 8
"SHOUTcastDSP" = SHOUTcast Source DSP 1.9.0 (remove only)
"SLAMRNTV" = NetoDragon 56K Voice Modem
"SmartFTP Client 2.5 Setup Files" = SmartFTP Client 2.5 Setup Files (remove only)
"SmartFTP Client 3.0 Setup Files" = SmartFTP Client 3.0 Setup Files (remove only)
"Total Video Player 1.03_is1" = Total Video Player 1.03
"UltraISO_is1" = UltraISO V7.6 ME
"WavePad" = WavePad Uninstall
"Winamp" = Winamp (remove only)
"Windows Media Format Runtime" = Windows Media Format Runtime
"Windows Media Player" = Windows Media Player 10
"Windows XP Service Pack" = Windows XP Service Pack 2
"WinRAR archiver" = WinRAR archiver
"WinZip" = WinZip
"Xilisoft iPod Manager" = Xilisoft iPod Rip

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{720DAF8C-F9FD-4236-8EDD-75219B21E276}" = WriteExpress 3,001 Business & Sales Letters
"uTorrent" = µTorrent

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"InstallShield_{720DAF8C-F9FD-4236-8EDD-75219B21E276}" = WriteExpress 3,001 Business & Sales Letters
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ System Events ]
Error - 23/10/2008 03:11:24 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 03:11:35 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 03:55:55 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 03:56:06 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 03:56:16 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 03:56:27 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 06:03:40 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 06:03:51 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 06:04:01 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}

Error - 23/10/2008 06:04:12 | Computer Name = CAT | Source = DCOM | ID = 10005
Description = Erro "%1058" no DCOM na tentativa de iniciar o serviço usnjsvc com
argumentos "" para iniciar o servidor: {98AC5C33-EE18-4EC2-BE25-3B16EE8F75F1}


< End of report >
Cat
Hi, sorry for the delay, I had some urgent work I had to get done before I could go back to my PC.
AdvancedSetup
Due to the use of Peer2Peer software and signs of illegal activity you need to uninstall these tools and quit using them if you want us to help you.

Delete this file for now and you can install a "Managed hosts file" later on.
C:\WINDOWS\System32\drivers\etc\Hosts

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

This key is invalid and needs repair. Make a backup first. Then edit it with REGEDIT and remove the trailing portion.
It should only have msv1_0 in that key.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages" = msv1_0,C:\WINDOWS\system32\awtUOefC,


Close ALL applications and browsers first.
Then start HJT and do a scan only and put a check mark on all of these entries if they're still there. Then click on Fix selected...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://200.165.104.28/home
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: (no name) - {81CE65E0-77F6-4C28-B2D2-FA74DB732742} - (no file)
O2 - BHO: {841254df-05e8-871st-9b84-a8ce42709e6c} - {c6e90724-ec8a-48b9-a178-8e50fd452148} - C:\WINDOWS\system32\fzcvoc.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Arquivos de programas\Java\j2re1.4.1_01\bin\npjpi141_01.dll
O9 - Extra button: PokerStars.net - {FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - C:\Arquivos de programas\PokerStars.NET\PokerStarsUpdate.exe
O14 - IERESET.INF: SEARCH_PAGE_URL = &http://home.microsoft.com/intl/br/access/allinone.asp
O17 - HKLM\System\CCS\Services\Tcpip\..\{389C889C-B558-932D-42BB-C911DCD62162}: NameServer = 192.168.254.254
O20 - AppInit_DLLs: fzcvoc.dll
O3 - HKCU\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKCU\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - Reg Error: Key does not exist or could not be opened. File not found
O3 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..\Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - Reg Error: Key does not exist or could not be opened. File not found
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingPage = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartMenuMorePrograms = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: StartMenuLogOff = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoToolbarCustomize = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispSettingPage = 1
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispBackgroundPage = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispScrSavPage = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispCPL = 0
O7 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: NoDispAppearancePage = 0
O15 - HKLM\..Trusted Sites: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKCU\..Trusted Sites: (msn in Meu computador)
O15 - HKU\S-1-5-21-220523388-688789844-1417001333-1003\..Trusted Sites: (msn in Meu computador)



Using REGEDIT browse to this location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components
and look for that Desktop Component 1: and remove it and any file it may point to.

Download SmitFraudFix by S!Ri and run it according to the instructions there.


Then run MBAM and go to the UPDATE tab and run a Quick Scan, fix anything found, REBOOT
Then after the reboot run another HJT and post back all the logs.
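The LSA repair described above (only msv1_0 belongs in the "Authentication Packages" value) and the Security Center and firewall values in the Extras log are the kind of thing a helper checks by eye. The script below is an added example, not tooling from this thread or from Malwarebytes: it runs those checks over a pasted log excerpt. The indicator rules are an assumption about what a helper looks for, and SAMPLE_LOG is constructed from the values shown on this page.

```python
"""Offline triage of the registry lines quoted in a HijackThis / OTListIt
log excerpt. Added example, not tooling from the thread or from
Malwarebytes: the rule set is an assumption about what a helper checks,
and SAMPLE_LOG is constructed from the values shown in this thread."""
import re

# Packages lsass.exe legitimately loads on Windows XP. Anything else in the
# "Authentication Packages" list is loaded into lsass at boot, which is how
# the infection in the thread keeps coming back after its files are deleted.
KNOWN_AUTH_PACKAGES = {"msv1_0"}

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SC_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile")

# OTListIt prints a key either as [HKEY_...] or bare, followed by "Name" = data.
KEY_RE = re.compile(r"^\[?(HKEY_[A-Z_]+\\[^\]]*?)\]?\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(.*?)\s*$", re.M)

# Constructed sample: the values this thread's Extras log and fix list show.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisableNotify" = 0
"AntiVirusOverride" = 1
"FirewallOverride" = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages" = msv1_0,C:\WINDOWS\system32\awtUOefC,

O20 - AppInit_DLLs: fzcvoc.dll
"""


def parse_registry_lines(text):
    """Return {key_path: {value_name: data}} for the key/value lines in text."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            tree[current][m.group(1)] = m.group(2)
    return tree


def split_packages(raw):
    """Split the comma-joined list OTListIt prints for a REG_MULTI_SZ value,
    dropping the empty entry a trailing comma leaves behind."""
    return [e.strip() for e in raw.split(",") if e.strip()]


def extra_auth_packages(tree):
    """Entries in Lsa\\Authentication Packages that are not known packages."""
    raw = tree.get(LSA_KEY, {}).get("Authentication Packages", "")
    return [e for e in split_packages(raw) if e.lower() not in KNOWN_AUTH_PACKAGES]


def cleaned_auth_packages(raw):
    """The value to write back: known packages only. msv1_0 is always kept,
    because an empty list would leave lsass unable to process local logons."""
    kept = [e for e in split_packages(raw) if e.lower() in KNOWN_AUTH_PACKAGES]
    return ",".join(kept or ["msv1_0"])


def appinit_dlls(text):
    """DLL names from HijackThis O20 lines; an empty AppInit_DLLs is normal."""
    found = []
    for m in APPINIT_RE.finditer(text):
        found.extend(d for d in re.split(r"[ ,]+", m.group(1)) if d)
    return found


def triage(text):
    """Human-readable findings for the tampering indicators in a log excerpt."""
    tree = parse_registry_lines(text)
    findings = []
    for pkg in extra_auth_packages(tree):
        findings.append(f"LSA Authentication Packages loads an extra module: {pkg}")
    for dll in appinit_dlls(text):
        findings.append(f"AppInit_DLLs loads into every process that uses user32.dll: {dll}")
    if tree.get(SC_KEY, {}).get("AntiVirusOverride") == "1":
        findings.append("Security Center: AntiVirusOverride=1, missing-AV alerts suppressed")
    if tree.get(FW_KEY, {}).get("EnableFirewall") == "0":
        findings.append("Windows Firewall is off on the StandardProfile")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

In the live registry "Authentication Packages" is a REG_MULTI_SZ; OTListIt joins its entries with commas, which is where the stray trailing comma in the log comes from. When repairing it in regedit, leave exactly one entry, msv1_0, with no blank line after it, and give the sibling "Security Packages" and "Notification Packages" values in the same Lsa key the same look, since they are loaded by lsass the same way.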
AdvancedSetup
Were you able to run this yet? How is the system doing?

Please post back the logs so we know what's going on.
AdvancedSetup
Hi Cat,

Please provide the requested information or a status update. If I don't hear back by tomorrow I will be closing this thread.
AdvancedSetup
Since there has been no response in 5 days I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org