Virus removal

вяυиασ 1988, delete the autorunsc.exe tool and the Autoruns folder. Delete catchme.log from the desktop.

Go to Start > Run, type the two commands below (one after the other) in the box and click OK for each of them:

REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPK" /v FARMING /t REG_DWORD /d 000000a8 /f

REG ADD "HKCU\SYSTEM\CurrentControlSet\Control\Lsa" /v /s upkkscr /t REG_DWORD /d 000000x891 /f

Right after this, run the catchme.exe tool again and click the "Script" tab.

Paste the text below into the tool's blank window and click the Run button:

Code:
Files to kill:
C:\WINDOWS\system32\upkkscr.sys 
C:\WINDOWS\system32\drivers\ingru.sys 
C:\WINDOWS\system32\drivers\njahs.sys 
C:\Windows\System32\drivers\ohdusb.sys 
C:\WINDOWS\system32\drivers\pdfgii.sys 
C:\WINDOWS\system32\drivers\routad.sys 
C:\WINDOWS\system32\drivers\vuduu33.sys 
C:\WINDOWS\system32\drivers\w5bbu.sys

Click OK on the message that will appear.
Still in the catchme panel, click the Restart button to reboot the PC.

After the system restarts, generate a new catchme.exe log (by clicking Scan) and post it here, вяυиασ 1988.
 
OK, here it is, Mr wolf

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-24 18:40:13
Windows 6.00.1905 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UPK]
"Farming"=dword:000000a8
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"upkkscr"=dword:000000x891

scanning hidden files ...

C:\WINDOWS\system32\upkkscr.sys 227996 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
 
This Goldun.Fam rootkit is a tough one! Besides running at kernel level and being extremely hard to remove, it keeps damaging some important Windows files. If we manage to solve your problem, вяυиασ 1988, it may be necessary to run sfc /scannow on your system, otherwise it will end up so buggy that you won't even be able to open the Control Panel.

Please post a new HijackThis log here, вяυиασ 1988.
 
There it is.......
Man, thanks for everything......
Congratulations on the work, very good.......

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:04:55, on 24/05/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\SysWOW64\conime.exe
C:\Program Files (x86)\Winamp\winampa.exe
C:\Windows\system32\taskeng.exe
C:\Program Files (x86)\Windows Defender\MSASCui.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\SysMonitor.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files (x86)\MagicDisc\MagicDisc.exe
C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files (x86)\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\Windows Media Player\wmpnscfg.exe
C:\Program Files (x86)\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Users\PITCHUCA\AppData\Local\Temp\atmadm2.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Auxiliar de Conexão do Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\ievkbd.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files (x86)\Free Download Manager\iefdm2.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files (x86)Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files (x86)\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [w3dr.exe] C:\Program Files (x86)\Warcraft III\w3dr.exe
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files (x86)\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Babylon Client] "C:\Program Files (x86)\Babylon\Babylon-Pro\Babylon.exe" -AutoStart
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files (x86)\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files (x86)\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [Free Download Manager] C:\Program Files (x86)\Free Download Manager\fdm.exe -autorun
O4 - HKCU\..\Run: [Skype] "C:\Program Files (x86)\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] C:\Program Files (x86)\Windows Sidebar\Sidebar.exe /detectMem (User 'SERVIÇO DE REDE')
O4 - Startup: MiniMinder.lnk = C:\Program Files (x86)\MiniMind\MiniMind.exe
O4 - Startup: Stardock ObjectDock.lnk = C:\Program Files (x86)\Stardock\ObjectDock\ObjectDock.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Arquivos de programas\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~2\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files (x86)\AIM\aim.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O11 - Options group: [JWDSearch] JWord ƒvƒ‰ƒOƒCƒ“
O13 - Gopher Prefix:
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.Microsoft.com/intl/br/access/allinone.asp
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{57EE6B48-5B52-494A-93E2-C97B23939C93}: NameServer = 200.169.116.22 200.169.116.23
O20 - AppInit_DLLs: C:\PROGRA~2\KASPER~1\KASPER~1\mzvkbd.dll,C:\PROGRA~2\KASPER~1\KASPER~1\adia lhk.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files (x86)\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: TeamViewer 3 (TeamViewer) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer3\TeamViewer_Host.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files (x86)\LogMeIn\x86\LogMeIn.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files (x86)\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\Windows\system32\PnkBstrB.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe

--
End of file - 7120 bytes
 
вяυиασ 1988, follow the instructions below in the spoiler:

Step 1

Download Spy the Spy and save it to the desktop.

Install the program normally and, after installation, right-click its icon next to the clock [image: 2dt4rc2.jpg] and select the "Settings" option.
Click the Add Folder button and select the following folders:

C:\Windows\System
C:\Windows\System32\Drivers

Click OK. Check the "Include Subfolders" option > OK.

After this, pay special attention to this setting, friend вяυиασ 1988. If any file tries to be added to or modified in these folders, a Spy the Spy alert will appear. If that happens, click the Move to Quarantine button on every alert to block changes in these folders, temporarily.


Step 2

Open Notepad and paste the text below into it:

Code:
@echo off
regedit /e C:\cp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
more C:\cp.reg >> C:\Display.txt
notepad C:\Display.txt
del /q c:\cp.reg
del /q C:\Display.txt

Save it to the desktop as SEARCH.bat and run this file as administrator.

Some information will open in Notepad (Display.txt) for you. Copy and paste the contents of this file here, вяυиασ 1988.
 
Pedrinn, as you could see in the result, nothing was found! That means you are finally free of Sality. :)

Delete all the tools we used in your case, Pedrinn. Except Malwarebytes: if you want to keep it, there's no problem, it's even recommended. The other tools you can remove, all of them without exception, and don't use them on your own.

How is the PC, Pedrinn?
 
Wow, Mr.Wolf, I'm very happy with this news after a week fighting this damned Sality!

Thanks to you, right? (Mr.Wolf, you're really good, man!)


I'm very grateful for your help :D

My PC is better, it's not reporting any virus!

Any problem I have, I'll definitely let you know, because you're AWESOME.
 

OK, I installed Spy the Spy here.....
Then, right when I set the configuration you told me, it already gave an alert, I don't know if it was a file trying to get in or something moving in the folder, but I clicked move to quarantine like you said, did I do it right???
Cool little program, man, what is it for, just to monitor those folders like that??? or is it an antivirus and stuff????
Then I did that thing in Notepad and it gave this here....

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:00000200
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"fulladminin"=hex:01
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Force Desktop]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:33,44,80,d1,32,92,ac,03,9d,a8,76,06,62,53,6a,2b,33,62,64,65,36,\
39,61,31,00,fd,07,00,c6,15,00,00,34,fa,07,00,56,82,4a,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,cb,e5,5a,af,43,82,de,28,6b,c6,5b,3b
"Active"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:4a,9f,34,81,a0,7a,bf,af,ba

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:a0,5d,69,ff,54,1e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:48,47,46,67,1e,d8,28,16,f9,62,6b,c0,82,a4,67,89

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:e0,58,5f,23,35,c5,c9,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,75,e9,77,d5,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,a2,1a,79,d5,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"UPK Force"=dword:00000001
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,cf,4b,7a,d5,79,c4,01
"Type"=dword:00000031
:yes:
 
Then, right when I set the configuration you told me, it already gave an alert, I don't know if it was a file trying to get in or something moving in the folder, but I clicked move to quarantine like you said, did I do it right???
Yes, you did it right. :thumbs_up

Do that every time the program shows an alert.

Cool little program, man, what is it for, just to monitor those folders like that??? or is it an antivirus and stuff????
It's not an antivirus. It's a HIPS.

Follow the instructions in the spoiler below, вяυиασ 1988.
NOTE: Close all open windows before following the procedures below. It is also necessary to disable the antivirus.

Step 1

Download the tool below and extract the files from the zip to the desktop:
ftp://ftp.f-secure.com/anti-virus/tools/f-mem10.zip

Run the F-mem.exe file as administrator and follow the on-screen instructions.
If at the end it asks you to restart the computer, do so.


Step 2

Download RegDelNull and extract the file to C:\

Run the RegDelNull.exe file as administrator.
Open Notepad on the PC and paste the text below into it:

Code:
C:> RegDelNull *

DEL:> [-s] HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - RegDelNull -> Key "fulladminin" -s
DEL:> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Force Desktop -> Value "Force Desktop" -m

C:> RegDelNull | Properties (9) | NT's "\dev\kmem"

NULL:> Hex:> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data - RegDelNull -> Key Hex "Active" -s
NULL:> REG_DWORD:> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ DLL UNREGISTERED -> 
msnsspc.dll - RegDelNull -> ROOTKIT "UPK Force"

C:> RegDelNull -exit

C:> Exit

Save it as DelReg.txt in C:. Drag the file onto RegDelNull.exe as shown in the image below and wait for the tool to run automatically:

[image: 2gui3wo.gif]


Your computer may be restarted automatically, just wait!

Step 3

Create the SEARCH.bat file again as I described earlier and post the contents of the log here:

Open Notepad and paste the text below into it:

Code:
@echo off
regedit /e C:\cp.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
more C:\cp.reg >> C:\Display.txt
notepad C:\Display.txt
del /q c:\cp.reg
del /q C:\Display.txt

Save it to the desktop as SEARCH.bat and run this file as administrator.

Some information will open in Notepad (Display.txt) for you. Copy and paste the contents of this file here, brunao.
 

Mr wolf, I did the thing in Notepad there, but what do I do after that???? :cry:
Like, I downloaded the 2 programs and did everything with the first one, f-mem, which was really quick and didn't even ask to restart......
Then I ran regdelnull and pasted the stuff into Notepad, is that all???
And do I go straight to step 3??? :cry:
 
Oh, friend вяυиασ 1988, sorry for the slip of not including the rest of the procedure.

I have already edited the previous post.
 
Here's the new search.bat, Mr wolf.....
What's the next step??

Thanks.....

Man, how do you know all this???? I used to know a few batch commands myself, but I'm not in shape for that anymore.....hauheuehuahauehauha


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,00,\
00
"Bounds"=hex:00,30,00,00,00,20,00,00
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
00
"ImpersonatePrivilegeUpgradeToolHasRun"=dword:00000001
"LsaPid"=dword:00000200
"SecureBoot"=dword:00000001
"auditbaseobjects"=dword:00000000
"crashonauditfail"=dword:00000000
"disabledomaincreds"=dword:00000000
"everyoneincludesanonymous"=dword:00000000
"fipsalgorithmpolicy"=dword:00000000
"forceguest"=dword:00000001
"fullprivilegeauditing"=hex:00
"limitblankpassworduse"=dword:00000001
"lmcompatibilitylevel"=dword:00000000
"nodefaultadminowner"=dword:00000001
"nolmhash"=dword:00000000
"restrictanonymous"=dword:00000000
"restrictanonymoussam"=dword:00000001
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
"enabledcom"="y"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders]
"ProviderOrder"=hex(7):57,00,69,00,6e,00,64,00,6f,00,77,00,73,00,20,00,4e,00,\
54,00,20,00,41,00,63,00,63,00,65,00,73,00,73,00,20,00,50,00,72,00,6f,00,76,\
00,69,00,64,00,65,00,72,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider]
"ProviderPath"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,\
00,74,00,25,00,5c,00,73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\
6e,00,74,00,6d,00,61,00,72,00,74,00,61,00,2e,00,64,00,6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data]
"Pattern"=hex:33,44,80,d1,32,92,ac,03,9d,a8,76,06,62,53,6a,2b,33,62,64,65,36,\
39,61,31,00,fd,07,00,c6,15,00,00,34,fa,07,00,56,82,4a,75,20,fa,07,00,40,fd,\
07,00,4c,fd,07,00,cb,e5,5a,af,43,82,de,28,6b,c6,5b,3b

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG]
"GrafBlumGroup"=hex:4a,9f,34,81,a0,7a,bf,af,ba

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD]
"Lookup"=hex:a0,5d,69,ff,54,1e

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"Auth132"="IISSUBA"
"ntlmminclientsec"=dword:00000000
"ntlmminserversec"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1]
"SkewMatrix"=hex:48,47,46,67,1e,d8,28,16,f9,62,6b,c0,82,a4,67,89

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4]
"SSOURL"="http://www.passport.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache]
"Time"=hex:e0,58,5f,23,35,c5,c9,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll]
"Name"="Digest"
"Comment"="Digest SSPI Authentication Package"
"Capabilities"=dword:00004050
"RpcId"=dword:0000ffff
"Version"=dword:00000001
"TokenSize"=dword:0000ffff
"Time"=hex:00,75,e9,77,d5,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll]
"Name"="DPA"
"Comment"="DPA Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000011
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,a2,1a,79,d5,79,c4,01
"Type"=dword:00000031

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"Comment"="MSN Security Package"
"Capabilities"=dword:00000037
"RpcId"=dword:00000012
"Version"=dword:00000001
"TokenSize"=dword:00000300
"Time"=hex:00,cf,4b,7a,d5,79,c4,01
"Type"=dword:00000031
 
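The thread compares the two Lsa exports (the one posted earlier and the one just above) by eye. As an added example, not code from the thread or from any tool named in it, the Python below parses the regedit /e format that SEARCH.bat writes to Display.txt, decodes the hex(7) package lists, and reports which keys and values disappeared between the two exports; the stock package baseline is an assumption for a Vista-era build, and the sample exports are constructed, abridged copies of the two dumps.

```python
"""Parse a 'regedit /e' export (the Display.txt that SEARCH.bat opens) and review
the LSA key: decode the hex(7) package lists, list what vanished between two
exports, and flag package names outside a stock baseline. Added example, not
code from the thread; the samples are constructed, abridged from both dumps."""
import re
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample, abridged from the first export posted (before cleanup).
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00
"fulladminin"=hex:01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Force Desktop]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"UPK Force"=dword:00000001
"""

# Constructed sample, abridged from the second export (after cleanup).
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,00,\
  00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll]
"Name"="MSN"
"""


def decode_value(raw):
    """Decode one .reg value body into (type name, Python value)."""
    if raw.startswith('"') and raw.endswith('"'):
        return "REG_SZ", raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return "REG_DWORD", int(raw[6:], 16)
    m = re.match(r"hex(?:\((\w+)\))?:(.*)", raw)
    if m is None:
        raise ValueError("unsupported value syntax: " + raw)
    kind = int(m.group(1) or "3", 16)  # bare 'hex:' means REG_BINARY (type 3)
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b)
    if kind == 7:  # REG_MULTI_SZ: UTF-16LE strings, NUL-separated, double NUL at end
        return "REG_MULTI_SZ", [s for s in data.decode("utf-16-le").split("\0") if s]
    return "REG_BINARY", data.hex()


def parse_reg_export(text):
    """Return {key path: {value name: (type, value)}} for one regedit /e export."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # a trailing '\' continues the value
    export, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            export.setdefault(current, {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m is None or current is None:
            raise ValueError("unexpected line: " + line)
        export[current][m.group(1)] = decode_value(m.group(2))
    return export


def removed_entries(before, after):
    """(key, value name) pairs in `before` but gone in `after`; name None = whole key."""
    gone = []
    for key, values in before.items():
        if key not in after:
            gone.append((key, None))
        else:
            gone.extend((key, n) for n in values if n not in after[key])
    return gone


# Stock LSA package names (assumption: Vista-era baseline; confirm on a clean build).
EXPECTED_PACKAGES = {
    "Authentication Packages": {"msv1_0"},
    "Security Packages": {"kerberos", "msv1_0", "schannel", "wdigest", "tspkg"},
    "Notification Packages": {"scecli", "rassfm"},
}


def unexpected_lsa_packages(export):
    """Package names under the LSA key outside the baseline (loaded into lsass.exe)."""
    lsa = export.get(LSA_KEY, {})
    foreign = {}
    for name, allowed in EXPECTED_PACKAGES.items():
        entries = lsa.get(name, ("REG_MULTI_SZ", []))[1]
        extra = [e for e in entries if e.lower() not in allowed]
        if extra:
            foreign[name] = extra
    return foreign
```

Run parse_reg_export on the two saved Display.txt files and pass the results to removed_entries to get the same list the thread works out by hand.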
Try defragmenting the machine, Carol.

________________________________________


Rhyrioth, follow the steps below:

- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so it does not detect the tool as a virus;
● Double-click the combofix.exe icon to start the scan;
● Read the agreement that appears and click Yes to continue;
● A Recovery Console window will open; click Yes to install. If another Console window appears, click OK > Yes;
● Wait while ComboFix runs the scan;
● If any problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
● Do not click in the ComboFix window and try not to use the keyboard either, so as not to disturb the tool's scan;
● If you want to quit or stop ComboFix, press N;
● When it finishes, your machine will be restarted. After the restart, the tool will run again; wait;
● A log will be generated at C:\ComboFix.txt.

Paste this log in your next reply.

Hi everyone, good afternoon!

Friend Rhyrioth, the three links here are working perfectly, with no problem at all! The two links you said don't open opened here and are opening perfectly, 100%. The problem is only on your end, dear friend.
You don't need to register on ForoSpyware to download the tool. The ComboFix link on the forum's server really does have problems.

But to be quicker, Rhyrioth, I uploaded the file for you:

http://rapidshare.com/files/236816273/ComboFix.exe.html

I think I left my post a bit poorly explained: I registered on the site, managed to download it and had already sent it to the company's e-mail... you didn't need to host it for me, brother, but thanks for the intention anyway :D

I followed the steps and here is the log:
ComboFix 09-05-24.07 - Raphael 25/05/2009 9:25.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.55.1046.18.895.665 [GMT -3:00]
Executando de: c:\documents and settings\Raphael\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((( Arquivos/Ficheiros criados de 2009-04-25 to 2009-05-25 ))))))))))))))))))))))))))))
.

2009-05-22 11:57 . 2009-05-22 11:57 -------- d-----w C:\KillBox
2009-05-21 20:51 . 2009-05-21 20:52 -------- d-----w C:\LinhaDefensiva
2009-05-21 14:59 . 2009-05-21 14:59 579072 ----a-w c:\windows\system32\dllcache\user32.dll
2009-05-20 11:47 . 2009-05-20 11:47 -------- d-----w c:\arquivos de programas\Trend Micro
2009-05-19 13:43 . 2000-03-01 05:06 59492 ----a-w c:\windows\system32\EBPMON2.DLL
2009-05-19 13:43 . 2009-05-19 13:43 -------- d-----w c:\arquivos de programas\Arquivos comuns\EPSON
2009-05-19 13:43 . 1999-07-19 13:27 203776 ----a-w c:\windows\system32\EBAPI.dll
2009-05-19 13:43 . 1999-07-16 04:01 100864 ----a-w c:\windows\system32\ebpthp.dll
2009-05-19 13:43 . 1998-04-03 20:15 108032 ----a-w c:\windows\system32\EBUtil.dll
2009-05-19 11:50 . 2008-04-13 22:20 21504 ----a-w c:\windows\system32\hidserv.dll
2009-05-19 11:50 . 2008-04-13 22:20 21504 ----a-w c:\windows\system32\dllcache\hidserv.dll
2009-05-19 11:49 . 2008-04-13 14:45 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-05-19 11:49 . 2008-04-13 14:45 32128 ----a-w c:\windows\system32\dllcache\usbccgp.sys
2009-05-18 11:40 . 2009-05-18 11:40 -------- d-sh--w C:\FOUND.000
2009-05-15 14:19 . 2009-05-15 14:19 -------- d--h--w c:\arquivos de programas\Scpad
2009-05-14 16:07 . 2009-05-14 16:07 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-13 14:30 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-13 14:30 . 2009-02-09 11:25 2193280 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-13 14:30 . 2009-03-06 14:20 286208 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-13 14:30 . 2009-02-09 11:25 111104 ------w c:\windows\system32\dllcache\services.exe
2009-05-13 14:30 . 2009-02-09 10:53 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-13 14:30 . 2009-02-09 10:53 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-13 14:30 . 2009-02-09 10:53 683520 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-13 14:30 . 2009-02-09 10:53 731648 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-13 14:30 . 2009-02-09 10:53 730624 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-13 14:30 . 2009-02-09 10:53 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-13 14:30 . 2009-02-09 11:25 2149376 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-13 14:30 . 2009-02-09 11:25 2028032 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-13 14:29 . 2008-04-21 21:15 216064 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-13 14:28 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-05-13 14:26 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-05-13 14:26 . 2008-09-04 17:16 1106944 ------w c:\windows\system32\dllcache\msxml3.dll
2009-05-13 14:26 . 2008-10-15 16:36 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-05-13 14:25 . 2008-05-01 14:36 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-13 14:25 . 2008-04-11 19:05 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-05-13 14:24 . 2008-05-09 10:55 90112 ------w c:\windows\system32\dllcache\wshext.dll
2009-05-13 14:24 . 2008-05-09 10:55 180224 ------w c:\windows\system32\dllcache\scrobj.dll
2009-05-13 14:24 . 2008-05-09 10:55 172032 ------w c:\windows\system32\dllcache\scrrun.dll
2009-05-13 14:24 . 2008-05-09 08:45 135168 ------w c:\windows\system32\dllcache\cscript.exe
2009-05-13 14:24 . 2008-05-08 11:24 155648 ------w c:\windows\system32\dllcache\wscript.exe
2009-05-13 14:24 . 2008-06-14 17:34 272384 ------w c:\windows\system32\dllcache\bthport.sys
2009-05-13 14:24 . 2008-05-08 14:02 203136 ------w c:\windows\system32\dllcache\rmcast.sys
2009-05-13 14:11 . 2008-09-10 01:15 1307648 ----a-w c:\windows\system32\msxml6.dll
2009-05-13 14:11 . 2008-09-10 01:15 1307648 ------w c:\windows\system32\dllcache\msxml6.dll
2009-05-13 14:11 . 2008-04-13 21:58 86016 ------w c:\windows\system32\msxml6r.dll
2009-05-13 14:11 . 2008-04-13 21:58 86016 ------w c:\windows\system32\dllcache\msxml6r.dll
2009-05-13 14:04 . 2009-05-13 14:04 -------- d-----w c:\windows\ServicePackFiles
2009-05-13 14:03 . 2008-04-13 22:20 294912 ------w c:\windows\system32\dllcache\dlimport.exe
2009-05-13 13:54 . 2009-05-13 13:54 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-13 13:53 . 2009-05-13 13:53 -------- d-----w c:\windows\EHome
2009-05-13 13:50 . 2009-05-13 13:50 -------- d-----r c:\documents and settings\LocalService\Favoritos
2009-05-13 13:37 . 2009-05-13 13:37 -------- d-sh--w c:\documents and settings\Raphael\IECompatCache
2009-05-13 13:34 . 2009-05-13 13:34 -------- d-sh--w c:\documents and settings\Raphael\PrivacIE
2009-05-13 13:33 . 2009-05-13 13:33 -------- d-sh--w c:\documents and settings\Raphael\IETldCache
2009-05-13 13:25 . 2009-05-13 13:25 -------- d-----w c:\windows\ie8updates
2009-05-13 13:22 . 2009-05-13 13:22 -------- d--h--w c:\windows\ie8
2009-05-13 13:22 . 2009-05-13 13:22 -------- d-----w c:\windows\system32\pt-BR
2009-05-13 13:17 . 2009-04-25 05:30 102400 ------w c:\windows\system32\dllcache\iecompat.dll
2009-05-13 12:28 . 2005-04-06 14:30 26752 ----a-w c:\windows\system32\drivers\ipfnd51.sys
2009-05-13 12:06 . 2009-05-13 12:06 9728 ----a-w c:\windows\system32\37.scr
2009-05-13 11:49 . 2009-01-07 21:21 26144 ----a-w c:\windows\system32\spupdsvc.exe
2009-05-12 20:52 . 2009-05-12 20:52 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!
2009-05-12 20:49 . 2009-05-12 20:50 -------- d-----w c:\arquivos de programas\Lavalys
2009-05-12 19:25 . 2009-05-22 22:35 1 ----a-w c:\documents and settings\Raphael\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-12 19:25 . 2009-05-12 19:25 -------- d-----w c:\documents and settings\Raphael\Dados de aplicativos\BrOffice.org
2009-05-12 18:36 . 2008-10-16 17:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-12 18:36 . 2008-10-16 17:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-05-12 18:33 . 2009-05-12 18:33 -------- d-----w c:\arquivos de programas\Messenger Plus! Live
2009-05-12 18:32 . 2009-05-12 18:32 -------- d-sh--w c:\documents and settings\Raphael\UserData
2009-05-12 18:27 . 2009-05-12 18:27 -------- d-----w c:\arquivos de programas\BrOffice.org 3
2009-05-12 17:52 . 2009-05-12 17:52 -------- d-----w c:\arquivos de programas\winsic
2009-05-12 17:41 . 2009-05-12 17:41 -------- d-----w c:\documents and settings\Raphael\Dados de aplicativos\Tibia
2009-05-12 17:41 . 2009-05-12 17:41 -------- d-----w c:\arquivos de programas\Tibia
2009-05-12 17:01 . 2009-05-12 17:01 -------- d-----w c:\documents and settings\Raphael\Dados de aplicativos\Foxit
2009-05-12 17:01 . 2009-05-12 17:01 -------- d-----w c:\arquivos de programas\Foxit Software
2009-05-12 16:57 . 2009-05-12 16:57 -------- d-----w c:\documents and settings\Raphael\Contacts
2009-05-12 14:55 . 1997-04-18 14:53 298496 ----a-w c:\windows\unin0416.exe
2009-05-12 14:55 . 2009-05-12 14:55 -------- d-----w c:\documents and settings\Raphael\WINDOWS
2009-05-12 14:55 . 2009-05-12 14:55 -------- d-----w C:\LXKZ600
2009-05-12 14:54 . 2009-05-12 14:54 -------- d-----w c:\windows\system32\DRVSTORE
2009-05-12 14:38 . 2009-05-12 14:38 -------- d-sh--w c:\arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2009-05-12 14:37 . 2009-05-12 14:37 -------- d-----w c:\arquivos de programas\Windows Live
2009-05-12 14:37 . 2009-05-12 14:37 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller
2009-05-12 14:03 . 2009-03-30 13:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-12 14:03 . 2009-03-24 19:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-12 14:03 . 2009-02-13 15:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-12 14:03 . 2009-02-13 15:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-12 14:03 . 2009-05-12 14:03 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Avira
2009-05-12 14:03 . 2009-05-12 14:03 -------- d-----w c:\arquivos de programas\Avira
2009-05-12 13:41 . 2009-05-12 13:41 0 ----a-w c:\windows\nsreg.dat
2009-05-12 13:22 . 2009-05-12 13:22 11656 ----a-w c:\windows\system32\drivers\sysdrv32.VIR
2009-05-12 13:13 . 2009-05-12 13:13 -------- d-----w c:\windows\nview
2009-05-12 13:13 . 2008-05-02 14:46 442368 ----a-w c:\windows\system32\nvudisp.exe
2009-05-12 13:11 . 2009-05-12 13:11 -------- d-----w c:\arquivos de programas\Arquivos comuns\InstallShield
2009-05-12 12:55 . 2008-03-25 03:48 54400 ----a-r c:\windows\system32\drivers\NVENETFD.sys
2009-05-12 12:55 . 2008-03-25 03:47 200704 ----a-r c:\windows\system32\fdco1ins.dll
2009-05-12 12:55 . 2008-03-25 03:47 200704 ----a-r c:\windows\system32\fdco1.dll
2009-05-12 12:55 . 2008-03-12 04:14 3948 ----a-r c:\windows\system32\drivers\nvphy.bin
2009-05-12 12:55 . 2008-03-14 02:47 442368 ----a-w c:\windows\system32\nvunrm.exe
2009-05-12 12:55 . 2008-03-25 03:48 22016 ----a-r c:\windows\system32\drivers\nvnetbus.sys
2009-05-12 12:55 . 2008-03-25 03:47 953088 ----a-r c:\windows\system32\drivers\nvnrm.sys
2009-05-12 12:55 . 2008-03-25 03:46 9216 ----a-r c:\windows\system32\bdco1ins.dll
2009-05-12 12:55 . 2008-03-25 03:46 9216 ----a-r c:\windows\system32\bdco1.dll
2009-05-12 12:55 . 2008-03-14 02:47 35840 ----a-r c:\windows\system32\nvconrm.dll
2009-05-12 12:55 . 2008-01-10 06:30 442368 ----a-r c:\windows\system32\nvusmb.exe
2009-05-12 12:55 . 2008-05-08 18:57 446464 ----a-w c:\windows\system32\NVUNINST.EXE
2009-05-12 12:54 . 2006-10-11 03:33 10288 ----a-w c:\windows\system32\drivers\ASUSHWIO.SYS
2009-05-12 11:48 . 2008-04-13 14:47 25856 ----a-w c:\windows\system32\drivers\usbprint.sys

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-13 17:18 . 2006-03-02 15:00 48628 ----a-w c:\windows\system32\perfc016.dat
2009-05-13 17:18 . 2006-03-02 15:00 344380 ----a-w c:\windows\system32\perfh016.dat
2009-05-12 13:09 . 2009-05-12 07:26 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-12 07:39 . 2009-05-12 07:39 -------- d-----w c:\arquivos de programas\Arquivos comuns\Borland Shared
2009-05-12 07:27 . 2009-05-12 07:27 -------- d-----w c:\arquivos de programas\microsoft frontpage
2009-05-12 07:25 . 2009-05-12 07:25 -------- d-----w c:\arquivos de programas\Serviços on-line
2009-05-12 07:23 . 2009-05-12 07:23 -------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços
2009-05-12 07:22 . 2009-05-12 07:22 21844 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-08 07:34 . 2006-03-02 15:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 07:34 . 2006-03-02 15:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2006-03-02 15:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 07:33 . 2006-03-02 15:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2006-03-02 15:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 07:32 . 2006-03-02 15:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2006-03-02 15:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2006-03-02 15:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2006-03-02 15:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 07:22 . 2006-03-02 15:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:20 . 2006-03-02 15:00 286208 ----a-w c:\windows\system32\pdh.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-02 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
EPSON Status Monitor 3 Environment Check.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-2-3 222720]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [12/5/2009 11:03 108289]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [12/5/2009 17:50 26224]
S3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [13/5/2009 09:28 26752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Raphael\Dados de aplicativos\Mozilla\Firefox\Profiles\wzktma3t.default\

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-25 09:26
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...


**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(3912)
c:\docume~1\Raphael\CONFIG~1\Temp\catchme.dll
.
Tempo para conclusão: 2009-05-25 9:28
ComboFix-quarantined-files.txt 2009-05-25 12:26
ComboFix2.txt 2009-05-25 12:15

Pré-execução: 2.948.268.032 bytes disponíveis
Pós execução: 2.938.249.216 bytes disponíveis

WindowsXP-KB310994-SP2-Home-BootDisk-PTB.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

202
 
Good morning Mr.. It's my turn, hehe.
Could you analyze this log for me, please?
Oh, how do you hide it (with that "show" thing), so the page doesn't end up huge?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:43:46, on 25/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
C:\Arquivos de programas\Bonjour\mDNSResponder.exe
C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
C:\Arquivos de programas\Java\jre6\bin\jqs.exe
C:\ARQUIV~1\AVG\AVG8\avgrsx.exe
C:\Arquivos de programas\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
C:\Arquivos de programas\VMware\VMware Server\vmware-authd.exe
C:\WINDOWS\Explorer.EXE
C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exe
C:\WINDOWS\system32\vmnat.exe
C:\Arquivos de programas\Zope-2.9.0\bin\PythonService.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\ARQUIV~1\AVG\AVG8\avgemc.exe
C:\Arquivos de programas\Zope-2.9.0\bin\python.exe
C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\ARQUIV~1\AVG\AVG8\avgtray.exe
C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Arquivos de programas\Java\jre6\bin\jusched.exe
C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
C:\Arquivos de programas\AVG\AVG8\avgcsrvx.exe
C:\Arquivos de programas\VMware\VMware Server\vmserverdWin32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Arquivos de programas\Microsoft Office\Office12\EXCEL.EXE
C:\ARQUIV~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Informática\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = &http://home.microsoft.com/intl/br/access/allinone.asp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.camaracampinas.sp.gov.br/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - Default URLSearchHook is missing
O1 - Hosts: 69.162.118.164 santander.com.br
O1 - Hosts: 69.162.118.165 www.itau.com.br
O1 - Hosts: 69.162.118.165 itau.com.br
O1 - Hosts: 69.162.118.165 www.itaupersonnalite.com.br
O1 - Hosts: 69.162.118.165 itaupersonnalite.com.br
O1 - Hosts: 69.162.118.165 www.itauprivatebank.com.br
O1 - Hosts: 69.162.118.165 itauprivatebank.com.br
O1 - Hosts: 69.162.118.166 www.bradesco.com.br
O1 - Hosts: 69.162.118.166 bradesco.com.br
O1 - Hosts: 69.162.118.166 www.bradescoprime.com.br
O1 - Hosts: 69.162.118.163 www.nossacaixa.com.br
O1 - Hosts: 69.162.118.163 nossacaixa.com.br
O1 - Hosts: 69.162.118.167 infobusca.informarketing.com
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\S-1-5-21-776561741-1935655697-1417001333-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-21-776561741-1935655697-1417001333-1003 Startup: BrOffice.org 3.0.lnk = C:\Arquivos de programas\BrOffice.org 3\program\quickstart.exe (User '?')
O4 - S-1-5-21-776561741-1935655697-1417001333-1003 Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe (User '?')
O4 - S-1-5-21-776561741-1935655697-1417001333-1003 Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe (User '?')
O4 - Startup: BrOffice.org 3.0.lnk = C:\Arquivos de programas\BrOffice.org 3\program\quickstart.exe
O4 - Startup: RocketDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\RocketDock\RocketDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat 2\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\ARQUIV~1\Microsoft Office\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Arquivos de programas\Bonjour\mDNSResponder.exe
O23 - Service: Aplicativo de sistema COM+ (COMSysApp) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Serviço administrativo do gerenciador de disco lógico (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: Compartilhamento remoto da área de trabalho do NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Gerenciador de sessão de ajuda de área de trabalho remota (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: QoS RSVP (RSVP) - Unknown owner - C:\WINDOWS\system32\rsvp.exe
O23 - Service: Cartão inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: MS Software Shadow Copy Provider (SwPrv) - Unknown owner - C:\WINDOWS\system32\dllhost.exe
O23 - Service: Telnet (TlntSvr) - Unknown owner - C:\WINDOWS\system32\tlntsvr.exe
O23 - Service: Sistema de alimentação ininterrupta (UPS) - Unknown owner - C:\WINDOWS\System32\ups.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Arquivos de programas\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Adaptador de desempenho WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Serviço de Compartilhamento de Rede do Windows Media Player (WMPNetworkSvc) - Unknown owner - C:\Arquivos de programas\Windows Media Player\WMPNetwk.exe
O23 - Service: Zope instance at C:\Zope-Instance (Zope_-1444516661) - Unknown owner - C:\Arquivos de programas\Zope-2.9.0\bin\PythonService.exe

--
End of file - 12646 bytes
 
Hello everyone, good afternoon to all!


вяυиασ 1988, follow the instructions in the spoiler below:

- Download IceSword and save it to the desktop.

- Extract the files from the zip to the desktop and close all open windows.
- Run the IceSword.exe file as administrator.
- When the tool's window opens, click the "Kernel Module" button on the left-hand side.
- Wait for the file listing and then click the button
j0up8o.jpg
(located at the top right of the program).
- Save the report on your desktop as KernelFiles.txt.

Post this log in your next reply, вяυиασ 1988.
_______________________________________


Rhyrioth, my friend, follow the instructions below:

Select and copy the text below. Paste it into Notepad and save it on the desktop as CFScript.txt

Code:
Folder::
C:\FOUND.000
File::
c:\windows\system32\37.scr
c:\windows\system32\drivers\sysdrv32.VIR
Reboot::
Drag the CFScript onto ComboFix as in the image below and wait for the tool to run automatically:

CFScript.gif


● If prompted, press Enter to start the removal process;
● Do not use the mouse or keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may be restarted automatically. If that does not happen, restart it manually.

In your next reply, paste the ComboFix.txt and a new HijackThis log.
_______________________________________


Hey Tello, my friend, your log shows banker Trojans. This kind of virus captures passwords typed on the PC and sends them to the cracker who created it, in order to steal them. I recommend that, for now, you do not access MSN, Orkut, Internet Banking (above all) or any site or program that requires entering personal data such as passwords, and that after the viruses are removed you change all your passwords.
However, the bankers on your computer are new ones, Tello, and use the well-known technique called BanHost (where the viruses also modify the system's hosts file, adding malicious entries).

This new banker was spread through the OI carrier's SMS ("torpedo") page (a problem we have already fixed, but which infected many users before we did), Tello. Did you happen to visit that site a few days ago? See more information at the link below; the virus on your computer is exactly the one described there:

http://www.linhadefensiva.org/2009/05/pagina-de-torpedos-web-da-oi-e-invadida-para-distribuir-virus/

Follow the instructions below, Tello:

- Download HostsXpert and save it to the desktop;
- Extract the file to your desktop and run HostsXpert.exe;
- Click the Restore MS Hosts Files button and close the program.


- Download BankerFix and save it to the desktop;

● Temporarily disable your antivirus so it does not detect the tool as a virus;
● Double-click bankerfix.exe;
● A message will appear saying that it will be downloaded over the internet;
● Click OK > OK. Press Enter and wait for the scan to finish;
● When the scan finishes, read the message on screen and press Enter again.
● A log will be generated at C:\LinhaDefensiva\relatorio.txt.

Paste this log in your next reply, together with a new HijackThis log.

Delete the C:\LinhaDefensiva folder after pasting your log here.
Oh, how do you hide it (with that "show" thing), so the page doesn't end up huge?
Just put your text inside spoiler tags, Tello. To do that: type the tag [!spoiler] (without the exclamation mark "!", which I only added so the explanation wouldn't be hidden) and type your text. At the end, type the tag [/spoiler] and you're done.
If you use the advanced reply in the topic, just click the button
r8s3zp.jpg
(located next to the Google, YouTube... buttons). :thumbs_up
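As an added example (not part of the original thread, and not one of the Linha Defensiva tools mentioned above), here is a small Python check for the "BanHost" hijack described in the reply to Tello: it parses either a raw hosts file or the `O1 - Hosts:` lines of a HijackThis log and flags every entry that points a hostname at a routable address instead of a loopback/sinkhole address. The sample lines are constructed for this example, modelled on the O1 entries in the log posted above; the `ads.example.test` entry and the grouping heuristic are assumptions added to show the benign case and the "many bank domains, one external IP" pattern.

```python
"""
Detect hosts-file hijacks of the "BanHost" kind: a banker trojan adds entries
to the system hosts file so that bank domains resolve to an address it controls.

Added example, not from the original thread. Sample inputs below are constructed,
modelled on the HijackThis O1 lines posted in the thread.
"""
import ipaddress
import re

# Entries that every Windows hosts file legitimately carries.
LEGITIMATE = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}

# Constructed hosts-file content (the bank entries mirror the posted log).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
69.162.118.164  santander.com.br
69.162.118.165  www.itau.com.br
69.162.118.165  itau.com.br
69.162.118.166  www.bradesco.com.br
0.0.0.0         ads.example.test   # ad-blocking entry, benign (assumed)
"""

# Constructed HijackThis lines in the same shape as the log above.
SAMPLE_HJT = """\
O1 - Hosts: 69.162.118.164 santander.com.br
O1 - Hosts: 69.162.118.163 www.nossacaixa.com.br
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""

HJT_O1 = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")


def parse_hosts(text):
    """Yield (ip, hostname) pairs from raw hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]        # one IP may carry several names
        for name in names:
            yield ip, name.lower()


def parse_hijackthis_o1(text):
    """Yield (ip, hostname) pairs from HijackThis 'O1 - Hosts:' lines only."""
    for line in text.splitlines():
        m = HJT_O1.match(line.strip())
        if m:
            yield m.group(1), m.group(2).lower()


def is_sinkhole(ip):
    """True for loopback/unspecified addresses (127.x, ::1, 0.0.0.0): these
    cannot redirect traffic to a third party, so they are the usual ad-block
    sinkholes rather than hijacks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                           # malformed address: keep it flagged
    return addr.is_loopback or addr.is_unspecified


def find_hijacks(entries):
    """Return entries mapping a hostname to a routable address. Any such line
    silently overrides DNS for that name and deserves review."""
    return [(ip, name) for ip, name in entries
            if (ip, name) not in LEGITIMATE and not is_sinkhole(ip)]


def group_by_ip(hijacks):
    """Group flagged hostnames by target address: several unrelated bank
    domains sharing one external IP is the banker signature seen in the log."""
    groups = {}
    for ip, name in hijacks:
        groups.setdefault(ip, []).append(name)
    return groups


if __name__ == "__main__":
    for label, entries in (("hosts file", parse_hosts(SAMPLE_HOSTS)),
                           ("HijackThis O1", parse_hijackthis_o1(SAMPLE_HJT))):
        for ip, names in group_by_ip(find_hijacks(entries)).items():
            print(f"[{label}] {ip} <- {', '.join(names)}")
```

On a live machine the same check would be run over `%SystemRoot%\system32\drivers\etc\hosts`; restoring the Microsoft default file (as HostsXpert does in the instructions above) is the fix, and the flagged IPs are what you would block at the perimeter and hand to the bank's abuse contact.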
 
вяυиασ 1988, follow the instructions in the spoiler below:

- Download IceSword and save it to the desktop.

- Extract the files from the zip to the desktop and close all open windows.
- Run the IceSword.exe file as administrator.
- When the tool's window opens, click the "Kernel Module" button on the left-hand side.
- Wait for the file listing and then click the button
j0up8o.jpg
(located at the top right of the program).
- Save the report on your desktop as KernelFiles.txt.

Post this log in your next reply, вяυиασ 1988.

Mr wolf, here it is.......
man, what an annoying virus, huh????
If possible, I'd like to know more about this virus....
Does it steal passwords and stuff like that?? What's its name again?? Is it a rootkit or something???

THANKS.....

Kernel Module:

\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
intelide.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
pcmcia.sys
dmio.sys
ACPIEC.sys
\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
speedfan.sys
sisperf.sys
sisidex.sys
fltMgr.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
giveio.sys
gagp30kx.sys
\SystemRoot\System32\DRIVERS\processr.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\gameenum.sys
\SystemRoot\system32\drivers\ctlsb16.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\upkkscr.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\s3legacy.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\dc21x4.sys
\SystemRoot\system32\drivers\usbfoot.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\DRIVERS\asusrx25.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\tsavt.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\s3legacy.dll
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\socketlock.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
\SystemRoot\system32\DRIVERS\sr.sys
\SystemRoot\System32\Drivers\IsDrv122.sys
\WINDOWS\system32\ntdll.dll


:yes:
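The Kernel Module listing above is what the helper reads to spot the rootkit driver among dozens of legitimate ones. As an added example (not code from the thread, from IceSword or from catchme), here is a Python triage script that applies the same path heuristics to that listing and moves to the top any module that catchme also reported as hidden; the sample input is constructed from lines quoted in the thread, and the small system32 allowlist is an assumption.

```python
import re
from typing import List, NamedTuple, Set

# Constructed sample: a subset of the IceSword "Kernel Module" listing posted
# above, covering the four path spellings the tool emits (bare name,
# \WINDOWS\..., \SystemRoot\... and \??\C:\...).
SAMPLE_KERNEL_MODULES = r"""
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\upkkscr.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\ati2dvag.dll
\??\C:\WINDOWS\system32\socketlock.sys
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
\SystemRoot\System32\Drivers\IsDrv122.sys
\WINDOWS\system32\ntdll.dll
"""

# Constructed from the "scanning hidden files" section of the catchme log
# quoted earlier in the thread.
SAMPLE_CATCHME_HIDDEN = r"""
C:\WINDOWS\system32\upkkscr.sys 227996 bytes executable
"""

# Kernel-mode .sys images that legitimately live in system32 itself rather
# than in system32\drivers on Windows XP (assumption: a short allowlist is
# enough for triage; anything else found there deserves a look).
EXPECTED_SYSTEM32_SYS = {"win32k.sys", "watchdog.sys"}


class Finding(NamedTuple):
    module: str
    path: str
    reason: str


def normalize(path: str) -> str:
    """Map IceSword's path spellings onto a lowercase C:\\WINDOWS-rooted form."""
    p = path.strip()
    if p.startswith("\\??\\"):
        p = p[4:]                      # \??\C:\... is already a full Win32 path
    elif p.lower().startswith("\\systemroot\\"):
        p = "C:\\WINDOWS" + p[len("\\systemroot"):]
    elif p.startswith("\\"):
        p = "C:" + p                   # \WINDOWS\... is relative to the boot volume
    else:
        # Bare names are boot-start drivers, loaded from system32\drivers.
        p = "C:\\WINDOWS\\system32\\drivers\\" + p
    return p.lower()


def triage(listing: str) -> List[Finding]:
    """Flag kernel modules whose load path is unusual for a stock XP box."""
    findings = []
    for raw in listing.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        path = normalize(raw)
        directory, _, name = path.rpartition("\\")
        if raw.startswith("\\??\\"):
            # Explicit Win32 path: the driver was registered by hand (or by a
            # tool), not picked up from the normal driver directories.
            reason = "loaded by explicit \\??\\ path"
            if "\\temp\\" in path or "\\docume~1\\" in path:
                reason = "loaded from a user-writable temp/profile directory"
            findings.append(Finding(name, path, reason))
        elif (name.endswith(".sys") and directory == "c:\\windows\\system32"
              and name not in EXPECTED_SYSTEM32_SYS):
            findings.append(Finding(
                name, path, ".sys image in system32 root, not system32\\drivers"))
    return findings


def parse_catchme_hidden(text: str) -> Set[str]:
    """Collect the paths catchme reported as hidden from the Win32 API."""
    hidden = set()
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]:\\\S+)\s+\d+ bytes", line.strip())
        if m:
            hidden.add(m.group(1).lower())
    return hidden


def prioritize(findings: List[Finding], hidden: Set[str]) -> List[Finding]:
    """Put modules that are both oddly placed and hidden at the top of the list."""
    top = [f._replace(reason=f.reason + "; also hidden from the Win32 API")
           for f in findings if f.path in hidden]
    rest = [f for f in findings if f.path not in hidden]
    return top + rest


if __name__ == "__main__":
    ranked = prioritize(triage(SAMPLE_KERNEL_MODULES),
                        parse_catchme_hidden(SAMPLE_CATCHME_HIDDEN))
    for f in ranked:
        print(f"{f.module:16} {f.reason}\n    {f.path}")
```

catchme.sys shows up because the scanner loads its own driver from the Temp folder while it runs, which is why the analyst dismisses that line; upkkscr.sys is the one that is both oddly placed and hidden.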
 
Hello everyone, good afternoon!

Friend Rhyrioth, follow the instructions below:

Select and copy the text below. Paste it into Notepad and save it to the desktop as CFScript.txt

Code:
Folder::
C:\FOUND.000
File::
c:\windows\system32\37.scr
c:\windows\system32\drivers\sysdrv32.VIR
Reboot::

Drag the CFScript onto ComboFix as in the image below and wait for the tool to run automatically:

(image: CFScript.gif)


● If prompted, press Enter to start the removal process;
● Do not use the mouse or keyboard while ComboFix is running;
● When it finishes, a new log will be generated at C:\ComboFix.txt;
● Your computer may restart automatically. If it does not, restart it manually.

In your next reply, paste ComboFix.txt and a new HijackThis log.
_______________________________________

Steps followed; here are the new logs:
ComboFix 09-05-25.09 - Raphael 26/05/2009 10:14.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.55.1046.18.895.518 [GMT -3:00]
Executando de: c:\documents and settings\Raphael\Desktop\ComboFix.exe
Comandos utilizados :: c:\documents and settings\Raphael\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\system32\37.scr"
"c:\windows\system32\drivers\sysdrv32.VIR"
.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.000
c:\found.000\FILE0000.CHK
c:\windows\system32\37.scr
c:\windows\system32\drivers\sysdrv32.VIR

.
(((((((((((((((( Arquivos/Ficheiros criados de 2009-04-26 to 2009-05-26 ))))))))))))))))))))))))))))
.

2009-05-25 16:39 . 2009-05-25 16:39 -------- d-----w c:\documents and settings\Raphael\Dados de aplicativos\Skinux
2009-05-25 16:34 . 2001-09-06 02:50 5632 ----a-w c:\windows\system32\ptpusb.dll
2009-05-25 16:34 . 2008-04-13 22:20 159232 ----a-w c:\windows\system32\ptpusd.dll
2009-05-25 16:34 . 2008-04-13 14:45 15104 ----a-w c:\windows\system32\drivers\usbscan.sys
2009-05-25 16:34 . 2008-04-13 14:45 15104 ----a-w c:\windows\system32\dllcache\usbscan.sys
2009-05-25 16:32 . 2009-05-25 16:32 -------- d-----w c:\arquivos de programas\Arquivos comuns\Kodak
2009-05-25 16:25 . 2008-05-02 13:26 466944 ------w c:\windows\system32\imapi2fs.dll
2009-05-25 16:25 . 2008-05-02 13:26 466944 ------w c:\windows\system32\dllcache\imapi2fs.dll
2009-05-25 16:25 . 2008-05-02 13:26 318464 ------w c:\windows\system32\imapi2.dll
2009-05-25 16:25 . 2008-05-02 13:26 318464 ------w c:\windows\system32\dllcache\imapi2.dll
2009-05-25 16:25 . 2008-05-02 10:49 62976 ------w c:\windows\system32\dllcache\cdrom.sys
2009-05-25 16:25 . 2009-05-25 16:25 -------- d-----w c:\arquivos de programas\Kodak
2009-05-25 16:25 . 2009-05-25 16:25 77824 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2009-05-25 16:24 . 2009-05-25 16:25 225280 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\wtf\finish.exe
2009-05-25 16:22 . 2009-05-25 16:22 30720 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\fwork\netfw.exe
2009-05-25 16:18 . 2009-05-25 16:22 23510720 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\fwork\dotnetfx.exe
2009-05-25 16:18 . 2009-05-25 16:18 45056 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
2009-05-25 16:17 . 2009-05-25 16:18 225280 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\wtf\start.exe
2009-05-25 16:17 . 2009-05-25 16:17 1187840 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\$SETUP_1e0001_43873b\EasyShrx.Dll
2009-05-25 16:17 . 2008-10-30 15:56 2295184 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\$SETUP_1e0001_43873b\Setup.exe
2009-05-25 16:17 . 2009-05-25 16:17 114688 ----a-w c:\documents and settings\All Users\Dados de aplicativos\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_7.9.30.1.dll
2009-05-25 16:17 . 2009-05-25 16:17 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Kodak
2009-05-22 11:57 . 2009-05-22 11:57 -------- d-----w C:\KillBox
2009-05-21 20:51 . 2009-05-21 20:52 -------- d-----w C:\LinhaDefensiva
2009-05-21 14:59 . 2009-05-21 14:59 579072 ----a-w c:\windows\system32\dllcache\user32.dll
2009-05-20 11:47 . 2009-05-20 11:47 -------- d-----w c:\arquivos de programas\Trend Micro
2009-05-19 13:43 . 2000-03-01 05:06 59492 ----a-w c:\windows\system32\EBPMON2.DLL
2009-05-19 13:43 . 2009-05-19 13:43 -------- d-----w c:\arquivos de programas\Arquivos comuns\EPSON
2009-05-19 13:43 . 1999-07-19 13:27 203776 ----a-w c:\windows\system32\EBAPI.dll
2009-05-19 13:43 . 1999-07-16 04:01 100864 ----a-w c:\windows\system32\ebpthp.dll
2009-05-19 13:43 . 1998-04-03 20:15 108032 ----a-w c:\windows\system32\EBUtil.dll
2009-05-19 11:50 . 2008-04-13 22:20 21504 ----a-w c:\windows\system32\hidserv.dll
2009-05-19 11:50 . 2008-04-13 22:20 21504 ----a-w c:\windows\system32\dllcache\hidserv.dll
2009-05-19 11:49 . 2008-04-13 14:45 32128 ----a-w c:\windows\system32\drivers\usbccgp.sys
2009-05-19 11:49 . 2008-04-13 14:45 32128 ----a-w c:\windows\system32\dllcache\usbccgp.sys
2009-05-15 14:19 . 2009-05-15 14:19 -------- d--h--w c:\arquivos de programas\Scpad
2009-05-14 16:07 . 2009-05-14 16:07 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-13 14:30 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-05-13 14:30 . 2009-02-09 11:25 2193280 ------w c:\windows\system32\dllcache\ntoskrnl.exe
2009-05-13 14:30 . 2009-03-06 14:20 286208 ------w c:\windows\system32\dllcache\pdh.dll
2009-05-13 14:30 . 2009-02-09 11:25 111104 ------w c:\windows\system32\dllcache\services.exe
2009-05-13 14:30 . 2009-02-09 10:53 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-05-13 14:30 . 2009-02-09 10:53 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-05-13 14:30 . 2009-02-09 10:53 683520 ------w c:\windows\system32\dllcache\advapi32.dll
2009-05-13 14:30 . 2009-02-09 10:53 731648 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-05-13 14:30 . 2009-02-09 10:53 730624 ------w c:\windows\system32\dllcache\ntdll.dll
2009-05-13 14:30 . 2009-02-09 10:53 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-13 14:30 . 2009-02-09 11:25 2149376 ------w c:\windows\system32\dllcache\ntkrnlmp.exe
2009-05-13 14:30 . 2009-02-09 11:25 2028032 ------w c:\windows\system32\dllcache\ntkrpamp.exe
2009-05-13 14:29 . 2008-04-21 21:15 216064 ------w c:\windows\system32\dllcache\wordpad.exe
2009-05-13 14:28 . 2008-12-11 10:57 333952 ------w c:\windows\system32\dllcache\srv.sys
2009-05-13 14:26 . 2008-10-24 11:21 455296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2009-05-13 14:26 . 2008-09-04 17:16 1106944 ------w c:\windows\system32\dllcache\msxml3.dll
2009-05-13 14:26 . 2008-10-15 16:36 337408 ------w c:\windows\system32\dllcache\netapi32.dll
2009-05-13 14:25 . 2008-05-01 14:36 331776 ------w c:\windows\system32\dllcache\msadce.dll
2009-05-13 14:25 . 2008-04-11 19:05 691712 ------w c:\windows\system32\dllcache\inetcomm.dll
2009-05-13 14:24 . 2008-05-09 10:55 90112 ------w c:\windows\system32\dllcache\wshext.dll
2009-05-13 14:24 . 2008-05-09 10:55 180224 ------w c:\windows\system32\dllcache\scrobj.dll
2009-05-13 14:24 . 2008-05-09 10:55 172032 ------w c:\windows\system32\dllcache\scrrun.dll
2009-05-13 14:24 . 2008-05-09 08:45 135168 ------w c:\windows\system32\dllcache\cscript.exe
2009-05-13 14:24 . 2008-05-08 11:24 155648 ------w c:\windows\system32\dllcache\wscript.exe
2009-05-13 14:24 . 2008-06-14 17:34 272384 ------w c:\windows\system32\dllcache\bthport.sys
2009-05-13 14:24 . 2008-05-08 14:02 203136 ------w c:\windows\system32\dllcache\rmcast.sys
2009-05-13 14:11 . 2008-09-10 01:15 1307648 ----a-w c:\windows\system32\msxml6.dll
2009-05-13 14:11 . 2008-09-10 01:15 1307648 ------w c:\windows\system32\dllcache\msxml6.dll
2009-05-13 14:11 . 2008-04-13 21:58 86016 ------w c:\windows\system32\msxml6r.dll
2009-05-13 14:11 . 2008-04-13 21:58 86016 ------w c:\windows\system32\dllcache\msxml6r.dll
2009-05-13 14:04 . 2009-05-13 14:04 -------- d-----w c:\windows\ServicePackFiles
2009-05-13 14:03 . 2008-04-13 22:20 294912 ------w c:\windows\system32\dllcache\dlimport.exe
2009-05-13 13:54 . 2009-05-13 13:54 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-13 13:53 . 2009-05-13 13:53 -------- d-----w c:\windows\EHome
2009-05-13 13:50 . 2009-05-13 13:50 -------- d-----r c:\documents and settings\LocalService\Favoritos
2009-05-13 13:37 . 2009-05-13 13:37 -------- d-sh--w c:\documents and settings\Raphael\IECompatCache
2009-05-13 13:34 . 2009-05-13 13:34 -------- d-sh--w c:\documents and settings\Raphael\PrivacIE
2009-05-13 13:33 . 2009-05-13 13:33 -------- d-sh--w c:\documents and settings\Raphael\IETldCache
2009-05-13 13:25 . 2009-05-13 13:25 -------- d-----w c:\windows\ie8updates
2009-05-13 13:22 . 2009-05-13 13:22 -------- d--h--w c:\windows\ie8
2009-05-13 13:22 . 2009-05-13 13:22 -------- d-----w c:\windows\system32\pt-BR
2009-05-13 13:17 . 2009-04-25 05:30 102400 ------w c:\windows\system32\dllcache\iecompat.dll
2009-05-13 12:28 . 2005-04-06 14:30 26752 ----a-w c:\windows\system32\drivers\ipfnd51.sys
2009-05-13 11:49 . 2009-01-07 21:21 26144 ----a-w c:\windows\system32\spupdsvc.exe
2009-05-12 20:52 . 2009-05-12 20:52 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!
2009-05-12 20:49 . 2009-05-12 20:50 -------- d-----w c:\arquivos de programas\Lavalys
2009-05-12 19:25 . 2009-05-25 20:46 1 ----a-w c:\documents and settings\Raphael\Dados de aplicativos\BrOffice.org\3\user\uno_packages\cache\stamp.sys
2009-05-12 19:25 . 2009-05-12 19:25 -------- d-----w c:\documents and settings\Raphael\Dados de aplicativos\BrOffice.org
2009-05-12 18:36 . 2008-10-16 17:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-12 18:36 . 2008-10-16 17:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-05-12 18:33 . 2009-05-12 18:33 -------- d-----w c:\arquivos de programas\Messenger Plus! Live
2009-05-12 18:32 . 2009-05-12 18:32 -------- d-sh--w c:\documents and settings\Raphael\UserData
2009-05-12 18:27 . 2009-05-12 18:27 -------- d-----w c:\arquivos de programas\BrOffice.org 3
2009-05-12 17:52 . 2009-05-12 17:52 -------- d-----w c:\arquivos de programas\winsic
2009-05-12 17:41 . 2009-05-12 17:41 -------- d-----w c:\documents and settings\Raphael\Dados de aplicativos\Tibia
2009-05-12 17:41 . 2009-05-12 17:41 -------- d-----w c:\arquivos de programas\Tibia
2009-05-12 17:01 . 2009-05-12 17:01 -------- d-----w c:\documents and settings\Raphael\Dados de aplicativos\Foxit
2009-05-12 17:01 . 2009-05-12 17:01 -------- d-----w c:\arquivos de programas\Foxit Software
2009-05-12 16:57 . 2009-05-12 16:57 -------- d-----w c:\documents and settings\Raphael\Contacts
2009-05-12 14:55 . 1997-04-18 14:53 298496 ----a-w c:\windows\unin0416.exe
2009-05-12 14:55 . 2009-05-12 14:55 -------- d-----w c:\documents and settings\Raphael\WINDOWS
2009-05-12 14:55 . 2009-05-12 14:55 -------- d-----w C:\LXKZ600
2009-05-12 14:54 . 2009-05-12 14:54 -------- d-----w c:\windows\system32\DRVSTORE
2009-05-12 14:38 . 2009-05-12 14:38 -------- d-sh--w c:\arquivos de programas\Arquivos comuns\WindowsLiveInstaller
2009-05-12 14:37 . 2009-05-12 14:37 -------- d-----w c:\arquivos de programas\Windows Live
2009-05-12 14:37 . 2009-05-12 14:37 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\WLInstaller
2009-05-12 14:03 . 2009-03-30 13:33 96104 ----a-w c:\windows\system32\drivers\avipbb.sys
2009-05-12 14:03 . 2009-03-24 19:08 55640 ----a-w c:\windows\system32\drivers\avgntflt.sys
2009-05-12 14:03 . 2009-02-13 15:29 22360 ----a-w c:\windows\system32\drivers\avgntmgr.sys
2009-05-12 14:03 . 2009-02-13 15:17 45416 ----a-w c:\windows\system32\drivers\avgntdd.sys
2009-05-12 14:03 . 2009-05-12 14:03 -------- d-----w c:\documents and settings\All Users\Dados de aplicativos\Avira
2009-05-12 14:03 . 2009-05-12 14:03 -------- d-----w c:\arquivos de programas\Avira
2009-05-12 13:41 . 2009-05-12 13:41 0 ----a-w c:\windows\nsreg.dat
2009-05-12 13:13 . 2009-05-12 13:13 -------- d-----w c:\windows\nview
2009-05-12 13:13 . 2008-05-02 14:46 442368 ----a-w c:\windows\system32\nvudisp.exe
2009-05-12 13:11 . 2009-05-12 13:11 -------- d-----w c:\arquivos de programas\Arquivos comuns\InstallShield
2009-05-12 12:55 . 2008-03-25 03:48 54400 ----a-r c:\windows\system32\drivers\NVENETFD.sys
2009-05-12 12:55 . 2008-03-25 03:47 200704 ----a-r c:\windows\system32\fdco1ins.dll
2009-05-12 12:55 . 2008-03-25 03:47 200704 ----a-r c:\windows\system32\fdco1.dll
2009-05-12 12:55 . 2008-03-12 04:14 3948 ----a-r c:\windows\system32\drivers\nvphy.bin
2009-05-12 12:55 . 2008-03-14 02:47 442368 ----a-w c:\windows\system32\nvunrm.exe
2009-05-12 12:55 . 2008-03-25 03:48 22016 ----a-r c:\windows\system32\drivers\nvnetbus.sys
2009-05-12 12:55 . 2008-03-25 03:47 953088 ----a-r c:\windows\system32\drivers\nvnrm.sys
2009-05-12 12:55 . 2008-03-25 03:46 9216 ----a-r c:\windows\system32\bdco1ins.dll
2009-05-12 12:55 . 2008-03-25 03:46 9216 ----a-r c:\windows\system32\bdco1.dll
2009-05-12 12:55 . 2008-03-14 02:47 35840 ----a-r c:\windows\system32\nvconrm.dll
2009-05-12 12:55 . 2008-01-10 06:30 442368 ----a-r c:\windows\system32\nvusmb.exe
2009-05-12 12:55 . 2008-05-08 18:57 446464 ----a-w c:\windows\system32\NVUNINST.EXE

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-25 16:32 . 2006-03-02 15:00 67232 ----a-w c:\windows\system32\perfc016.dat
2009-05-25 16:32 . 2006-03-02 15:00 425072 ----a-w c:\windows\system32\perfh016.dat
2009-05-12 13:09 . 2009-05-12 07:26 76487 ----a-w c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-05-12 07:39 . 2009-05-12 07:39 -------- d-----w c:\arquivos de programas\Arquivos comuns\Borland Shared
2009-05-12 07:27 . 2009-05-12 07:27 -------- d-----w c:\arquivos de programas\microsoft frontpage
2009-05-12 07:25 . 2009-05-12 07:25 -------- d-----w c:\arquivos de programas\Serviços on-line
2009-05-12 07:23 . 2009-05-12 07:23 -------- d-----w c:\arquivos de programas\Arquivos comuns\Serviços
2009-05-12 07:22 . 2009-05-12 07:22 21844 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-08 07:34 . 2006-03-02 15:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 07:34 . 2006-03-02 15:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 07:33 . 2006-03-02 15:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 07:33 . 2006-03-02 15:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 07:32 . 2006-03-02 15:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 07:32 . 2006-03-02 15:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 07:31 . 2006-03-02 15:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 07:31 . 2006-03-02 15:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 07:31 . 2006-03-02 15:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 07:22 . 2006-03-02 15:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:20 . 2006-03-02 15:00 286208 ----a-w c:\windows\system32\pdh.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-05-25_12.13.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2006-12-02 03:08 . 2006-12-02 03:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80KOR.dll
+ 2006-12-02 03:08 . 2006-12-02 03:08 49152 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80JPN.dll
+ 2006-12-02 03:08 . 2006-12-02 03:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ITA.dll
+ 2006-12-02 03:08 . 2006-12-02 03:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80FRA.dll
+ 2006-12-02 03:08 . 2006-12-02 03:08 61440 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ESP.dll
+ 2006-12-02 03:08 . 2006-12-02 03:08 57344 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80ENU.dll
+ 2006-12-02 03:08 . 2006-12-02 03:08 65536 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80DEU.dll
+ 2006-12-02 03:08 . 2006-12-02 03:08 45056 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHT.dll
+ 2006-12-02 03:08 . 2006-12-02 03:08 40960 c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_91481303\mfc80CHS.dll
+ 2006-12-02 03:26 . 2006-12-02 03:26 57856 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80u.dll
+ 2006-12-02 03:25 . 2006-12-02 03:25 69632 c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\mfcm80.dll
+ 2006-12-02 01:56 . 2006-12-02 01:56 96256 c:\windows\WinSxS\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_cbb27474\ATL80.dll
+ 2009-05-25 16:26 . 2009-05-25 16:26 82432 c:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
+ 2006-03-02 15:00 . 2009-05-25 16:32 58596 c:\windows\system32\perfc009.dat
+ 2005-09-23 10:28 . 2005-09-23 10:28 32768 c:\windows\system32\netfxperf.dll
+ 2003-04-18 19:29 . 2003-04-18 19:29 82432 c:\windows\system32\msxml4r.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 74240 c:\windows\system32\mscories.dll
- 2006-03-02 15:00 . 2008-04-13 14:40 62976 c:\windows\system32\drivers\cdrom.sys
+ 2006-03-02 15:00 . 2008-05-02 10:49 62976 c:\windows\system32\drivers\cdrom.sys
+ 2005-09-23 10:28 . 2005-09-23 10:28 83456 c:\windows\system32\dfshim.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 28160 c:\windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 71680 c:\windows\Microsoft.NET\Framework\v2.0.50727\TLBREF.DLL
+ 2005-09-23 10:28 . 2005-09-23 10:28 86016 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Web.RegularExpressions.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 47616 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.EnterpriseServices.Thunk.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.Design.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\System.Configuration.Install.dll
+ 2005-09-23 10:29 . 2005-09-23 10:29 85504 c:\windows\Microsoft.NET\Framework\v2.0.50727\ShFusRes.dll
+ 2005-09-23 10:29 . 2005-09-23 10:29 59072 c:\windows\Microsoft.NET\Framework\v2.0.50727\regtlibv12.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 53248 c:\windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 78336 c:\windows\Microsoft.NET\Framework\v2.0.50727\PerfCounter.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 14848 c:\windows\Microsoft.NET\Framework\v2.0.50727\normalization.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 96440 c:\windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
+ 2005-09-23 10:29 . 2005-09-23 10:29 22528 c:\windows\Microsoft.NET\Framework\v2.0.50727\MUI\0409\mscorsecr.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 10240 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscortim.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 66240 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 67072 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorsec.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 81408 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorld.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscorie.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 73216 c:\windows\Microsoft.NET\Framework\v2.0.50727\mscordbc.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 69632 c:\windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 87552 c:\windows\Microsoft.NET\Framework\v2.0.50727\MmcAspExt.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 12800 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 32768 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Vsa.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.VisualBasic.Vsa.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 73728 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Utilities.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft.Build.Framework.dll
+ 2005-09-23 09:36 . 2005-09-23 09:36 85504 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.3082.dll
+ 2005-09-23 09:29 . 2005-09-23 09:29 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.3076.dll
+ 2005-09-23 09:47 . 2005-09-23 09:47 84480 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.2070.dll
+ 2005-09-23 09:30 . 2005-09-23 09:30 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.2052.dll
+ 2005-09-23 09:47 . 2005-09-23 09:47 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1055.dll
+ 2005-09-23 09:47 . 2005-09-23 09:47 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1053.dll
+ 2005-09-23 09:47 . 2005-09-23 09:47 82432 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1049.dll
+ 2005-09-23 09:47 . 2005-09-23 09:47 82432 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1046.dll
+ 2005-09-23 09:46 . 2005-09-23 09:46 83456 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1045.dll
+ 2005-09-23 09:46 . 2005-09-23 09:46 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1044.dll
+ 2005-09-23 09:46 . 2005-09-23 09:46 83456 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1043.dll
+ 2005-09-23 09:44 . 2005-09-23 09:44 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1042.dll
+ 2005-09-23 09:42 . 2005-09-23 09:42 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1041.dll
+ 2005-09-23 09:40 . 2005-09-23 09:40 84480 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1040.dll
+ 2005-09-23 09:40 . 2005-09-23 09:40 83968 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1038.dll
+ 2005-09-23 09:40 . 2005-09-23 09:40 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1037.dll
+ 2005-09-23 09:38 . 2005-09-23 09:38 86016 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1036.dll
+ 2005-09-23 09:38 . 2005-09-23 09:38 81408 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1035.dll
+ 2005-09-23 06:46 . 2005-09-23 06:46 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1033.dll
+ 2005-09-23 09:36 . 2005-09-23 09:36 87552 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1032.dll
+ 2005-09-23 09:34 . 2005-09-23 09:34 85504 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1031.dll
+ 2005-09-23 09:34 . 2005-09-23 09:34 81920 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1030.dll
+ 2005-09-23 09:34 . 2005-09-23 09:34 82944 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1029.dll
+ 2005-09-23 09:32 . 2005-09-23 09:32 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1028.dll
+ 2005-09-23 09:29 . 2005-09-23 09:29 80896 c:\windows\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.res.1025.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 40960 c:\windows\Microsoft.NET\Framework\v2.0.50727\jsc.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 72192 c:\windows\Microsoft.NET\Framework\v2.0.50727\ISymWrapper.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 55296 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtilLib.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 28672 c:\windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\IEHost.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 52736 c:\windows\Microsoft.NET\Framework\v2.0.50727\dfdll.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 31936 c:\windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 68608 c:\windows\Microsoft.NET\Framework\v2.0.50727\CustomMarshalers.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 17920 c:\windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 13312 c:\windows\Microsoft.NET\Framework\v2.0.50727\cscompmgd.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 76984 c:\windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 88576 c:\windows\Microsoft.NET\Framework\v2.0.50727\CORPerfMonExt.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 29888 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_wp.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 29896 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 26824 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regiis.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 13824 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_regbrowsers.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 70656 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_rc.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 23552 c:\windows\Microsoft.NET\Framework\v2.0.50727\Aspnet_perf.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_filter.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 36864 c:\windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 55488 c:\windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
+ 2005-09-23 10:28 . 2005-09-23 10:28 87552 c:\windows\Microsoft.NET\Framework\v2.0.50727\alink.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 10752 c:\windows\Microsoft.NET\Framework\v2.0.50727\Accessibility.dll
+ 2005-09-23 10:28 . 2005-09-23 10:28 18944 c:\windows\Microsoft.NET\Framework\v2.0.50727\1033\alinkui.dll
.
-- Snapshot resetado para data atual --
.
(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\arquivos de programas\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-05-02 13529088]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-05-02 86016]
"avgnt"="c:\arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2008-05-02 1630208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\All Users\Menu Iniciar\Programas\Inicializar\
EPSON Status Monitor 3 Environment Check.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV03.EXE [2000-2-3 222720]
Software Kodak EasyShare.lnk - c:\arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe [2008-10-30 282624]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\livecall.exe"=

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\arquivos de programas\Avira\AntiVir Desktop\sched.exe [12/5/2009 11:03 108289]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt [12/5/2009 17:50 26224]
S3 ip100xp;ENCORE 10/100Mbps Fast Ethernet PCI Adapter NT Driver;c:\windows\system32\drivers\ipfnd51.sys [13/5/2009 09:28 26752]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Scan Suplementar -------
.
uStart Page = about:blank
FF - ProfilePath - c:\documents and settings\Raphael\Dados de aplicativos\Mozilla\Firefox\Profiles\wzktma3t.default\

---- FIREFOX POLICIES ----
c:\arquivos de programas\Mozilla Firefox\defaults\pref\firefox-l10n.js - pref("browser.fixup.alternate.suffix", ".com.br");
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-05-26 10:17
Windows 5.1.2600 Service Pack 3 FAT NTAPI

Procurando processos ocultos ...

Procurando entradas auto inicializáveis ocultas ...

Procurando ficheiros/arquivos ocultos ...

Varredura completada com sucesso
arquivos/ficheiros ocultos: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\c:\arquivos de programas\Lavalys\EVEREST Ultimate Edition\kerneld.wnt"
.
--------------------- DLLs Carregadas Sob os Processos em Execução ---------------------

- - - - - - - > 'explorer.exe'(2864)
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\arquivos de programas\Scpad\scpLIB.dll
c:\arquivos de programas\Scpad\scpMIB.dll
c:\arquivos de programas\Scpad\sshib.dll
.
------------------------ Outros Processos em Execução ------------------------
.
c:\windows\SYSTEM32\LEXBCES.EXE
c:\windows\SYSTEM32\LEXPPS.EXE
c:\arquivos de programas\AVIRA\ANTIVIR DESKTOP\AVGUARD.EXE
c:\windows\SYSTEM32\NVSVC32.EXE
c:\windows\SYSTEM32\WSCNTFY.EXE
c:\windows\SYSTEM32\RUNDLL32.EXE
.
**************************************************************************
.
Tempo para conclusão: 2009-05-26 10:20 - Máquina reiniciou
ComboFix-quarantined-files.txt 2009-05-26 13:20
ComboFix3.txt 2009-05-25 12:15
ComboFix2.txt 2009-05-25 12:28

Pré-execução: 2.369.708.032 bytes disponíveis
Pós execução: 2.401.632.256 bytes disponíveis


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:37, on 26/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Messenger\msmsgs.exe
C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Arquivos de programas\winsic\sic.exe
C:\Arquivos de programas\Windows Live\Messenger\msnmsgr.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Arquivos de programas\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: CompSegIB - {2E3C3651-B19C-4DD9-A979-901EC3E930AF} - C:\Arquivos de programas\Scpad\scpsssh2.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avgnt] "C:\Arquivos de programas\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Arquivos de programas\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Software Kodak EasyShare.lnk = C:\Arquivos de programas\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O22 - SharedTaskScheduler: scpLIB - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Arquivos de programas\Avira\AntiVir Desktop\avguard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4241 bytes
 
I'm back, man...

BankerFix log
BankerFix 3.0 VALKYRIE - Removedor de Bankers
Linha Defensiva | http://www.linhadefensiva.org
http://www.linhadefensiva.org/bankerfix/
-------------------------------------------------------
Data: 2009-05-26 - 11:32
-------------------------------------------------------
Lista de Definição: 2009-05-04-2 | CORE: 2009-01-21-1
=======================================================



----- End -------------------------

and the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:12, on 26/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Arquivos de programas\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrador\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: Facilitador de Leitor de Link Adobe PDF - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Arquivos de programas\Arquivos comuns\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Arquivos de programas\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Arquivos de programas\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Arquivos de programas\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Arquivos de programas\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Arquivos de programas\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Arquivos de programas\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Arquivos de programas\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARQUIV~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Arquivos de programas\Messenger\msmsgs.exe
O14 - IERESET.INF: SEARCH_PAGE_URL=&http://home.microsoft.com/intl/br/access/allinone.asp
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Arquivos de programas\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\ARQUIV~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Dados de aplicativos\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Arquivos de programas\Arquivos comuns\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Arquivos de programas\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Arquivos de programas\Java\jre6\bin\jqs.exe
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Arquivos de programas\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Arquivos de programas\Arquivos comuns\Ahead\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Arquivos de programas\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Arquivos de programas\CyberLink\Shared Files\RichVideo.exe
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Server\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware Virtual Mount Manager Extended (vmount2) - VMware, Inc. - C:\Arquivos de programas\Arquivos comuns\VMware\VMware Virtual Image Editing\vmount2.exe
O23 - Service: VMware Registration Service (vmserverdWin32) - VMware, Inc. - C:\Arquivos de programas\VMware\VMware Server\vmserverdWin32.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe
O23 - Service: Zope instance at C:\Zope-Instance (Zope_-1444516661) - Unknown owner - C:\Arquivos de programas\Zope-2.9.0\bin\PythonService.exe

--
End of file - 6982 bytes


Am I clean now?!!??
Man, one day I'll learn these tricks; I tried to understand the HijackThis log but couldn't.. hahaha

cheers
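Reading a HijackThis log by hand is exactly what Tello says he could not do. The script below is an added example for this thread; it is not part of any post here and it is not HijackThis or Linha Defensiva code. It splits a HijackThis 2.0.2 log into its section codes (R0/R1, O2, O4, O20-O23) and flags the entries the helpers in this thread look at first: BHOs whose DLL is gone, Run entries given as a bare filename, the Winlogon/Explorer hook sections, and services with no publisher or a missing binary. The sample lines are copied from the logs posted above; the review rules are my own assumptions, and a flagged line is a pointer for a human to check, not a verdict.

```python
"""Triage a Trend Micro HijackThis 2.0.2 log.

Added example for this thread; not part of the original posts and not code
from HijackThis.  The section codes and the "(no file)", "(file missing)"
and "Unknown owner" markers are what HijackThis prints; the heuristics
are the reviewer's own and only select lines for a human to look at.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# "O23 - Service: ..." -> code="O23", body="Service: ..."
LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# Shell/winlogon hook sections: rare on a clean box, always worth a look.
HOOK_SECTIONS = {
    "O20": "Winlogon Notify / AppInit DLL loaded into every session",
    "O21": "ShellServiceObjectDelayLoad DLL loaded by Explorer",
    "O22": "SharedTaskScheduler DLL loaded by Explorer",
}

# Constructed sample: lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Arquivos de programas\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\ARQUIV~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: CompIBBrd - {A3717295-941D-416F-9384-ED1736729F1C} - C:\Arquivos de programas\Scpad\scpLIB.dll
O23 - Service: MySQL - Unknown owner - C:\Arquivos.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


@dataclass
class Finding:
    code: str
    reason: str
    line: str


@dataclass
class Triage:
    by_section: Dict[str, List[str]] = field(default_factory=dict)
    findings: List[Finding] = field(default_factory=list)


def _run_command(body: str) -> str:
    """For an O4 Run entry, return the command after the [name] tag, else ''."""
    m = re.search(r"\] (.+)$", body)
    return m.group(1).strip() if m else ""


def review(code: str, body: str) -> List[str]:
    """Per-section heuristics; returns the reasons this entry deserves a look."""
    reasons: List[str] = []
    if code == "O2" and body.endswith("(no file)"):
        reasons.append("BHO CLSID still registered but its DLL is gone")
    if code == "O4":
        cmd = _run_command(body)
        # A bare image name is resolved through PATH at logon, so the file
        # that actually runs cannot be told from the log alone.
        if cmd and re.fullmatch(r"[\w.-]+", cmd):
            reasons.append("Run entry is a bare filename resolved via PATH")
    if code in HOOK_SECTIONS:
        reasons.append(HOOK_SECTIONS[code])
    if code == "O23":
        if "Unknown owner" in body:
            reasons.append("service binary carries no publisher information")
        if body.endswith("(file missing)"):
            reasons.append("service ImagePath points at a missing file")
    return reasons


def triage(log_text: str) -> Triage:
    """Parse every 'Xnn - ...' line, bucket it by section, and collect findings."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:  # banner, "Running processes", process paths, blank lines
            continue
        code, body = m.group("code"), m.group("body")
        t.by_section.setdefault(code, []).append(line)
        for reason in review(code, body):
            t.findings.append(Finding(code, reason, line))
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for f in result.findings:
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

On the sample, the script flags the orphaned O2 BHO, the bare `RTHDCPL.EXE` Run entry, the O20 and O21 hook DLLs, and the MySQL service twice (no owner and missing file); the NVIDIA service and the Java BHO pass. That matches the helpers' verdict that these logs are clean apart from leftovers worth a glance.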
 
Hello everyone, good afternoon!


I'd like, if possible, to know more about this virus....
Does it steal passwords and that sort of thing?? What's its name again?? Is this a rootkit???

вяυиασ 1988, rootkits don't steal passwords; they can install malware that does, but they themselves don't. Rootkits are malware that use techniques to camouflage malicious software. That is, once a rootkit is on your system, it can hide itself and/or hide other pests from your antivirus, anti-spyware, etc., making it impossible to detect, depending on how long it has been on the machine. Rootkits can also install backdoors so that a cracker can take full control of your system, and keyloggers to steal passwords. In short: rootkits monitor all Windows calls, and a rootkit can make the anti-rootkit tool or antivirus believe a file was renamed/removed when it wasn't; what's more, these malware hide under legitimate processes and, worst of all, run at kernel level - that fact alone means the analysis deserves twice the attention! Luckily we've already managed to stop the rootkit from being loaded into legitimate processes. Now the fight is to remove the rootkit itself!

If you want to know more, just search Google for Rootkits. ;)

Follow the steps in the spoiler below, вяυиασ 1988:

- Open IceSword again, click the File > Setting menu and check the following options: Donot display Deleting process, Forbid all process/thread creating and Enhanced reg keys writing (dangerous) > OK.
- Click Kernel Module.

NOTE: Pay close attention now, friend вяυиασ 1988! If you select and check the wrong process, you will damage your system.

- Right-click each of the processes listed below (one at a time) and click the Refresh button. Right after that, select one process at a time and click the button shown in the attached screenshot [image: 2eed5hx.jpg] (also located at the top right of the tool, next to the Log button you pressed earlier).

\SystemRoot\system32\upkkscr.sys
\SystemRoot\system32\drivers\usbfoot.sys
\SystemRoot\System32\DRIVERS\asusrx25.sys
\SystemRoot\system32\DRIVERS\tsavt.sys

- Click OK > Yes on the messages that appear.
- After that, click the File > Reboot and Monitor menu. Your computer will restart automatically; just wait!
- After it boots again, open IceSword, click Kernel Module and then Log to save the report.

Post the new report in your next reply, вяυиασ 1988.
_____________________________________


Friend Rhyrioth, your logs are clean :)

Go to Start > Run, type ComboFix /u and click OK to remove the tool. Delete the folders C:\LinhaDefensiva and C:\!KillBox.

Any problem still, Rhyrioth?

_____________________________________


Tello, we're not done yet...

Follow the instructions below, friend Tello:

- Download ComboFix and save it to the desktop;

● Temporarily disable your antivirus so it doesn't detect the tool as a virus;
● Double-click the combofix.exe icon to start the scan;
● Read the agreement that appears and click Yes to continue;
● A Recovery Console window will open; click Yes to install it. If another Console window appears, click OK > Yes;
● Wait while ComboFix scans;
● If a problem occurs during the scan, restart your computer in Safe Mode and repeat the procedure;
Do not click in the ComboFix window and try not to use the keyboard either, so as not to disturb the tool's scan;
● If you want to exit or stop ComboFix, press N;
● When it finishes, your computer will restart. After the restart, the tool will run again; wait;
● A log will be generated at C:\ComboFix.txt.

Paste this log in your next reply.
 
PC squeaky clean, no Avira alerts for a while now!
Thanks once again brother :D

If you need anything, anything at all, feel free to send me a PM!
 
Man, I was even scared to do what you told me there....
Like, being extremely careful to click the right file and not damage the PC....
I almost paid for a bus ticket for you to come over here and click the right file for me hahahahaha........
Ahhh thanks for the explanation of this virus man, what a *** huh???? I didn't even know a virus like this existed........ how did I manage to catch one of these *****????
Here's the new log it gave.....

Thanks.......

Kernel Module:

\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
\WINDOWS\system32\KDCOM.DLL
\WINDOWS\system32\BOOTVID.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
pci.sys
isapnp.sys
compbatt.sys
\WINDOWS\system32\DRIVERS\BATTC.SYS
intelide.sys
pciide.sys
\WINDOWS\system32\DRIVERS\PCIIDEX.SYS
MountMgr.sys
ftdisk.sys
dmload.sys
pcmcia.sys
dmio.sys
ACPIEC.sys
\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
PartMgr.sys
VolSnap.sys
atapi.sys
disk.sys
\WINDOWS\system32\DRIVERS\CLASSPNP.SYS
speedfan.sys
sisperf.sys
sisidex.sys
fltMgr.sys
KSecDD.sys
Ntfs.sys
NDIS.sys
Mup.sys
giveio.sys
gagp30kx.sys
\SystemRoot\System32\DRIVERS\processr.sys
\SystemRoot\system32\DRIVERS\ati2mtag.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\DRIVERS\USBPORT.SYS
\SystemRoot\system32\DRIVERS\usbehci.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\imapi.sys
\SystemRoot\system32\DRIVERS\i8042prt.sys
\SystemRoot\system32\DRIVERS\kbdclass.sys
\SystemRoot\system32\DRIVERS\SynTP.sys
\SystemRoot\system32\DRIVERS\USBD.SYS
\SystemRoot\system32\DRIVERS\mouclass.sys
\SystemRoot\system32\DRIVERS\serial.sys
\SystemRoot\system32\DRIVERS\serenum.sys
\SystemRoot\system32\DRIVERS\fdc.sys
\SystemRoot\system32\DRIVERS\parport.sys
\SystemRoot\system32\DRIVERS\gameenum.sys
\SystemRoot\system32\drivers\ctlsb16.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\upkkscr.sys
\SystemRoot\system32\drivers\drmk.sys
\SystemRoot\system32\drivers\ks.sys
\SystemRoot\system32\DRIVERS\cdrom.sys
\SystemRoot\system32\DRIVERS\s3legacy.sys
\SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
\SystemRoot\system32\DRIVERS\dc21x4.sys
\SystemRoot\system32\DRIVERS\audstub.sys
\SystemRoot\system32\DRIVERS\rasl2tp.sys
\SystemRoot\system32\DRIVERS\ndistapi.sys
\SystemRoot\system32\DRIVERS\ndiswan.sys
\SystemRoot\system32\DRIVERS\raspppoe.sys
\SystemRoot\system32\DRIVERS\raspptp.sys
\SystemRoot\system32\DRIVERS\TDI.SYS
\SystemRoot\system32\DRIVERS\psched.sys
\SystemRoot\system32\DRIVERS\msgpc.sys
\SystemRoot\system32\DRIVERS\ptilink.sys
\SystemRoot\system32\DRIVERS\raspti.sys
\SystemRoot\system32\DRIVERS\rdpdr.sys
\SystemRoot\system32\DRIVERS\termdd.sys
\SystemRoot\system32\DRIVERS\swenum.sys
\SystemRoot\system32\DRIVERS\update.sys
\SystemRoot\system32\DRIVERS\mssmbios.sys
\SystemRoot\System32\Drivers\NDProxy.SYS
\SystemRoot\system32\DRIVERS\flpydisk.sys
\SystemRoot\System32\Drivers\Fs_Rec.SYS
\SystemRoot\System32\Drivers\Null.SYS
\SystemRoot\System32\Drivers\Beep.SYS
\SystemRoot\System32\drivers\vga.sys
\SystemRoot\System32\Drivers\mnmdd.SYS
\SystemRoot\System32\DRIVERS\RDPCDD.sys
\SystemRoot\System32\Drivers\Msfs.SYS
\SystemRoot\System32\Drivers\Npfs.SYS
\SystemRoot\system32\DRIVERS\rasacd.sys
\SystemRoot\system32\DRIVERS\ipsec.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\system32\DRIVERS\netbt.sys
\SystemRoot\System32\drivers\afd.sys
\SystemRoot\system32\DRIVERS\netbios.sys
\SystemRoot\system32\DRIVERS\rdbss.sys
\SystemRoot\system32\DRIVERS\mrxsmb.sys
\SystemRoot\System32\Drivers\Fips.SYS
\SystemRoot\system32\DRIVERS\ipnat.sys
\SystemRoot\System32\Drivers\Cdfs.SYS
\SystemRoot\System32\Drivers\dump_atapi.sys
\SystemRoot\System32\Drivers\dump_WMILIB.SYS
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\watchdog.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\System32\drivers\Dxapi.sys
\SystemRoot\System32\drivers\dxg.sys
\SystemRoot\System32\drivers\dxgthk.sys
\SystemRoot\System32\s3legacy.dll
\SystemRoot\system32\DRIVERS\wanarp.sys
\SystemRoot\system32\DRIVERS\ndisuio.sys
\SystemRoot\system32\DRIVERS\mrxdav.sys
\SystemRoot\System32\Drivers\ParVdm.SYS
\SystemRoot\system32\DRIVERS\srv.sys
\SystemRoot\system32\drivers\wdmaud.sys
\SystemRoot\system32\drivers\sysaudio.sys
\SystemRoot\System32\Drivers\HTTP.sys
\??\C:\WINDOWS\system32\socketlock.sys
\SystemRoot\System32\ati2dvag.dll
\SystemRoot\System32\ati2cqag.dll
\SystemRoot\System32\atikvmag.dll
\SystemRoot\System32\ati3duag.dll
\SystemRoot\System32\ativvaxx.dll
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
\SystemRoot\system32\DRIVERS\sr.sys
\SystemRoot\System32\Drivers\IsDrv122.sys
\WINDOWS\system32\ntdll.dll
 
Most of the rootkits were removed successfully by IceSword, except that damn Goldun.Fam (upkkscr.sys).

Is the blue screen problem still happening, вяυиασ 1988? I'm asking to see whether it's really upkkscr.sys that's causing it - which I'm almost certain it is - but if the blue screen no longer occurs when opening programs, the culprits were the rootkits that were removed earlier with IceSword.

- Download Rootkit Hook Analyzer and install the program normally.

- After installation, run the SanityCheck program (icon created by the tool on the desktop) as administrator.
- Click the Analyze button to start the scan and wait!
- When the scan finishes, click the "Expert Mode" button and select the Drivers tab.
- Find and double-click the file upkkscr.sys. A window called Details will open containing information about the process.
- In that window, click the Copy to clipboard button to copy the information.
- Open Notepad, press Ctrl + V to paste the information and save the file with a .txt extension on your desktop, with whatever name you prefer.

Paste this report in your next reply, вяυиασ 1988.
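The reasoning in the reply above (which of the unloaded drivers survived the reboot, and why upkkscr.sys still stands out in the list) can be run mechanically over the Kernel Module listing. The script below is an added example for this thread; it is not part of any post and not IceSword or GMER code. The sample listing is a subset of the log posted above, the set of drivers expected to be gone is the four named in the IceSword step, and the rules about where legitimate XP drivers live (system32\drivers rather than system32, \SystemRoot-relative rather than \??\ absolute paths, nothing under Temp) are my own assumptions that select modules for review rather than prove anything about them.

```python
"""Triage an IceSword "Kernel Module" listing after a driver unload/reboot.

Added example for this thread; not part of the original posts and not code
from IceSword or GMER.  Two questions: which drivers we asked IceSword to
unload are still loaded, and which loaded modules look out of place.
The load-path rules are the reviewer's own assumptions for XP SP3.
"""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Kernel components that legitimately live in system32\ rather than
# system32\drivers\ (assumption: XP SP3 defaults).
SYSTEM32_ROOT_OK = {"win32k.sys", "watchdog.sys"}

# "...\system32\<name>.sys" with nothing between system32 and the file.
SYSTEM32_ROOT_SYS = re.compile(r"\\system32\\([^\\]+\.sys)$")


@dataclass
class Module:
    path: str
    name: str
    flags: List[str]


def classify(path: str) -> Module:
    """Attach review flags to one module path from the listing."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    flags: List[str] = []
    if low.startswith("\\??\\"):
        # \??\ is the object-manager alias for the DOS-devices namespace, so the
        # image was referenced by an absolute Win32 path (a full ImagePath or a
        # manual load) rather than the usual \SystemRoot-relative service path.
        flags.append("loaded from an absolute DOS path")
        if "\\temp\\" in low:
            flags.append("image lives in a Temp directory")
    m = SYSTEM32_ROOT_SYS.search(low)
    if m and m.group(1) not in SYSTEM32_ROOT_OK:
        flags.append("driver placed directly in system32, not system32\\drivers")
    return Module(path, name, flags)


def triage(listing: str, expected_gone: Set[str]) -> Tuple[List[Module], List[str]]:
    """Return (modules with review flags, drivers that should be gone but are loaded)."""
    modules = [classify(line.strip()) for line in listing.splitlines() if line.strip()]
    flagged = [m for m in modules if m.flags]
    loaded = {m.name for m in modules}
    still_loaded = sorted(loaded & {n.lower() for n in expected_gone})
    return flagged, still_loaded


# Constructed sample: a subset of the Kernel Module log posted above.
SAMPLE_LISTING = r"""
\WINDOWS\system32\ntoskrnl.exe
\WINDOWS\system32\hal.dll
ACPI.sys
\WINDOWS\system32\DRIVERS\WMILIB.SYS
giveio.sys
\SystemRoot\system32\DRIVERS\usbuhci.sys
\SystemRoot\system32\drivers\portcls.sys
\SystemRoot\system32\upkkscr.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\watchdog.sys
\??\C:\WINDOWS\system32\socketlock.sys
\SystemRoot\System32\ati2dvag.dll
\??\C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\catchme.sys
\SystemRoot\System32\Drivers\IsDrv122.sys
\WINDOWS\system32\ntdll.dll
"""

# The four drivers the IceSword step above told the user to unload.
EXPECTED_GONE = {"upkkscr.sys", "usbfoot.sys", "asusrx25.sys", "tsavt.sys"}


if __name__ == "__main__":
    flagged, still = triage(SAMPLE_LISTING, EXPECTED_GONE)
    for m in flagged:
        print(m.path + "\n    " + "\n    ".join(m.flags))
    print("still loaded after reboot:", ", ".join(still) or "none")
```

On the sample this reports exactly what the helper concluded: of the four drivers sent for unloading only upkkscr.sys is still in the list, and the modules worth a second look are upkkscr.sys (a .sys dropped straight into system32), socketlock.sys (absolute path and system32 root) and catchme.sys (absolute path under Temp, which is expected here because it is the GMER tool's own driver, so flags need a human behind them).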
 
