Win32/Alureon.BF [Solved]


  • This topic is locked

#1
Icaro Freire

    Member

  • Member
  • 39 posts
Hello fellows,

First, apologies for my bad English :) but my problem is: I was downloading some cracks for a game, and one was a virus, and the worst part, I knew it, the antivirus (Avira) warned me and I ignored it...

Now my PC is infected. Avira recognizes Alureon.BF in the running processes, and when it finishes the scan it tells me that "the following processes are infected: svchost.exe, delete or ignore?". If I say delete, Windows reboots... I tried to install Mbam.exe, but I did not succeed... and it doesn't let me restore Windows. I tried other antivirus and antispyware programs and cleaners, but nothing solved my problem... even in safe mode... Now I need your professional help...


Sorry for my bad English, again :)

#2
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

I was downloading some cracks for a game, and one was a virus, and the worst part, I knew it, the antivirus (Avira) warned me and I ignored it...

OK, now you know how to get infected. Let's see if we can remove it.

I will need you to run three programmes for me and post the resulting logs.

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on [image] to insert the attachment into your post



THEN

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

http://sites.google....rotantirootkit/

Unzip it into a folder on your desktop.

Start the Sysprot.exe program.

  • Click on the Log tab.
  • In the Write to log box select all items.
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new Window should appear.
  • Make sure Scan all drives is selected and click on the Start button.
  • When it is complete a new Window will appear to indicate that the scan is finished.
  • The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

FINALLY

Please save this file to your desktop. Double-click on it to run a scan. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please open it with notepad and post the contents here.

#3
Icaro Freire

    Member

  • Topic Starter
  • Member
  • 39 posts
Thanks for helping.

Attached File  OTS.Txt   174.95KB   239 downloads

I downloaded the SysProt Antirootkit, but it doesn't go any further than step 3... it never opened this new window.

And here is the log of the third program... I guess there's something wrong...


-----------------
Log file is located at: C:\Documents and Settings\Administrador\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...





Finished!
-----------------

What should I do now?

#4
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
OK, there is more than one way to skin a cat.

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\] > -> HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\"{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{A057A204-BACC-4D26-9990-79A187E2698E}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\WINDOWS\system32\drivers\svchost.exe" -> C:\WINDOWS\System32\drivers\svchost.exe [C:\WINDOWS\system32\drivers\svchost.exe:*:Disabled:WinRAR archiver]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{9550a262-3c0e-11dd-9cac-000feaa47e46} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9550a262-3c0e-11dd-9cac-000feaa47e46}\Shell\auto\command -> 
YN -> \{9550a262-3c0e-11dd-9cac-000feaa47e46}\Shell\auto\command\\"" -> G:\explorer.exe [G:\explorer.exe]
[Files/Folders - Created Within 30 Days]
NY -> Sysvxd.exe -> C:\WINDOWS\Sysvxd.exe
NY -> CddbCdda.dll -> C:\WINDOWS\System32\CddbCdda.dll
[Alternate Data Streams]
NY -> @Alternate Data Stream - 204 bytes -> C:\WINDOWS\System32\drivers:GbpKmAp.lst
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

Then re-run OTS, and in the custom scan section paste the following and click Run Scan:

netsvcs
%SYSTEMDRIVE%\*.exe
%systemroot%\system32\eventlog.dll
%systemroot%\system32\scecli.dll
%systemroot%\netlogon.dll
%systemroot%\system32\cngaudit.dll
%systemroot%\system32\sceclt.dll
%systemroot%\ntelogon.dll
%systemroot%\system32\logevent.dll


Attach the resultant OTS log.

Then

We need to check for rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive.
  • Open RootRepeal.exe on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

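The OTS fix in the reply above removes four kinds of indicator: a svchost.exe copy living in System32\drivers, a firewall exception for that copy, a MountPoints2 autorun handler pointing at G:\explorer.exe, and an alternate data stream on the drivers folder. As an added, read-only audit (example code, not part of the thread and not an OTS or RootRepeal feature), the PowerShell below reports the same four classes on a machine so they can be reviewed before anything is deleted; it assumes PowerShell 3.0 or later, an elevated prompt, and an allow-list of svchost.exe locations that may need adjusting for the OS in use.

```powershell
# Added example, not from the thread or from OTS: a read-only audit of the
# four indicator classes the OTS fix above removed. Needs PowerShell 3.0+ and
# an elevated prompt; it only reports, nothing is changed.

# 1. svchost.exe outside its legitimate locations. The genuine binary lives in
#    %SystemRoot%\System32 (plus OS-managed backup stores); a copy under
#    System32\drivers, as in the fix, is a masquerade worth pulling for analysis.
function Find-MisplacedSvchost {
    # Allow-list of places the OS itself keeps svchost.exe (assumption, adjust per OS).
    $allowed = '\\System32\\svchost\.exe$', '\\SysWOW64\\svchost\.exe$',
               '\\System32\\dllcache\\', '\\ServicePackFiles\\', '\\WinSxS\\'
    Get-ChildItem -Path $env:SystemRoot -Filter 'svchost.exe' -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $f = $_.FullName; -not ($allowed | Where-Object { $f -match $_ }) } |
        Select-Object FullName, Length, LastWriteTime
}

# 2. Windows Firewall exception lists. The fix removed an exception for
#    drivers\svchost.exe; entries pointing into a drivers folder, or at a file
#    that no longer exists, are the ones to review.
function Get-SuspiciousFirewallExceptions {
    foreach ($fwProfile in 'StandardProfile', 'DomainProfile') {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\' +
               "$fwProfile\AuthorizedApplications\List"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Value data has the form "C:\path\app.exe:*:Enabled:Description"
            $raw  = [string]$item.GetValue($name)
            $path = [Environment]::ExpandEnvironmentVariables(($raw -split ':\*:')[0])
            $reason = if ($path -match '\\drivers\\') { 'registered from a drivers folder' }
                      elseif (-not (Test-Path -LiteralPath $path)) { 'registered file no longer exists' }
            if ($reason) {
                [pscustomobject]@{ Profile = $fwProfile; Path = $path; Reason = $reason }
            }
        }
    }
}

# 3. Per-device autorun handlers. The fix removed a MountPoints2\{guid}\Shell\auto\command
#    value pointing at G:\explorer.exe; a bare executable at a drive root is the
#    classic autorun.inf worm pattern. Every command stored here is listed for review.
function Get-MountPointCommands {
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -eq 'command' } |
        ForEach-Object {
            $cmd = [string]$_.GetValue('')          # the (Default) value holds the command line
            [pscustomobject]@{
                Key       = $_.Name
                Command   = $cmd
                DriveRoot = [bool]($cmd -match '^"?[A-Za-z]:\\[^\\"]+\.exe')   # heuristic flag
            }
        }
}

# 4. Alternate data streams on the drivers folder and the files in it. The fix
#    deleted drivers:GbpKmAp.lst; :$DATA is the ordinary content stream, anything
#    else is data that no normal directory listing shows.
function Get-DriverFolderStreams {
    $dir = Join-Path $env:SystemRoot 'System32\drivers'
    @(Get-Item -LiteralPath $dir) + @(Get-ChildItem -LiteralPath $dir -File -Force) |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

'== svchost.exe outside its known locations ==';        Find-MisplacedSvchost            | Format-Table -AutoSize
'== firewall exceptions to review ==';                  Get-SuspiciousFirewallExceptions | Format-Table -AutoSize
'== MountPoints2 shell commands ==';                    Get-MountPointCommands           | Format-Table -AutoSize
'== alternate data streams under System32\drivers =='; Get-DriverFolderStreams          | Format-Table -AutoSize
```

Anything it lists is a lead for review, not a verdict: the drivers-folder stream removed in this thread, for instance, belongs to a banking plugin that also appears in the later ComboFix log, so confirm ownership of each hit before removing it.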

#5
Icaro Freire

    Member

  • Topic Starter
  • Member
  • 39 posts
OK... I don't know what 'to skin a cat' means, but whatever... :) Here in Brazil, we say: if you don't have a dog, hunt with your cat... I guess it's the same thing :)

Here's the log of OTS; it rebooted my machine and then gave me the log:

----------
All Processes Killed
[Registry - Safe List]
Registry value HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}\ not found.
Registry value HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{90B8B761-DF2B-48AC-BBE0-BCC03A819B3B}\ not found.
Registry value HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{A057A204-BACC-4D26-9990-79A187E2698E} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A057A204-BACC-4D26-9990-79A187E2698E}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\WINDOWS\system32\drivers\svchost.exe deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9550a262-3c0e-11dd-9cac-000feaa47e46}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9550a262-3c0e-11dd-9cac-000feaa47e46}\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9550a262-3c0e-11dd-9cac-000feaa47e46}\Shell\auto\command\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9550a262-3c0e-11dd-9cac-000feaa47e46}\Shell\auto\command not found.
[Files/Folders - Created Within 30 Days]
C:\WINDOWS\Sysvxd.exe moved successfully.
C:\WINDOWS\System32\CddbCdda.dll unregistered successfully.
C:\WINDOWS\System32\CddbCdda.dll moved successfully.
[Alternate Data Streams]
ADS C:\WINDOWS\System32\drivers:GbpKmAp.lst deleted successfully.
[Empty Temp Folders]


User: Administrador
->Temp folder emptied: 8843240 bytes
->Temporary Internet Files folder emptied: 5014779 bytes
->Java cache emptied: 3042892 bytes
->FireFox cache emptied: 48237753 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6927891 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Configurações locais\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 33170 bytes

%systemdrive% .tmp files removed: 0 bytes
C:\WINDOWS\msdownld.tmp folder deleted successfully.
%systemroot% .tmp files removed: 2134186 bytes
%systemroot%\System32 .tmp files removed: 1601817 bytes
Windows Temp folder emptied: 1146876 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 73,45 mb

< End of fix log >
OTS by OldTimer - Version 3.0.10.3 fix logfile created on 08312009_125521

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
---------------

Now the OTS log:

Attached File  OTS.Txt   135.4KB   169 downloads

And now the RootRepeal report:

Attached File  RootRepeal.txt   36.7KB   126 downloads

I hope that I'm doing everything right :) Thanks again.

Edited by Icaro Freire, 31 August 2009 - 10:33 AM.


#6
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
You are doing well :)

Here in Brazil, we say: if you don't have a dog, hunt with your cat... I guess it's the same thing

It is :)

OK, I see the rootkit, so it is now time to kill it.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with an OTL log so we can continue cleaning the system.


#7
Icaro Freire

    Member

  • Topic Starter
  • Member
  • 39 posts
Here's Combofix...

Attached File  ComboFix.txt   27.29KB   131 downloads

but did you mean OTL or OTS??

ComboFix 09-08-31.04 - Administrador 01/09/2009 13:24.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.55.1046.18.991.567 [GMT -3:00]
Executando de: c:\documents and settings\Administrador\Desktop\Combo-Fix.exe
AV: Avira AntiVir PersonalEdition *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
* Criado um novo ponto de restauração
.
ADS - drivers: deleted 204 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((( Outras Exclusões )))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\arquivos de programas\ActivationManager
c:\arquivos de programas\ActivationManager\SaveData.dat
c:\arquivos de programas\ActivationManager\Uninstall.exe
c:\windows\Installer\1f577.msi
c:\windows\Installer\1f8853.msp
c:\windows\Installer\218168.msp
c:\windows\Installer\27102.msi
c:\windows\Installer\30149.msp
c:\windows\Installer\5222c.msp
c:\windows\system32\drivers\UACtymyrobqji.sys
c:\windows\system32\Plugins
c:\windows\system32\Plugins\ml\ml_pmp_device_Icaro - BASE LIBA.ini
c:\windows\system32\sfcfiles.dll
c:\windows\system32\UACbqmivxtqbd.dat
c:\windows\system32\UACibfvkyajwu.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACrxhostjexm.dat
c:\windows\system32\UACtaswcllnmh.dll
c:\windows\system32\UACuwksiqqpxx.dll
c:\windows\system32\UACxnssiuwidr.dll
c:\windows\system32\UACymxjvwipxu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Serviços )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_UACd.sys


(((((((((((((((( Arquivos/Ficheiros criados de 2009-08-01 to 2009-09-01 ))))))))))))))))))))))))))))
.

2009-08-31 15:55 . 2009-08-31 15:55 -------- d-----w- C:\_OTS
2009-08-29 02:50 . 2009-08-29 04:16 -------- d-----w- C:\573a298383e56b01f2971f12dd8f8a44
2009-08-28 15:57 . 2009-08-28 15:57 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-28 15:57 . 2009-08-28 15:57 32 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-27 04:26 . 2009-08-29 02:31 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\ParetoLogic
2009-08-27 04:26 . 2009-08-29 02:31 -------- d-----w- c:\arquivos de programas\Arquivos comuns\ParetoLogic
2009-08-21 04:47 . 2009-08-21 04:47 -------- d-----w- c:\arquivos de programas\GameVicio
2009-08-21 01:32 . 2009-08-21 01:32 617 ----a-w- c:\windows\eReg.dat
2009-08-21 01:32 . 2009-08-24 02:09 -------- d-----w- c:\arquivos de programas\EA Games
2009-08-12 16:23 . 2009-07-10 13:27 1315328 -c----w- c:\windows\system32\dllcache\msoe.dll
2009-08-06 15:58 . 2009-03-16 21:36 931672 ----a-w- c:\windows\system32\XAudioD2_4.dll
2009-08-06 15:58 . 2009-03-16 21:35 343368 ----a-w- c:\windows\system32\XactEngineD3_4.dll
2009-08-06 15:58 . 2009-03-16 21:35 125768 ----a-w- c:\windows\system32\XAPOFXD1_3.dll
2009-08-06 15:58 . 2009-03-16 21:35 428888 ----a-w- c:\windows\system32\XactEngineA3_4.dll
2009-08-06 15:58 . 2009-03-16 21:35 4280136 ----a-w- c:\windows\system32\D3dx9d_41.dll
2009-08-06 15:58 . 2009-03-16 21:35 358728 ----a-w- c:\windows\system32\dinput8d.dll
2009-08-06 15:58 . 2009-03-16 21:35 45384 ----a-w- c:\windows\system32\X3DAudioD1_6.dll
2009-08-06 15:58 . 2009-03-16 21:36 3795784 ----a-w- c:\windows\system32\d3dx9d_33.dll
2009-08-06 15:58 . 2009-03-16 21:36 3083592 ----a-w- c:\windows\system32\d3d9d.dll
2009-08-06 15:58 . 2009-03-16 21:35 348504 ----a-w- c:\windows\system32\d3dref9.dll
2009-08-06 15:58 . 2009-03-16 21:35 497480 ----a-w- c:\windows\system32\D3DX10d_41.dll
2009-08-06 15:53 . 2009-08-06 15:58 -------- d-----w- c:\arquivos de programas\Microsoft DirectX SDK (March 2009)
2009-08-06 15:53 . 2009-08-06 15:53 118104 ----a-w- c:\windows\dxsdkuninst.exe
2009-08-06 05:01 . 2009-08-28 16:37 1324 ----a-w- c:\windows\system32\d3d9caps.dat

.
((((((((((((((((((((((((((((((((((((( Relatório Find3M ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-01 16:05 . 2009-02-09 01:36 -------- d-----w- c:\arquivos de programas\Mozilla Firefox 3 Beta 3
2009-08-28 15:57 . 2009-08-28 15:57 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-28 15:57 . 2009-08-28 15:57 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-25 07:08 . 2009-07-18 19:24 -------- d-----w- c:\arquivos de programas\sXe Injected
2009-08-25 05:47 . 2009-07-18 19:16 -------- d-----w- c:\arquivos de programas\Valve
2009-08-17 16:04 . 2007-12-15 13:06 -------- d-----w- c:\arquivos de programas\CoolSMS
2009-08-14 16:35 . 2007-12-15 12:41 2568 ----a-w- c:\windows\system32\KGyGaAvL.sys
2009-08-14 15:48 . 2008-05-11 16:56 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Microsoft Help
2009-08-06 20:13 . 2007-12-15 00:07 -------- d--h--w- c:\arquivos de programas\InstallShield Installation Information
2009-08-06 16:19 . 2009-07-09 15:33 -------- d-----w- c:\arquivos de programas\LucasArts
2009-08-05 09:00 . 2004-08-04 03:45 205312 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-02 19:53 . 2008-05-24 20:42 -------- d-----w- c:\arquivos de programas\Microsoft Silverlight
2009-07-29 02:17 . 2009-07-29 02:17 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\Messenger Plus!
2009-07-27 02:04 . 2009-07-27 02:03 -------- d-----w- c:\arquivos de programas\Messenger Plus! Live
2009-07-26 10:36 . 2009-01-18 19:56 83456 ----a-w- c:\documents and settings\All Users\Dados de aplicativos\SpeedBit\DAP\SDCondition.dll
2009-07-23 01:55 . 2009-07-22 01:58 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\Hamachi
2009-07-22 01:58 . 2009-07-22 01:57 -------- d-----w- c:\arquivos de programas\Hamachi
2009-07-22 01:57 . 2009-07-22 01:57 25280 ----a-w- c:\windows\system32\drivers\hamachi.sys
2009-07-19 06:56 . 2009-07-04 04:07 98304 ----a-w- c:\windows\system32CmdLineExt.dll
2009-07-17 19:03 . 2004-08-04 03:45 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-14 02:43 . 2004-08-04 03:45 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-09 23:04 . 2008-11-24 16:04 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\GbPlugin
2009-07-08 20:41 . 2009-07-08 20:41 -------- d-----w- c:\arquivos de programas\FormatFactory
2009-07-07 22:18 . 2009-07-07 22:04 -------- d-----w- c:\documents and settings\Administrador\Dados de aplicativos\DAEMON Tools Lite
2009-07-07 22:16 . 2009-07-07 22:16 -------- d-----w- c:\documents and settings\All Users\Dados de aplicativos\DAEMON Tools Lite
2009-07-07 22:15 . 2009-07-07 22:15 -------- d-----w- c:\arquivos de programas\DAEMON Tools Toolbar
2009-07-07 22:15 . 2009-07-07 22:15 -------- d-----w- c:\arquivos de programas\DAEMON Tools Lite
2009-07-07 22:04 . 2007-12-17 19:15 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-07 21:27 . 2009-07-07 21:27 10134 ----a-r- c:\documents and settings\Administrador\Dados de aplicativos\Microsoft\Installer\{89661B04-C646-4412-B6D3-5E19F02F1F37}\ARPPRODUCTICON.exe
2009-07-06 15:33 . 2009-07-06 15:33 -------- d-----w- c:\arquivos de programas\Openoko Entertainment
2009-07-03 16:59 . 2004-08-04 03:45 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:27 . 2004-08-04 03:45 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:27 . 2004-08-04 03:45 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:27 . 2004-08-04 03:45 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:27 . 2004-08-04 03:45 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:27 . 2004-08-04 03:45 732672 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:27 . 2004-08-04 03:45 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2004-08-04 01:59 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:39 . 2004-08-04 03:45 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:39 . 2001-10-28 15:06 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 10:44 . 2004-08-04 03:45 77824 ----a-w- c:\windows\system32\telnet.exe
2009-06-15 10:44 . 2004-08-04 03:45 81408 ----a-w- c:\windows\system32\tlntsess.exe
2009-06-10 14:14 . 2004-08-04 03:45 85504 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 12:21 . 2007-12-14 16:07 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:15 . 2004-08-04 03:45 132096 ----a-w- c:\windows\system32\wkssvc.dll
2009-06-10 03:39 . 2001-10-28 15:07 83946 ----a-w- c:\windows\system32\perfc016.dat
2009-06-10 03:39 . 2001-10-28 15:07 480144 ----a-w- c:\windows\system32\perfh016.dat
2009-06-03 19:10 . 2004-08-04 03:45 1295872 ----a-w- c:\windows\system32\quartz.dll
.

(((((((((((((((((((((((((( Pontos de Carregamento do Registro )))))))))))))))))))))))))))))))))))))))
.
.
*Nota* entradas vazias e legítimas por defeito não são mostradas.
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Advanced SystemCare 3"="c:\arquivos de programas\IObit\Advanced SystemCare 3\AWC.exe" [2009-05-01 2329936]
"swg"="c:\arquivos de programas\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-15 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="c:\arquivos de programas\Arquivos comuns\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"GrooveMonitor"="c:\arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"SunJavaUpdateSched"="c:\arquivos de programas\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"avgnt"="c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-10-05 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-10-05 114688]
"UnlockerAssistant"="c:\arquivos de programas\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"ISUSScheduler"="c:\arquivos de programas\Arquivos comuns\InstallShield\UpdateService\issch.exe" [2006-03-20 86960]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\Soundman.exe [2005-04-15 77824]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-13 15360]

c:\documents and settings\Administrador\Menu Iniciar\Programas\Inicializar\
Adobe Gamma.lnk - c:\arquivos de programas\Arquivos comuns\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ GbPluginBb]
2009-03-25 14:32 271152 ----a-w- c:\arquivos de programas\GbPlugin\gbieh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"WinampAgent"="c:\arquivos de programas\Winamp\winampa.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Arquivos de programas\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Arquivos de programas\\FrostWire\\FrostWire.exe"=
"c:\\Arquivos de programas\\DAP\\DAP.exe"=
"c:\\Arquivos de programas\\Arquivos comuns\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Arquivos de programas\\FlashGet\\flashget.exe"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Arquivos de programas\\DNA\\btdna.exe"=
"c:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"=
"c:\\Arquivos de programas\\River Past\\Animated GIF Converter and Booster Pack\\VideoCleaner.exe"=
"c:\\WINDOWS\\system32\\rtcshare.exe"=
"c:\\Icaro\\Arquivos\\HQS\\gc\\JKDH\\Flatout 2 WWW.THEREBELS.BIZ BY OWEN09\\Flatout 2 WWW.THEREBELS.BIZ BY OWEN09\\FlatOut2.exe"=
"c:\\Arquivos de programas\\Valve\\hl.exe"=
"c:\\Arquivos de programas\\Valve\\hlds.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"= c:\arquivos de programas\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"= 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Arquivos de programas\\Winamp Remote\\bin\\Orb.exe"= c:\arquivos de programas\Winamp Remote\bin\Orb.exe:*:Enabled:Orb
"c:\\Arquivos de programas\\Winamp Remote\\bin\\OrbTray.exe"= c:\arquivos de programas\Winamp Remote\bin\OrbTray.exe:*:Enabled:OrbTray
"c:\\Arquivos de programas\\Winamp Remote\\bin\\OrbStreamerClient.exe"= c:\arquivos de programas\Winamp Remote\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client
"c:\\Arquivos de programas\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"= c:\arquivos de programas\Macromedia\Dreamweaver 8\Dreamweaver.exe:*:Enabled:Dreamweaver 8
"c:\\Arquivos de programas\\FrostWire\\FrostWire.exe"= c:\arquivos de programas\FrostWire\FrostWire.exe:*:Enabled:LimeWire
"c:\\Arquivos de programas\\DAP\\DAP.exe"= c:\arquivos de programas\DAP\DAP.exe:*:Enabled:Download Accelerator Plus (DAP)
"c:\\Arquivos de programas\\Arquivos comuns\\Ahead\\Nero Web\\SetupX.exe"= c:\arquivos de programas\Arquivos comuns\Ahead\Nero Web\SetupX.exe:*:Enabled:Nero ProductSetup
"c:\\Arquivos de programas\\FlashGet\\flashget.exe"= c:\arquivos de programas\FlashGet\flashget.exe:*:Enabled:Flashget
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\OUTLOOK.EXE"= c:\arquivos de programas\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\GROOVE.EXE"= c:\arquivos de programas\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove
"c:\\Arquivos de programas\\Microsoft Office\\Office12\\ONENOTE.EXE"= c:\arquivos de programas\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote
"c:\\Arquivos de programas\\Windows Live\\Messenger\\msnmsgr.exe"= c:\arquivos de programas\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
"c:\\Arquivos de programas\\Windows Live\\Sync\\WindowsLiveSync.exe"= c:\arquivos de programas\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync
"c:\\Arquivos de programas\\DNA\\btdna.exe"= c:\arquivos de programas\DNA\btdna.exe:*:Enabled:DNA
"c:\\Arquivos de programas\\BitTorrent\\bittorrent.exe"= c:\arquivos de programas\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent
"c:\\Arquivos de programas\\River Past\\Animated GIF Converter and Booster Pack\\VideoCleaner.exe"= c:\arquivos de programas\River Past\Animated GIF Converter and Booster Pack\VideoCleaner.exe:*:Enabled:River Past Animated GIF Converter
"c:\\WINDOWS\\system32\\rtcshare.exe"= c:\windows\system32\rtcshare.exe:*:Enabled:Compartilhamento de aplicativo RTC
"c:\\Icaro\\Arquivos\\HQS\\gc\\JKDH\\Flatout 2 WWW.THEREBELS.BIZ BY OWEN09\\Flatout 2 WWW.THEREBELS.BIZ BY OWEN09\\FlatOut2.exe"= c:\icaro\Arquivos\HQS\gc\JKDH\Flatout 2 WWW.THEREBELS.BIZ BY OWEN09\Flatout 2 WWW.THEREBELS.BIZ BY OWEN09\FlatOut2.exe:*:Enabled:FlatOut2
"c:\\Arquivos de programas\\Valve\\hl.exe"= c:\arquivos de programas\Valve\hl.exe:*:Enabled:Half-Life Launcher
"c:\\Arquivos de programas\\Valve\\hlds.exe"= c:\arquivos de programas\Valve\hlds.exe:*:Enabled:HLDS Launcher

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP"= 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP"= 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP"= 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP"= 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

R0 GbpKm;Gbp KernelMode;c:\windows\system32\drivers\gbpkm.sys [31/1/2009 16:34 26320]
R2 GbpSv;Gbp Service;c:\arquiv~1\GbPlugin\GbpSv.exe [24/11/2008 13:04 52560]
R3 ham50;Intel HaM Data Fax Voice Modem;c:\windows\system32\drivers\ham50.sys [14/12/2007 21:46 365853]
S3 CrystalSysInfo;CrystalSysInfo;c:\arquivos de programas\MediaCoder\SysInfo.sys [25/9/2007 11:59 15152]
S3 SysProtDrv.sys;SysProtDrv.sys;c:\documents and settings\Administrador\desktop\SysProt\SysProtDrv.sys [29/8/2009 16:20 44288]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
Alerter
LmHosts


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Conteúdo da pasta 'Tarefas Agendadas'

2009-09-01 c:\windows\Tasks\GlaryInitialize.job
- c:\arquivos de programas\Glary Utilities\initialize.exe [2008-05-11 14:08]
.
.
------- Scan Suplementar -------
.
uStart Page = hxxp://www.uol.com.br/
IE: c:\arquivos de programas\Software WIDCOMM\Bluetooth\btsendto_ie_ctx.htm
IE: &Clean Traces - c:\arquivos de programas\DAP\Privacy Package\dapcleanerie.htm
IE: &Descarregar tudo com o FlashGet - c:\arquivos de programas\FlashGet\jc_all.htm
IE: &Descarregar utilizando o FlashGet - c:\arquivos de programas\FlashGet\jc_link.htm
IE: &Download with &DAP - c:\arquivos de programas\DAP\dapextie.htm
IE: &Winamp Toolbar Search - c:\documents and settings\All Users\Dados de aplicativos\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
IE: Add to AMV Converter... - c:\arquivos de programas\MP3 Player Utilities 4.05\AMVConverter\grab.html
IE: Download &all with DAP - c:\arquivos de programas\DAP\dapextie2.htm
IE: E&xportar para o Microsoft Excel - c:\arquiv~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: MediaManager tool grab multimedia file - c:\arquivos de programas\MP3 Player Utilities 4.05\MediaManager\grab.html
LSP: c:\windows\system32\INetHTTPFilter.dll
Name-Space Handler: FTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\arquiv~1\DAP\dapie.dll
Name-Space Handler: HTTP\ZDA - {5BFA1DAF-5EDC-11D2-959E-00C00C02DA5E} - c:\arquiv~1\DAP\dapie.dll
DPF: {DB6BF2CD-4F59-4F1C-AA9C-D08C0B61A931} - hxxps://www14.bancobrasil.com.br/plugin/GbpDist.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-01 13:37
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,2b,12,66,f3,f6,da,4a,b2,8d,23,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d7,2b,12,66,f3,f6,da,4a,b2,8d,23,\

[HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:12,60,ff,f8,2a,02,dc,f1,d7,25,74,1f,16,db,2d,58,43,c9,46,5d,24,75,02,
88,ae,51,05,76,8d,3c,87,6b,15,68,19,5f,0e,0e,ab,3a,6c,96,58,c2,ec,ad,15,63,\
"??"=hex:bd,8a,97,7e,54,25,e6,79,ec,fd,b6,38,5f,da,c8,4c

[HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:9e,07,aa,cf,8b,70,a0,48,1a,74,fa,89,53,b3,2b,2e,c7,54,f8,a8,b7,
dc,b4,96,b6,2f,67,36,5f,89,54,97,d3,10,41,bc,31,fc,6f,b0,28,84,0e,10,f6,5c,\
"rkeysecu"=hex:b6,f8,e3,02,31,6c,14,fd,d2,18,a7,c6,34,f9,2d,f6

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
@Denied: (A 2) (Everyone)
@="FlashProp Class"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash6.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}\ProgID]
@Denied: (A) (Everyone)
@="{FA169448-8BE3-443A-9C71-E2D1F366A8C2}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{3DA165B6-CC41-11d2-BDC6-00C04F79EC6B}\Version]
@Denied: (A) (Everyone)
@="{FA169448-8BE3-443A-9C71-E2D1F366A8C2}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
@="{8D8763AB-E93B-4812-964E-F04E0008FD50}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_LOCAL_MACHINE\softwareSoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(644)
c:\arquivos de programas\GBPLUGIN\gbieh.dll

- - - - - - - > 'explorer.exe'(3508)
c:\windows\system32\WININET.dll
c:\arquiv~1\WINDOW~2\wmpband.dll
c:\arquivos de programas\GBPLUGIN\gbieh.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\arquivos de programas\Windows Desktop Search\MSNLNamespaceMgr.dll
.
------------------------ Other Running Processes ------------------------
.
c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\sched.exe
c:\arquivos de programas\Avira\AntiVir PersonalEdition Classic\avguard.exe
c:\arquivos de programas\Software WIDCOMM\Bluetooth\bin\btwdins.exe
c:\arquivos de programas\Java\jre6\bin\jqs.exe
c:\arquivos de programas\Arquivos comuns\Microsoft Shared\VS7Debug\mdm.exe
c:\arquivos de programas\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\arquivos de programas\Mozilla Firefox 3 Beta 3\firefox.exe
.
**************************************************************************
.
Completion time: 2009-09-01 13:47 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-01 16:47

Pre-Run: 16 folder(s) 11,707,437,056 bytes free
Post-Run: 16 folder(s) 11,664,551,936 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-PTG.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

380 --- E O F --- 2009-08-26 16:25
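The locked-keys section of the ComboFix log above runs to dozens of CLSID subkeys, which is tedious to read by hand. The script below is an added example, not part of the original post and not ComboFix's own code: it parses the locked registry keys section (the Portuguese heading in the log as posted is accepted too), records which principal each key denies, and groups a COM object's subkeys under the object so the analyst sees one line per object instead of one per subkey. The sample input is an excerpt of the posted log; the field names and the grouping rule are the example's own choices.

```python
"""Parse the locked-registry-keys section of a ComboFix log.

Added example: not part of the original post and not ComboFix's own code.
Each locked key is reported as a bracketed key path followed by
'@Denied: (flags) (Principal)' lines and the key's values; a COM object's
subkeys (LocalServer32, TypeLib, ...) appear as separate blocks.
"""
import re

# Excerpt of the log posted above: a Flash Player CLSID with one subkey, a
# SecuROM key that is listed without a deny line, and the IE preferences key.
SAMPLE_LOG = r"""
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\SecuROM\License information*]
"datasecu"=hex:9e,07,aa,cf,8b,70,a0,48
"rkeysecu"=hex:b6,f8,e3,02,31,6c,14,fd

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

[HKEY_USERS\S-1-5-21-507921405-602609370-682003330-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df
.
--------------------- DLLs Loaded Under Running Processes ---------------------
"""

SECTION_RE = re.compile(r"^-{5,} (.+?) -{5,}$")
KEY_RE = re.compile(r"^\[(.+)\]$")
DENIED_RE = re.compile(r"^@Denied: \((.*?)\) \((.+?)\)$")
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# '...\CLSID\{guid}\Sub' -> '...\CLSID\{guid}' so subkeys group with their object
OBJECT_RE = re.compile(r"^(.*\\(?:CLSID|Interface|TypeLib)\\\{[0-9A-Fa-f-]{36}\})", re.I)
# English heading and the Portuguese one used by the log as posted
LOCKED_HEADINGS = ("LOCKED REGISTRY KEYS", "CHAVES DO REGISTRO BLOQUEADAS")


def parse_locked_keys(text):
    """Return one dict per key block: key, denied [(flags, principal)], default."""
    entries, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            heading = m.group(1).upper()
            in_section = any(h in heading for h in LOCKED_HEADINGS)
            current = None
            continue
        if not in_section:
            continue
        m = KEY_RE.match(line)
        if m:
            current = {"key": m.group(1), "denied": [], "default": None}
            entries.append(current)
            continue
        if current is None:
            continue
        m = DENIED_RE.match(line)
        if m:
            current["denied"].append((m.group(1), m.group(2)))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            current["default"] = m.group(1)
    return entries


def object_root(key):
    """Collapse a COM object's subkey path to the object's own key."""
    m = OBJECT_RE.match(key)
    return m.group(1) if m else key


def summarize(entries):
    """Group blocks by object: which principals are denied, plus each subkey's default."""
    summary = {}
    for e in entries:
        root = object_root(e["key"])
        item = summary.setdefault(root, {"denied_to": set(), "defaults": {}})
        for _flags, principal in e["denied"]:
            item["denied_to"].add(principal)
        if e["default"] is not None:
            sub = e["key"][len(root):].lstrip("\\") or "@"
            item["defaults"][sub] = e["default"]
    return summary


if __name__ == "__main__":
    for root, info in summarize(parse_locked_keys(SAMPLE_LOG)).items():
        denied = ", ".join(sorted(info["denied_to"])) or "-"
        print(f"{root}\n    denied to: {denied}")
        for sub, value in info["defaults"].items():
            print(f"    {sub} = {value}")
```

In the posted log every locked object resolves to the Flash Player control and broker, SecuROM's licence data or IE's protected user-preferences key, which fits the moderator's reading that the log does not look too bad. The check worth making on any such list is whether a denied CLSID's server path (the InprocServer32 or LocalServer32 default) points somewhere other than the vendor's own install directory.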

#8
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
:) OTS

#9
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
That log does not look too bad - what problems are you experiencing at the moment?

#10
Icaro Freire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
The OTS log...

Attached File: OTS.Txt (156.49KB, 150 downloads)

No problems at all... at least, none that I can see...
#11
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Now a final sweep for orphans and I might let you go :)

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#12
Icaro Freire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
Gee, almost free :)

Man, I got so excited when the mbam-setup worked! :)

The MBAM log:

----------------
Malwarebytes' Anti-Malware 1.40
Versão do banco de dados: 2730
Windows 5.1.2600 Service Pack 3

2/9/2009 13:32:06
mbam-log-2009-09-02 (13-32-06).txt

Tipo de Verificação: Rápida
Objetos verificados: 98079
Tempo decorrido: 7 minute(s), 16 second(s)

Processos da Memória infectados: 0
Módulos de Memória Infectados: 0
Chaves do Registro infectadas: 1
Valores do Registro infectados: 0
Ítens do Registro infectados: 0
Pastas infectadas: 0
Arquivos infectados: 0

Processos da Memória infectados:
(Nenhum ítem malicioso foi detectado)

Módulos de Memória Infectados:
(Nenhum ítem malicioso foi detectado)

Chaves do Registro infectadas:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Valores do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Ítens do Registro infectados:
(Nenhum ítem malicioso foi detectado)

Pastas infectadas:
(Nenhum ítem malicioso foi detectado)

Arquivos infectados:
(Nenhum ítem malicioso foi detectado)
-------------------------------

Now that I noticed... it's in Portuguese... is there a problem? I will translate it:

-------------------
Malwarebytes' Anti-Malware 1.40
Database version: 2730
Windows 5.1.2600 Service Pack 3

2/9/2009 13:32:06
mbam-log-2009-09-02 (13-32-06).txt

Scan type: Quick Scan
Objects scanned: 98079
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
-----------------------

Better now, I guess...
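The two copies of the MBAM log above (Portuguese, then the poster's translation) share one layout: a header of 'Label: value' lines including one count per category, followed by a section per category that holds either a "no malicious items" marker or one line per finding in the form `object (family) -> action`. The parser below is an added example, not Malwarebytes' code and not from the original thread. It turns a log into metadata, counts and findings, checks that the summary counts agree with the findings actually listed (a truncated or hand-edited paste shows up as a mismatch), and lists findings whose action is not a completed removal. The first sample is the English log posted above, trimmed to two sections; the second is a constructed log with made-up paths whose action strings ("Delete on reboot", "No action taken") are the example's assumption about MBAM 1.x wording.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x scan log into counts and findings.

Added example: not part of the original thread and not Malwarebytes' code.
Layout: 'Label: value' header lines (including one count per category),
then one section per category holding either a 'no malicious items'
marker or one finding per line: 'object (family) -> action.'
"""
import re

# The English log posted above, trimmed to two of its sections.
SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.40
Database version: 2730

Scan type: Quick Scan
Objects scanned: 98079
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""

# Constructed log with made-up paths for findings the scan did not finish;
# the action wording is an assumption about MBAM 1.x, not taken from the thread.
SAMPLE_LOG_PENDING = """\
Malwarebytes' Anti-Malware 1.40
Files Infected: 2

Files Infected:
c:\\WINDOWS\\system32\\example.dll (Trojan.Agent) -> Delete on reboot.
c:\\Documents and Settings\\user\\example.exe (Trojan.Agent) -> No action taken.
"""

# Category headings as they appear in the Portuguese-localised copy of the log.
LOCALISED = {
    "Processos da Memória infectados": "Memory Processes Infected",
    "Módulos de Memória Infectados": "Memory Modules Infected",
    "Chaves do Registro infectadas": "Registry Keys Infected",
    "Valores do Registro infectados": "Registry Values Infected",
    "Ítens do Registro infectados": "Registry Data Items Infected",
    "Pastas infectadas": "Folders Infected",
    "Arquivos infectados": "Files Infected",
}
NONE_MARKERS = ("(No malicious items detected)", "(Nenhum ítem malicioso foi detectado)")
SUCCESS_ACTIONS = ("Quarantined and deleted successfully",)

SECTION_RE = re.compile(r"^(.+?):$")
META_RE = re.compile(r"^(.+?): (.+)$")
FINDING_RE = re.compile(r"^(.+?) \(([^()]+)\) -> (.+?)\.?$")


def normalize(label):
    """Map a localised category heading to the English one; others pass through."""
    return LOCALISED.get(label, label)


def parse_mbam_log(text):
    """Return {'meta': {...}, 'counts': {category: int}, 'findings': [dict, ...]}."""
    result = {"meta": {}, "counts": {}, "findings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = normalize(m.group(1))
            continue
        if section is None:  # header and summary block
            m = META_RE.match(line)
            if m:
                label, value = normalize(m.group(1)), m.group(2).strip()
                if label.endswith("Infected") and value.isdigit():
                    result["counts"][label] = int(value)
                else:
                    result["meta"][label] = value
            continue
        if line in NONE_MARKERS:
            continue
        m = FINDING_RE.match(line)
        if m:
            result["findings"].append({"category": section, "object": m.group(1),
                                       "family": m.group(2), "action": m.group(3)})
    return result


def count_mismatches(result):
    """Categories whose summary count disagrees with the findings actually listed."""
    seen = {}
    for f in result["findings"]:
        seen[f["category"]] = seen.get(f["category"], 0) + 1
    return sorted(c for c, n in result["counts"].items() if seen.get(c, 0) != n)


def unresolved(result):
    """Findings whose action is not a completed removal (reboot pending, skipped)."""
    return [f for f in result["findings"] if f["action"] not in SUCCESS_ACTIONS]


if __name__ == "__main__":
    for log in (SAMPLE_LOG, SAMPLE_LOG_PENDING):
        r = parse_mbam_log(log)
        print(r["counts"], "mismatches:", count_mismatches(r))
        for f in unresolved(r):
            print("  still pending:", f["object"], "->", f["action"])
```

For the posted log the parser yields one finding in Registry Keys Infected, no count mismatches and nothing unresolved, which is the state the moderator reads as clean in the next post. The same functions run unchanged over the Portuguese copy because only the category headings and the "none detected" marker differ.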

#13
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Now the best part of the day ----- Your log now appears clean :)

A good workman always cleans up after himself, so... run OTS and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel > Add/Remove, along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 15.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u15-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.(Vista users, right click on the jre-6u15-windows-i586-p.exe and select "Run as an Administrator.")

XP
Now to get you off to a good start we will clean your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:
  • Select Start > All Programs > Accessories > System tools > System Restore.
  • On the dialogue box that appears select Create a Restore Point
  • Click NEXT
  • Enter a name e.g. Clean
  • Click CREATE
You now have a clean restore point, to get rid of the bad ones:
  • Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  • In the Drop down box that appears select your main drive e.g. C
  • Click OK
  • The system will do some calculation and then display a dialogue box with TABS.
  • Select the More Options Tab.
  • At the bottom will be a System Restore box with a CLEANUP button; click this.
  • Accept the warning and select OK again; the program will close and you are done.


SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job.
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes: it is critical to have both a firewall and anti-virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe :)

#14
Icaro Freire

    Member

  • Topic Starter
  • Member
  • PipPip
  • 39 posts
I'll do as you say, as soon as I get home...

I need to thank you! You saved my life! :)

I still have one doubt... how can I be like you? I mean, I've been reading some topics here and I get quite impressed; you guys know a lot about this stuff... is there a way for me to learn how to do this?

#15
Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Have a little look here :)

Enjoy and keep safe